This is a quick note to remind me on how to attach or associate an instance profile (IAM role) to an EC2 instance using AWS CLI. There is a bonus section at the end to show how to replace one IAM role with another one directly.

In this example, I already have a running EC2 instance, i-0357ecc1111111111. I want to attach a new instance profile called SSMInstanceProfile to this instance. But as we all know, only one instance profile can be associated with an EC2 instance at a time. So, let’s check whether our instance already has one attached:

➜ aws ec2 describe-iam-instance-profile-associations \
  --filters Name=instance-id,Values=i-0357ecc1111111111
{
    "IamInstanceProfileAssociations": [
        {
            "AssociationId": "iip-assoc-0fc5cfe9d51bdc0a7",
            "InstanceId": "i-0357ecc1111111111",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::14488888888:instance-profile/ec2-full-access-s3",
                "Id": "AIPASDMEX2OOOOOOOOOOO"
            },
            "State": "associated"
        }
    ]
}

From the output above, we can see that the instance profile ec2-full-access-s3 is currently associated with this instance. Therefore, before we can associate SSMInstanceProfile, we need to disassociate ec2-full-access-s3 first. Alternatively, we can just run the replace-iam-instance-profile-association command to replace the instance profile in one step.

Let’s try the first method, by running the disassociate-iam-instance-profile command to detach the instance profile:

➜ aws ec2 disassociate-iam-instance-profile \
  --association-id iip-assoc-0fc5cfe9d51bdc0a7
{
    "IamInstanceProfileAssociation": {
        "AssociationId": "iip-assoc-0fc5cfe9d51bdc0a7",
        "InstanceId": "i-0357ecc1111111111",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::14488888888:instance-profile/ec2-full-access-s3",
            "Id": "AIPASDMEX2OOOOOOOOOOO"
        },
        "State": "disassociating"
    }
}

Wait for a few seconds, and verify it:

➜ aws ec2 describe-iam-instance-profile-associations \
  --filters Name=instance-id,Values=i-0357ecc1111111111
{
    "IamInstanceProfileAssociations": []
}

Okay, now we can attach the new instance profile by running the associate-iam-instance-profile command as below:

➜ aws ec2 associate-iam-instance-profile \
  --iam-instance-profile Name=SSMInstanceProfile \
  --instance-id i-0357ecc1111111111
{
    "IamInstanceProfileAssociation": {
        "AssociationId": "iip-assoc-0f6df1f50757a8f05",
        "InstanceId": "i-0357ecc1111111111",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::14488888888:instance-profile/SSMInstanceProfile",
            "Id": "AIPASDMEX2OOOOOOOOOOO"
        },
        "State": "associating"
    }
}

Again, wait a few seconds, then verify it:

➜ aws ec2 describe-iam-instance-profile-associations \
  --filters Name=instance-id,Values=i-0357ecc1111111111
{
    "IamInstanceProfileAssociations": [
        {
            "AssociationId": "iip-assoc-0f6df1f50757a8f05",
            "InstanceId": "i-0357ecc1111111111",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::14488888888:instance-profile/SSMInstanceProfile",
                "Id": "AIPASDMEX2OOOOOOOOOOO"
            },
            "State": "associated"
        }
    ]
}

Bonus:

Instead of having to disassociate an existing attached IAM role, we can just replace it directly with another one. Let me show you how. Here, I’ll use the replace-iam-instance-profile-association command to replace SSMInstanceProfile back with ec2-full-access-s3.

➜ aws ec2 replace-iam-instance-profile-association \
  --iam-instance-profile Name=ec2-full-access-s3 \
  --association-id iip-assoc-0f6df1f50757a8f05
{
    "IamInstanceProfileAssociation": {
        "AssociationId": "iip-assoc-0d7e6755fcc666666",
        "InstanceId": "i-0357ecc1111111111",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::14488888888:instance-profile/ec2-full-access-s3",
            "Id": "AIPASDMEX2OOOOOOOOOOO"
        },
        "State": "associating"
    }
}

Let’s verify the result:

➜ aws ec2 describe-iam-instance-profile-associations \
  --filters Name=instance-id,Values=i-0357ecc1111111111
{
    "IamInstanceProfileAssociations": [
        {
            "AssociationId": "iip-assoc-0d7e6755fcc666666",
            "InstanceId": "i-0357ecc1111111111",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::14488888888:instance-profile/ec2-full-access-s3",
                "Id": "AIPASDMEX2OOOOOOOOOOO"
            },
            "State": "associated"
        }
    ]
}
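
The whole procedure above (check what is attached, then associate, replace, or do nothing, and poll instead of guessing how many seconds to wait) as one added shell script. This is example code written for this note, not something from the original post or from AWS; it assumes the aws CLI is installed and configured, that the caller holds ec2:AssociateIamInstanceProfile / ec2:ReplaceIamInstanceProfileAssociation plus iam:PassRole on the profile's role, and that describe output keeps the one-key-per-line layout shown above (it is parsed with sed, so no jq is needed). The sample JSON embedded at the bottom is constructed from the shape of the outputs in this note; the instance and profile names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original note. Requires the aws CLI and,
# for the real calls, credentials with ec2:AssociateIamInstanceProfile,
# ec2:ReplaceIamInstanceProfileAssociation and iam:PassRole on the role.

# Print the first AssociationId in describe-iam-instance-profile-associations
# output read from stdin; print nothing when no profile is attached.
current_association_id() {
  sed -n 's/.*"AssociationId": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Print the attached instance profile name (last path segment of the Arn).
current_profile_name() {
  sed -n 's|.*"Arn": *"arn:aws:iam::[0-9]*:instance-profile/\([^"]*\)".*|\1|p' | head -n 1
}

# Print the "State" field (associating/associated/disassociating/disassociated).
association_state() {
  sed -n 's/.*"State": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Read describe output from stdin and print the single command that leaves
# DESIRED attached: associate when nothing is attached, replace when a different
# profile is attached (replace avoids a window in which the instance has no
# credentials at all), or "noop" when the right profile is already there.
plan_profile_change() {
  instance_id=$1
  desired=$2
  describe_json=$(cat)
  assoc_id=$(printf '%s\n' "$describe_json" | current_association_id)
  current=$(printf '%s\n' "$describe_json" | current_profile_name)
  if [ -z "$assoc_id" ]; then
    printf 'aws ec2 associate-iam-instance-profile --iam-instance-profile Name=%s --instance-id %s\n' \
      "$desired" "$instance_id"
  elif [ "$current" != "$desired" ]; then
    printf 'aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=%s --association-id %s\n' \
      "$desired" "$assoc_id"
  else
    printf 'noop\n'
  fi
}

# Poll one association until it reaches EXPECTED (e.g. "associated"), instead
# of sleeping a fixed number of seconds. Returns 1 after MAX_TRIES attempts.
wait_for_state() {
  assoc_id=$1
  expected=$2
  max_tries=${3:-20}
  tries=0
  while [ "$tries" -lt "$max_tries" ]; do
    state=$(aws ec2 describe-iam-instance-profile-associations \
              --association-ids "$assoc_id" | association_state)
    [ "$state" = "$expected" ] && return 0
    tries=$((tries + 1))
    sleep 3
  done
  echo "timed out waiting for $assoc_id to become $expected (last: $state)" >&2
  return 1
}

# Driver for a real instance: plan from live describe output, run the command,
# then wait until the new association is reported as "associated".
apply_profile() {
  instance_id=$1
  desired=$2
  cmd=$(aws ec2 describe-iam-instance-profile-associations \
          --filters Name=instance-id,Values="$instance_id" \
        | plan_profile_change "$instance_id" "$desired")
  if [ "$cmd" = noop ]; then
    echo "$desired is already attached to $instance_id"
    return 0
  fi
  echo "+ $cmd"
  new_assoc=$($cmd | current_association_id)   # arguments contain no whitespace
  wait_for_state "$new_assoc" associated
}

# Constructed sample describe output (same shape as the outputs in this note),
# used for offline checks of the parsing and planning functions.
SAMPLE_DESCRIBE='{
    "IamInstanceProfileAssociations": [
        {
            "AssociationId": "iip-assoc-0fc5cfe9d51bdc0a7",
            "InstanceId": "i-0357ecc1111111111",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::14488888888:instance-profile/ec2-full-access-s3",
                "Id": "AIPASDMEX2OOOOOOOOOOO"
            },
            "State": "associated"
        }
    ]
}'
SAMPLE_EMPTY='{
    "IamInstanceProfileAssociations": []
}'
```

Usage against a real instance is `apply_profile i-0357ecc1111111111 SSMInstanceProfile`; run `printf '%s\n' "$SAMPLE_DESCRIBE" | plan_profile_change i-0357ecc1111111111 SSMInstanceProfile` to see the planner choose the replace path offline. The planner prefers replace-iam-instance-profile-association over disassociate-then-associate on purpose: the two-step path leaves the instance with no role at all until the second call lands, which is both a workload outage and a moment when anything relying on the role's credentials silently fails.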

Want to learn more about this? You can visit the AWS knowledge center article available at [1].

Reference: