Switch from one IAM role to another

  • Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration.

  • An application running on an EC2 instance is abstracted from AWS by the virtualized operating system.

    • Because of this extra separation, an instance profile is needed to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications.

  • The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance.

    • Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies.

  • Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

Using roles in this way has several benefits:

  • Role credentials are temporary and rotated automatically, so you don't have to manage or rotate credentials yourself and there is no long-lived static key on the instance that could leak.

  • A single role can serve many instances, so a permission change made to that one role propagates automatically to every instance that uses it.

  • If your current permissions grant you the ability to assume a specific IAM role, you can identify that role in a "profile" in the AWS CLI configuration files. A command run with that profile then executes with the permissions of the specified IAM role, not those of your original identity.

Named Profile in AWS CLI

  • A named profile is a collection of settings and credentials that you can apply to an AWS CLI command.

  • When you specify a profile to run a command, the settings and credentials are used to run that command.

  • You can specify one profile that is the "default", and is used when no profile is explicitly referenced.

  • Other profiles have names that you can specify as a parameter on the command line for individual commands.

  • The AWS CLI supports multiple named profiles, stored in the config and credentials files, and you can use any of them for a given command.

  • You can configure additional profiles by using aws configure with the --profile option, or by adding entries to the config and credentials files.
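The following added example (not from the original notes) ties the two halves of these notes together: it writes a named profile whose role_arn is assumed using the EC2 instance profile's own credentials as the source (credential_source = Ec2InstanceMetadata), then reads back which role a given profile would switch to. The profile name, account id and role name are constructed placeholders; the config keys used (role_arn, credential_source, role_session_name, duration_seconds, region) are real AWS CLI config keys.

```shell
#!/bin/sh
# Added example: configure an AWS CLI named profile that switches from the
# instance profile's role to a second IAM role, and inspect the result.
# Account id and role name below are constructed placeholders.
set -eu

# Use a scratch config file so a real ~/.aws/config is never modified here.
AWS_CONFIG_FILE="${AWS_CONFIG_FILE:-$(mktemp)}"
export AWS_CONFIG_FILE

# Append a role-assuming profile. On an EC2 instance, credential_source =
# Ec2InstanceMetadata tells the CLI to call sts:AssumeRole with the instance
# profile's temporary credentials, so no static key is stored anywhere.
write_role_profile() {
  profile="$1"; role_arn="$2"
  cat >>"$AWS_CONFIG_FILE" <<EOF
[profile $profile]
role_arn = $role_arn
credential_source = Ec2InstanceMetadata
role_session_name = ${profile}-session
duration_seconds = 3600
region = us-east-1
EOF
}

# Print the role ARN a profile is configured to assume (empty if none).
# The default profile lives in a [default] section, others in [profile NAME].
profile_role_arn() {
  if [ "$1" = default ]; then want="[default]"; else want="[profile $1]"; fi
  awk -v want="$want" '
    $0 == want { in_sec = 1; next }
    /^\[/ { in_sec = 0 }
    in_sec && $1 == "role_arn" { print $3; exit }
  ' "$AWS_CONFIG_FILE"
}

# Ask STS which identity a command under this profile would really run as;
# on an instance this should show the assumed role, not the instance role.
show_effective_identity() {
  aws sts get-caller-identity --profile "$1"
}

write_role_profile deploy-readonly \
  "arn:aws:iam::123456789012:role/ReadOnlyDeploy"
```

Run show_effective_identity deploy-readonly on an instance whose instance profile role is allowed to assume the target role; the returned Arn is the quickest check that the switch actually took effect.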
