Switch from one IAM role to another
Last updated
Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration.
An application running on an EC2 instance is abstracted from AWS by the virtualized operating system.
Because of this extra separation, an instance profile is needed to attach an IAM role and its associated permissions to an EC2 instance and make them available to its applications.
The instance profile contains the role and provides the role's temporary credentials to any application that runs on the instance, through the instance metadata service; because every process on the instance can reach that endpoint, requiring IMDSv2 (session-token based access) is the usual hardening step.
Those temporary credentials are then used in the application's API calls, and access is limited to exactly the resources that the role's policies allow.
Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
Role credentials are temporary and rotated automatically, so there are no long-term access keys to create, distribute or rotate, and no static secret on the instance that could leak.
One role can serve many instances: change that role's permissions once and the change propagates automatically to every instance that uses it.
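The setup described above, as an added example that is not from the original page: a trust policy that lets only the EC2 service assume the role, a permissions policy scoped to one bucket, the CLI calls that wrap the role in an instance profile and attach it to an instance, and the check you run on the instance to confirm it received the role's credentials. The role name, bucket, instance ID and policy names are assumptions; the `aws` and IMDSv2 calls are real.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumed names: role
# "app-server-role", instance profile "app-server-profile", inline policy
# "app-server-s3-read", bucket "example-app-data".
set -e

ROLE_NAME="app-server-role"
PROFILE_NAME="app-server-profile"
POLICY_NAME="app-server-s3-read"
BUCKET="example-app-data"

# Trust policy: only the EC2 service principal may assume the role, so the
# credentials the instance profile hands out cannot be fetched by an IAM user.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy: the role, not the instance, decides what every
# application on the instance may touch, so keep it to one bucket.
permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::${BUCKET}", "arn:aws:s3:::${BUCKET}/*"]
  }]
}
EOF
}

# Create the role, attach the policy, wrap the role in an instance profile and
# associate the profile with one instance. Needs the aws CLI and IAM/EC2 rights.
create_instance_profile() {
  instance_id="$1"
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name "$POLICY_NAME" --policy-document "$(permissions_policy)"
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  aws iam add-role-to-instance-profile \
      --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
  sleep 10   # IAM is eventually consistent; a fresh profile is not usable immediately
  # One instance profile per instance: if one is already attached, use
  # `aws ec2 replace-iam-instance-profile-association` instead.
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
      --iam-instance-profile Name="$PROFILE_NAME"
}

# Run on the instance itself: fetch the role credentials over IMDSv2 and
# confirm the identity the CLI now acts as is the assumed role.
check_from_instance() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
          -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
       "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME"
  aws sts get-caller-identity   # Arn ends in :assumed-role/app-server-role/<instance-id>
}

# Offline check of the trust document: an EC2 service principal, no AWS
# account or user principal that would let a human assume the instance role.
trust_policy_allows_only_ec2() {
  doc=$(trust_policy)
  printf '%s' "$doc" | grep -q '"Service": "ec2.amazonaws.com"' &&
  ! printf '%s' "$doc" | grep -q '"AWS"'
}

# Usage: INSTANCE_ID=i-0123456789abcdef0 sh instance-profile.sh apply
if [ "${1:-}" = "apply" ]; then
  create_instance_profile "${INSTANCE_ID:?set INSTANCE_ID to the target instance}"
else
  trust_policy_allows_only_ec2 && echo "trust policy OK: only ec2.amazonaws.com may assume $ROLE_NAME"
fi
```

Without the `apply` argument the script only validates the generated documents, so it can be reviewed before anything is created in the account.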
If your current permissions grant you the ability to assume a specific IAM role, you can reference that role in a named profile in the AWS CLI configuration files (with `role_arn` pointing at the role and `source_profile` naming the credentials used to assume it); any command run with that profile then executes with the permissions of the role, not those of the original identity.
A named profile is a collection of settings and credentials that you can apply to an AWS CLI command.
When you specify a profile to run a command, that profile's settings and credentials are used to run the command.
One profile can be named "default"; it is used whenever no profile is explicitly referenced.
Other profiles have names that you pass as a parameter on the command line for individual commands.
The AWS CLI supports using any of multiple named profiles that are stored in the config and credentials files.
You can configure additional profiles by using aws configure with the --profile option, or by adding entries to the config and credentials files.
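The role-switching profile described above, as an added example rather than content from the original page: the long-term keys live only in the `default` entry of the credentials file, and the role profile in the config file holds no secret at all, just `role_arn`, `source_profile` and (here) `mfa_serial` and `duration_seconds`, all of which are real AWS CLI settings. The account ID, role name, MFA device and the two example access keys are assumptions; the files are written to a scratch directory so the result can be inspected without touching AWS. The role's trust policy must of course allow the `default` identity to assume it, or the switch fails at `sts:AssumeRole`.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumed: account
# 123456789012, role "billing-auditor", MFA device for user "alice", and
# placeholder keys in the [default] profile.
set -e

AWS_DIR="${AWS_DIR:-$(mktemp -d)}"
ROLE_ARN="arn:aws:iam::123456789012:role/billing-auditor"
MFA_SERIAL="arn:aws:iam::123456789012:mfa/alice"

# Long-term keys: only in the source profile, only in the credentials file.
write_credentials() {
  cat > "$AWS_DIR/credentials" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
  chmod 600 "$AWS_DIR/credentials"
}

# Role profile: which role to assume and which credentials to assume it with.
# mfa_serial makes the CLI prompt for a code, which the role's trust policy
# can require; duration_seconds bounds the lifetime of the temporary keys.
write_config() {
  cat > "$AWS_DIR/config" <<EOF
[default]
region = us-east-1

[profile billing-auditor]
role_arn = ${ROLE_ARN}
source_profile = default
mfa_serial = ${MFA_SERIAL}
duration_seconds = 3600
region = us-east-1
EOF
}

# Return the value of one setting in one profile ("default" has no "profile " prefix).
profile_setting() {
  if [ "$1" = "default" ]; then hdr='\[default\]'; else hdr="\[profile $1\]"; fi
  sed -n "/^$hdr/,/^\[/p" "$AWS_DIR/config" | sed -n "s/^$2 = //p"
}

# A role profile must never carry its own access key: if it did, the CLI
# would use that key directly and silently skip the role switch.
role_profile_has_no_keys() {
  ! sed -n '/^\[profile billing-auditor\]/,/^\[/p' "$AWS_DIR/config" \
      | grep -qE 'aws_(access_key_id|secret_access_key)'
}

write_credentials
write_config
echo "wrote $AWS_DIR/config and $AWS_DIR/credentials"

# Real usage, once [default] holds valid keys and the role trusts that identity:
#   export AWS_CONFIG_FILE="$AWS_DIR/config" AWS_SHARED_CREDENTIALS_FILE="$AWS_DIR/credentials"
#   aws sts get-caller-identity                            # Arn: ...:user/alice
#   aws sts get-caller-identity --profile billing-auditor  # Arn: ...:assumed-role/billing-auditor/...
#   aws s3 ls --profile billing-auditor
```

The same entries can be created without editing the file by hand with `aws configure set role_arn "$ROLE_ARN" --profile billing-auditor` and `aws configure set source_profile default --profile billing-auditor`. Comparing the two `get-caller-identity` results is the quickest way to confirm that commands run under the profile really carry the role's identity rather than the caller's.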