Recently, I was trying to create a launch configuration using an AWS IAM Role that I had created through CloudFormation but it was just not letting me, throwing this error:
$ aws autoscaling create-launch-configuration --launch-configuration-name serge-lc-with-instance-profile \ > --image-id ami-baba68d3 --instance-type t2.micro \ > --iam-instance-profile MyCloudWatchAgentRole An error occurred (ValidationError) when calling the CreateLaunchConfiguration operation: Invalid IamInstanceProfile: MyCloudWatchAgentRole
After a bit of digging around the AWS Console, I realised you can only attach Roles that have an “instance profile” to EC2 instances. This was relatively straight forward to fix, but left me wondering “what’s an instance profile?” and “why do I need one?”. After a bit of searching around, I found this great example on Quora: https://www.quora.com/In-AWS-what-is-the-difference-between-a-role-and-an-instance-profile
With the two parts of access control (authentication and authorization) the Role fills the “authz” bit and the “profile” fills the “authn” bit. I’m not sure why this matters to be honest. I don’t think any other services other than EC2 use profiles.
One guess is that without this, perhaps it’d be hard/impossible to figure out “which instance(s)” carried out a particular action, this being a problem that maybe doesn’t apply to other services? Wonder if Lambda has “profiles”?