AWS IAM “InstanceProfiles” are the “who”

Recently, I was trying to create a launch configuration using an AWS IAM Role that I had created through CloudFormation but it was just not letting me, throwing this error:

$ aws autoscaling create-launch-configuration --launch-configuration-name serge-lc-with-instance-profile \
> --image-id ami-baba68d3 --instance-type t2.micro \
> --iam-instance-profile MyCloudWatchAgentRole

An error occurred (ValidationError) when calling the CreateLaunchConfiguration operation: Invalid IamInstanceProfile: MyCloudWatchAgentRole

After a bit of digging around the AWS Console, I realised you can only attach Roles that have an “instance profile” to EC2 instances. This was relatively straightforward to fix, but left me wondering “what’s an instance profile?” and “why do I need one?” After a bit of searching around, I found this great example on Quora: https://www.quora.com/In-AWS-what-is-the-difference-between-a-role-and-an-instance-profile
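The fix, written out as an added example rather than the template from the original post: since the role came from CloudFormation, the missing piece is an AWS::IAM::InstanceProfile resource that wraps the role, and the launch configuration then references the profile instead of the role. The role and profile names, the launch configuration name and the AMI/instance type come from the CLI session above; the trust policy restricted to ec2.amazonaws.com and the CloudWatchAgentServerPolicy managed policy are assumptions about what a role named MyCloudWatchAgentRole is for.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Role, instance profile and launch configuration (added example)

Resources:
  # The role is the "authz" half: it states only what the bearer may do.
  MyCloudWatchAgentRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyCloudWatchAgentRole
      # Trust policy: only the EC2 service may assume this role, so the
      # credentials can be obtained by an instance and nothing else.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Assumption: the role exists to run the CloudWatch agent, so the AWS
      # managed policy for that agent is the least-privilege choice here.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy

  # The instance profile is the container EC2 actually accepts. It holds
  # exactly one role; without it, CreateLaunchConfiguration fails with the
  # "Invalid IamInstanceProfile" error shown above.
  MyCloudWatchAgentInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      # Assumption: name the profile after the role, as the console does
      # when it creates one for you.
      InstanceProfileName: MyCloudWatchAgentRole
      Roles:
        - !Ref MyCloudWatchAgentRole

  MyLaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      LaunchConfigurationName: serge-lc-with-instance-profile
      ImageId: ami-baba68d3
      InstanceType: t2.micro
      # Reference the profile, not the role. !Ref on an InstanceProfile
      # returns its name; the ARN (!GetAtt ... Arn) is also accepted here.
      IamInstanceProfile: !Ref MyCloudWatchAgentInstanceProfile
```

Because the template sets explicit RoleName and InstanceProfileName values, deploying it needs the CAPABILITY_NAMED_IAM capability. The equivalent one-off repair for a role that already exists is `aws iam create-instance-profile --instance-profile-name MyCloudWatchAgentRole` followed by `aws iam add-role-to-instance-profile --instance-profile-name MyCloudWatchAgentRole --role-name MyCloudWatchAgentRole`; a newly created profile can take a few seconds to become usable by EC2, so an immediate retry of the launch configuration command may still fail once.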

With the two parts of access control (authentication and authorization), the Role fills the “authz” bit and the “profile” fills the “authn” bit. I’m not sure why this matters to be honest. I don’t think any other services other than EC2 use profiles.

One guess is that without this, perhaps it’d be hard/impossible to figure out “which instance(s)” carried out a particular action, this being a problem that maybe doesn’t apply to other services? Wonder if Lambda has “profiles”?
