Using IAM Roles with EC2 in AWS Console

[UPDATED – 21 June 2012] Amazon has corrected the problem in the AWS Console. You can now view IAM Roles in the EC2 “Advanced Details” tab so long as you follow these instructions in the AWS blog.

The rest of this blog post is now unnecessary. Just follow the blog instructions above.


DEPRECATED – do not follow these instructions. I have left the blog post here for historical purposes only.

On June 11th, Amazon announced the addition of Roles to AWS. This feature allows you to automatically assign IAM permissions to a specific “Role”, assign an EC2 instance to that role, and have the appropriate AWS keys automatically distributed to the instances. No more key management in EC2!!! This makes secure deployments in EC2 much, much easier.

You can read more about using this feature on the AWS Blog. To make it easier to get started, the AWS Docs include an article on the permissions to grant users of the AWS Console. That article is helpful, but unfortunately incomplete. If you follow it as described and then try to create a new EC2 instance, you’ll discover that you cannot select a Role from the “Advanced Details” tab: instead of showing a list of roles, the popup will say “Loading failed”.

You might try to fix this problem by granting some other combination of IAM permissions. Sadly, nothing will work, including granting all 70 permissions that currently show in the policy editor. The only thing that does work is to use a wide-open IAM policy:

{
  "Statement": [
    {
      "Sid": "Stmt1",
      "Action": [
        "iam:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

But of course, that grants permissions for users to do anything in IAM. Obviously not what you want.

It turns out there is a problem in the AWS Console as of this writing. As you might have guessed from the example above, there is either a bug somewhere, or a permission you need that is not listed in the Policy Generator. To get Roles working in the AWS console, you need to add a short wildcard to your IAM policy. Here is the policy I am using:

** sample code removed - no longer necessary **

The key is on line 10. There appears to be an undocumented ListInstance permission required by the AWS console. The wildcard “ListInstance*” grants it. Once you add this permission, listing Roles in the AWS console will begin to work.
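To make the difference between the wide-open "iam:*" policy and a narrow "ListInstance*" wildcard concrete, here is an added example (my own code, not the post's removed policy or anything from AWS) that evaluates IAM Action patterns against a set of representative actions. The scoped policy is constructed for illustration; iam:ListInstanceProfiles is a real IAM action that the wildcard matches, although the post itself does not name it.

```python
import fnmatch

# The wide-open policy quoted in the post.
WIDE_OPEN_POLICY = {"Statement": [
    {"Sid": "Stmt1", "Action": ["iam:*"], "Effect": "Allow", "Resource": ["*"]}
]}

# Constructed narrow alternative using the post's "ListInstance*" wildcard.
# This is illustrative, not the author's removed policy.
SCOPED_POLICY = {"Statement": [
    {"Sid": "ListRoles", "Action": ["iam:ListRoles", "iam:ListInstance*"],
     "Effect": "Allow", "Resource": ["*"]}
]}

# Representative actions (constructed list; all are real IAM API names).
CANDIDATE_ACTIONS = [
    "iam:ListRoles",
    "iam:ListInstanceProfiles",
    "iam:ListInstanceProfilesForRole",
    "iam:CreateUser",
    "iam:DeleteRole",
    "iam:PutUserPolicy",
]


def _matches(pattern: str, action: str) -> bool:
    # IAM Action patterns use '*' (any run) and '?' (one char) and are
    # case-insensitive. fnmatch also understands [..] classes, which IAM
    # does not, but action names never contain brackets.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy: dict, action: str) -> bool:
    """True if an Allow statement matches `action` and no Deny does.

    Simplified evaluator: Resource and Condition are ignored, which is
    enough to show how broadly each Action pattern matches.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def granted_actions(policy: dict, candidates: list) -> list:
    """Subset of `candidates` the policy grants: its blast radius."""
    return [a for a in candidates if is_allowed(policy, a)]


if __name__ == "__main__":
    for name, pol in (("wide-open", WIDE_OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, granted_actions(pol, CANDIDATE_ACTIONS))
```

Running it shows the wide-open policy granting every candidate action, while the scoped policy grants only the three List actions.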

Hope this helps, and have fun with the new feature.
