How Do I Provision IAM Instance Profiles With EC2 Launch Templates on AWS?
Introduction
Provisioning IAM Instance Profiles with EC2 Launch Templates on AWS is an efficient way to manage and configure EC2 instances with predefined settings. An IAM Instance Profile is the container that attaches an IAM Role to an EC2 instance, so the instance receives the role's temporary credentials and can interact with other AWS services without stored access keys. By integrating it with an EC2 Launch Template, you can streamline the process of launching instances with these configurations.
Key Points
- Create an IAM Role: This role includes a policy that grants access to specific AWS services.
- Create an IAM Instance Profile: Associate this profile with the IAM Role to enable secure access.
- Create an EC2 Launch Template: Use the IAM Instance Profile within the template to ensure instances have the required permissions.
Step-by-Step Explanation
Create an IAM Role:
- Define a role that EC2 instances can assume. This role should include a trust policy allowing EC2 to assume it.
Attach a Policy to the IAM Role:
- Attach a policy to the role that specifies the permissions required, such as access to S3 buckets.
Create an IAM Instance Profile:
- Create an instance profile and associate it with the IAM Role to facilitate secure service access.
Create an EC2 Launch Template:
- Define a launch template that specifies the instance type and AMI ID and references the IAM Instance Profile. This template will be used to launch EC2 instances with the predefined configurations.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an IAM Role. The trust policy lets only the EC2 service assume it.
const role = new aws.iam.Role("myRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Principal: {
                Service: "ec2.amazonaws.com",
            },
            Effect: "Allow",
            Sid: "",
        }],
    }),
});

// Attach an inline policy to the IAM Role
const rolePolicy = new aws.iam.RolePolicy("myRolePolicy", {
    role: role.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "s3:ListBucket",
                "s3:GetObject",
            ],
            Effect: "Allow",
            // "*" matches every bucket and object the account can reach;
            // replace it with specific bucket and object ARNs for least privilege.
            Resource: "*",
        }],
    }),
});

// Create an IAM Instance Profile that wraps the role
const instanceProfile = new aws.iam.InstanceProfile("myInstanceProfile", {
    role: role.name,
});

// Create an EC2 Launch Template that references the instance profile
const launchTemplate = new aws.ec2.LaunchTemplate("myLaunchTemplate", {
    iamInstanceProfile: {
        name: instanceProfile.name,
    },
    imageId: "ami-0c55b159cbfafe1f0", // Example AMI ID, replace with a valid one
    instanceType: "t2.micro",
    keyName: "my-key-pair", // Replace with your key pair name
    tags: {
        Name: "MyLaunchTemplate",
    },
});

// Stack outputs
export const launchTemplateId = launchTemplate.id;
export const instanceProfileArn = instanceProfile.arn;
```
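The role policy above allows `s3:ListBucket` and `s3:GetObject` on `Resource: "*"`. The following is an added example, not part of the original program: it builds the same read access scoped to named buckets and flags wildcard `Allow` statements before deployment. The helper names `scopedS3ReadPolicy` and `wildcardAllows`, the bucket `example-app-config` and the prefix `releases/` are assumptions for illustration.

```typescript
// Added example: helper names and the bucket/prefix values are hypothetical.
type Statement = { Sid?: string; Effect: "Allow" | "Deny"; Action: string[]; Resource: string[] };
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Build a read-only S3 policy limited to the named buckets.
// s3:ListBucket is a bucket-level action and s3:GetObject an object-level one,
// so each statement needs its own ARN form (bucket ARN vs. bucket/key ARN).
// Note: the prefix narrows GetObject only; ListBucket still lists the whole bucket.
function scopedS3ReadPolicy(buckets: string[], prefix = ""): PolicyDocument {
    if (buckets.length === 0) throw new Error("at least one bucket name is required");
    for (const b of buckets) {
        // Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
        if (!/^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/.test(b)) {
            throw new Error(`invalid bucket name: ${b}`);
        }
    }
    return {
        Version: "2012-10-17",
        Statement: [
            { Sid: "ListScopedBuckets", Effect: "Allow", Action: ["s3:ListBucket"],
              Resource: buckets.map(b => `arn:aws:s3:::${b}`) },
            { Sid: "ReadScopedObjects", Effect: "Allow", Action: ["s3:GetObject"],
              Resource: buckets.map(b => `arn:aws:s3:::${b}/${prefix}*`) },
        ],
    };
}

// Return the indexes of Allow statements whose Resource is a bare "*".
function wildcardAllows(doc: { Statement: { Effect: string; Resource: string | string[] }[] }): number[] {
    const hits: number[] = [];
    doc.Statement.forEach((s, i) => {
        const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
        if (s.Effect === "Allow" && resources.indexOf("*") !== -1) hits.push(i);
    });
    return hits;
}

// The policy document from the program above, reproduced for comparison.
const pagePolicy = {
    Version: "2012-10-17",
    Statement: [{ Action: ["s3:ListBucket", "s3:GetObject"], Effect: "Allow", Resource: "*" }],
};
const scoped = scopedS3ReadPolicy(["example-app-config"], "releases/");
```

In the Pulumi program, the scoped document would be passed as `policy: JSON.stringify(scoped)` on the `aws.iam.RolePolicy` resource.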
Summary
In this guide, we walked through the process of provisioning an IAM Instance Profile and associating it with an EC2 Launch Template. By creating an IAM Role with specific permissions, linking it to an IAM Instance Profile, and using an EC2 Launch Template, we ensure that the EC2 instances launched have the necessary permissions to access AWS services securely. This setup enhances security and simplifies the management of EC2 configurations.