Instance Profiles

Instance profile management for providing AWS credentials to Amazon EC2 instances and other AWS compute services through IAM roles.

Capabilities

Create Instance Profile

Creates a new instance profile that can contain IAM roles for EC2 instances and other AWS services.

/**
 * Creates a new instance profile
 * @param InstanceProfileName - The name of the instance profile to create
 * @param Path - The path to the instance profile (default: /)
 * @param Tags - List of tags to attach to the instance profile
 */
interface CreateInstanceProfileCommandInput {
  InstanceProfileName: string;
  Path?: string;
  Tags?: Tag[];
}

interface CreateInstanceProfileCommandOutput {
  InstanceProfile: InstanceProfile;
}

Usage Example:

import { IAMClient, CreateInstanceProfileCommand } from "@aws-sdk/client-iam";

const client = new IAMClient({ region: "us-east-1" });

const command = new CreateInstanceProfileCommand({
  InstanceProfileName: "EC2-S3-Access-Profile",
  Path: "/ec2/",
  Tags: [
    { Key: "Environment", Value: "Production" },
    { Key: "Service", Value: "WebApp" }
  ]
});

const result = await client.send(command);
console.log("Instance Profile created:", result.InstanceProfile.Arn);

Get Instance Profile

Retrieves information about the specified instance profile, including the roles contained in it.

/**
 * Retrieves information about the specified instance profile
 * @param InstanceProfileName - The name of the instance profile to get information about
 */
interface GetInstanceProfileCommandInput {
  InstanceProfileName: string;
}

interface GetInstanceProfileCommandOutput {
  InstanceProfile: InstanceProfile;
}

List Instance Profiles

Lists the instance profiles that have the specified path prefix.

/**
 * Lists the instance profiles that have the specified path prefix
 * @param PathPrefix - The path prefix for filtering the results (optional)
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListInstanceProfilesCommandInput {
  PathPrefix?: string;
  Marker?: string;
  MaxItems?: number;
}

interface ListInstanceProfilesCommandOutput {
  InstanceProfiles: InstanceProfile[];
  IsTruncated?: boolean;
  Marker?: string;
}

List Instance Profiles for Role

Lists the instance profiles that contain the specified role.

/**
 * Lists the instance profiles that contain the specified role
 * @param RoleName - The name of the role to list instance profiles for
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListInstanceProfilesForRoleCommandInput {
  RoleName: string;
  Marker?: string;
  MaxItems?: number;
}

interface ListInstanceProfilesForRoleCommandOutput {
  InstanceProfiles: InstanceProfile[];
  IsTruncated?: boolean;
  Marker?: string;
}

Add Role to Instance Profile

Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role.

/**
 * Adds the specified IAM role to the specified instance profile
 * @param InstanceProfileName - The name of the instance profile to update
 * @param RoleName - The name of the role to add
 */
interface AddRoleToInstanceProfileCommandInput {
  InstanceProfileName: string;
  RoleName: string;
}

Usage Example:

import { IAMClient, AddRoleToInstanceProfileCommand } from "@aws-sdk/client-iam";

const client = new IAMClient({ region: "us-east-1" });

// The profile must already exist and be empty: an instance profile holds at most one role
const command = new AddRoleToInstanceProfileCommand({
  InstanceProfileName: "EC2-S3-Access-Profile",
  RoleName: "EC2-S3-Read-Role"
});

await client.send(command);
console.log("Role added to instance profile successfully");

Remove Role from Instance Profile

Removes the specified IAM role from the specified instance profile.

/**
 * Removes the specified IAM role from the specified instance profile
 * @param InstanceProfileName - The name of the instance profile to update
 * @param RoleName - The name of the role to remove
 */
interface RemoveRoleFromInstanceProfileCommandInput {
  InstanceProfileName: string;
  RoleName: string;
}

Delete Instance Profile

Deletes the specified instance profile. The instance profile must not have any policies attached or contain any roles.

/**
 * Deletes the specified instance profile
 * @param InstanceProfileName - The name of the instance profile to delete
 */
interface DeleteInstanceProfileCommandInput {
  InstanceProfileName: string;
}

Instance Profile Tagging

Tag and untag instance profiles for organization and access control.

/**
 * Adds one or more tags to an IAM instance profile
 * @param InstanceProfileName - The name of the instance profile to tag
 * @param Tags - List of tags to attach to the instance profile
 */
interface TagInstanceProfileCommandInput {
  InstanceProfileName: string;
  Tags: Tag[];
}

/**
 * Removes the specified tags from the IAM instance profile
 * @param InstanceProfileName - The name of the instance profile to untag
 * @param TagKeys - List of tag keys to remove
 */
interface UntagInstanceProfileCommandInput {
  InstanceProfileName: string;
  TagKeys: string[];
}

/**
 * Lists the tags attached to the specified IAM instance profile
 * @param InstanceProfileName - The name of the instance profile
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListInstanceProfileTagsCommandInput {
  InstanceProfileName: string;
  Marker?: string;
  MaxItems?: number;
}

interface ListInstanceProfileTagsCommandOutput {
  Tags: Tag[];
  IsTruncated?: boolean;
  Marker?: string;
}

Types

interface InstanceProfile {
  Path: string;
  InstanceProfileName: string;
  InstanceProfileId: string;
  Arn: string;
  CreateDate: Date;
  Roles: Role[];
  Tags?: Tag[];
}

Common Usage Patterns

EC2 Instance Access

Instance profiles are the standard way to provide AWS credentials to EC2 instances:

import {
  IAMClient,
  CreateRoleCommand,
  AttachRolePolicyCommand,
  CreateInstanceProfileCommand,
  AddRoleToInstanceProfileCommand
} from "@aws-sdk/client-iam";

const client = new IAMClient({ region: "us-east-1" });

// 1. Create an IAM role whose trust policy lets only the EC2 service assume it
const createRoleCommand = new CreateRoleCommand({
  RoleName: "EC2-S3-Access-Role",
  AssumeRolePolicyDocument: JSON.stringify({
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }]
  })
});

// 2. Attach policies to the role (permissions live on the role, not on the profile)
const attachPolicyCommand = new AttachRolePolicyCommand({
  RoleName: "EC2-S3-Access-Role",
  PolicyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
});

// 3. Create the instance profile (the container EC2 references)
const createProfileCommand = new CreateInstanceProfileCommand({
  InstanceProfileName: "EC2-S3-Access-Profile"
});

// 4. Add the role to the instance profile
const addRoleCommand = new AddRoleToInstanceProfileCommand({
  InstanceProfileName: "EC2-S3-Access-Profile",
  RoleName: "EC2-S3-Access-Role"
});

// 5. Send the commands in this order; each step depends on the one before it
await client.send(createRoleCommand);
await client.send(attachPolicyCommand);
await client.send(createProfileCommand);
await client.send(addRoleCommand);

Container Service Integration

Instance profiles work with various AWS compute services:

  • Amazon ECS: Tasks can use instance profiles through EC2 launch type
  • Amazon EKS: Worker nodes use instance profiles for cluster operations
  • AWS Batch: Compute environments use instance profiles for job execution
  • AWS Lambda: Not applicable (Lambda uses execution roles directly)

Best Practices

Security:

  • Follow principle of least privilege when attaching policies to roles
  • Use specific resource ARNs in policies rather than wildcards
  • Regularly review and rotate instance profile permissions
  • Monitor instance profile usage through CloudTrail

Organization:

  • Use descriptive names that indicate the service and purpose
  • Implement consistent tagging strategy for cost allocation and management
  • Use path prefixes to organize instance profiles by environment or service
  • Document the intended use case for each instance profile

Management:

  • One instance profile per EC2 instance (limit of one role per instance profile)
  • Create instance profiles in the same region as your EC2 instances
  • Use automation (CloudFormation, Terraform) for consistent deployment
  • Test instance profile permissions before deploying to production

Relationship with Other IAM Resources

  • Roles: Instance profiles contain exactly one IAM role that defines the permissions
  • Policies: Permissions are granted through policies attached to the role within the instance profile
  • EC2 Instances: Instances reference instance profiles to obtain temporary credentials
  • Service-Linked Roles: Some AWS services create instance profiles automatically

Common Workflow

  1. Create IAM Role - Define trust policy allowing EC2 service to assume the role
  2. Attach Policies - Grant necessary permissions to the role
  3. Create Instance Profile - Container for the role that EC2 can reference
  4. Add Role to Profile - Associate the role with the instance profile
  5. Attach to EC2 - Launch instances with the instance profile attached
  6. Monitor Usage - Track credential usage and access patterns
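The "Monitor Usage" step and the ListInstanceProfiles pagination contract (Marker / IsTruncated) above, as an added example that is not code from this tile or from the AWS SDK: it pages through every instance profile and flags empty profiles and roles whose trust policy is not limited to the EC2 service. The `listPage` function, the profile names and the fake page server are assumptions constructed here so the block runs offline.

```javascript
// Added example (not from the tessl tile or the AWS SDK). `listPage` is injected: with the
// real client it is `input => client.send(new ListInstanceProfilesCommand(input))`;
// the constructed fake at the bottom stands in so the block runs offline.
async function listAllInstanceProfiles(listPage, pathPrefix = "/") {
  const profiles = []; let marker;
  do {
    const page = await listPage({ PathPrefix: pathPrefix, Marker: marker, MaxItems: 2 });
    profiles.push(...page.InstanceProfiles);
    marker = page.IsTruncated ? page.Marker : undefined; // fetch again only while truncated
  } while (marker);
  return profiles;
}
// True only when Principal is exactly the EC2 service: no "*", no AWS/Federated keys.
function trustedOnlyByEc2(principal) {
  if (!principal || typeof principal !== "object") return false;
  if (Object.keys(principal).some((k) => k !== "Service")) return false;
  const services = [].concat(principal.Service || []);
  return services.length > 0 && services.every((s) => s === "ec2.amazonaws.com");
}
// Findings per profile: empty profiles (the precondition for DeleteInstanceProfile) and
// roles whose trust policy lets something other than EC2 assume them. IAM returns
// Role.AssumeRolePolicyDocument URL-encoded, hence decodeURIComponent before JSON.parse.
function auditInstanceProfile(profile) {
  const findings = profile.Roles.length === 0 ? ["no-role"] : [];
  for (const role of profile.Roles) {
    const doc = JSON.parse(decodeURIComponent(role.AssumeRolePolicyDocument));
    const open = doc.Statement.some((s) => s.Effect === "Allow" && !trustedOnlyByEc2(s.Principal));
    if (open) findings.push(`${role.RoleName}: trust policy not limited to ec2.amazonaws.com`);
  }
  return findings;
}
async function auditAll(listPage) {
  const report = {};
  for (const p of await listAllInstanceProfiles(listPage)) report[p.InstanceProfileName] = auditInstanceProfile(p);
  return report;
}
// Constructed sample data (hypothetical names): three profiles served two per page.
const trust = (principal) => encodeURIComponent(JSON.stringify({ Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: principal, Action: "sts:AssumeRole" }] }));
const SAMPLE_PROFILES = [
  { InstanceProfileName: "EC2-S3-Access-Profile", Roles: [{ RoleName: "EC2-S3-Access-Role", AssumeRolePolicyDocument: trust({ Service: "ec2.amazonaws.com" }) }] },
  { InstanceProfileName: "orphan-profile", Roles: [] },
  { InstanceProfileName: "legacy-profile", Roles: [{ RoleName: "legacy-role", AssumeRolePolicyDocument: trust({ AWS: "*" }) }] },
];
async function fakeListPage({ Marker, MaxItems }) {
  const start = Marker ? Number(Marker) : 0, end = Math.min(start + MaxItems, SAMPLE_PROFILES.length);
  const truncated = end < SAMPLE_PROFILES.length;
  return { InstanceProfiles: SAMPLE_PROFILES.slice(start, end), IsTruncated: truncated, Marker: truncated ? String(end) : undefined };
}
auditAll(fakeListPage).then((report) => console.log(report));
```

Run against a real account by replacing `fakeListPage` with a function that wraps the input in `ListInstanceProfilesCommand`; the audit logic is unchanged.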