AWS

How to Set-up EC2 with IAM roles (Step-by-Step Guide)

The IAM service of the aws is very powerful, it helps us to control each and every element of aws in an easy manner. Today we are going to learn about “Set-up EC2 with IAM roles”.

Question: Why we need IAM roles with EC2 Instances?

Answer: For example, We want to access the S3 bucket service of aws from an EC2 instance, then, in that case, we have the following two options available:

  1.  IAM user
  2. IAM roles

Problem with “IAM user” -> When we use the “IAM user” method to access the aws services from the CLI using the “aws cli”, then it creates and stores the “IAM user’s” credentials inside the “home directory” of the user under the “.aws” directory. As a result, if somehow the EC2 Instance got hacked, the hacker can access the “ACCESS ID” and “ACCESS KEY” of the “IAM user”, which is very dangerous.

Why use “IAM roles” -> When we use the “IAM roles” method, it does not store any information on the EC2 instance. That is why it is a preferable and secure method as compared to using “IAM user”.

Now that we know the power and reason for using the “IAM roles“, it is time to do some hands-on.

Step 1: Select the IAM service

From the aws dashboard, search for the “IAM” service and you will be seeing something like shown below, select it in order to get into the “IAM dashboard“.

Set-up EC2 with IAM roles
Select the IAM service from AWS dashboard

Step 2: Create a Role

When you enter into the “IAM dashboard” you will be seeing option similar to the ones shown in the screenshot below, from them select the “Roles” section from the “left-hand side” of yours.

After that, click on the “Create role” icon which is in blue color, as shown below.

Create a new IAM role
Create a new IAM role

After that, we have to specify, about which trusted entity we want to create the IAM role for, so in our case, we have selected the “AWS service” as a trusted entity.

Further, it is asking for which service is going to use the “IAM role” we are about to create, and because we want the role to be for “EC2“, we have selected the same as can be seen from the picture below.

After selecting the appropriate options, click on the “Next: Permissions” icon.

Select the service for the IAM role
Select the service for the IAM role

Attach Permissions Policies

It is time to specify what level of permission is going to be there for the “IAM role” we are creating.

In this case, we are creating the “IAM role” to be having the “Full AdministratorAccess. We are doing this because we are only this for demo purposes, but for production level implementation keep one thing in mind, never give full access to an IAM role.

Attach a permission policy to the IAM role
Attach a permission policy to the IAM role

Add Tags

On this screen, provide some tags for your “IAM role”, tags help in differentiating one thing from others. They work as some “metadata” for a particular thing.

Give tags to the IAM role Set-up EC2 with IAM roles
Give tags to the IAM role

Review – Set-up EC2 with IAM roles

Before committing the final changes to the “IAM role“, make sure you double check them on this review screen and then hit “Create role“.

Review the details for IAM role and Create it
Review the details for IAM role and Create it

Step 3: Create an EC2 Instance

Because we are doing this post the “Set-up EC2 with IAM roles“, it is important for us to have an “EC2 Instance” up and running. So, for that, we have created an “EC2 Instance” with the name “Testing Instance” as can be seen below.

To learn more about EC2, follow -> Create an instance on AWS (complete guide)

Set-up EC2 with IAM roles
Create a new EC2 instance

Step 4: Attach an “IAM role” to an “EC2 Instance”

This is the most important step of this post, in this, we are going to “attach the IAM role (CompleteAccess)” we have created in “Step 2” to our “EC2 Instance (Testing Instance)” we have created in “Step 3“.

To do that, select the “EC2 Instance” as we did by selecting our “Testing Instance“, after that go to the “Actions” tab and from the “drop-down menu” go to the “Instance settings” again a new menu will be shown, from there look for “Attach/Replace IAM Role“, and select it, for reference check below.

Attach an IAM role to an EC2 intance from dashboard
Attach an IAM role to an EC2 intance from dashboard

During the attachment, a screen as shown below be shown by the dashboard, select the “IAM role” from the drop-down options and then hit “Apply“.

Select the IAM role and apply
Select the IAM role and apply

After that, you will be seeing a message stating “IAM role operation succeeded“.

Set-up EC2 with IAM roles
IAM role operation succeeded

And to confirm the IAM role attachment, if you select the “EC2 Instance” and check the metadata, you will see the “IAM role” has been successfully attached, in our case, “IAM role = CompleteAccess” is attached properly.

Now it is showing the IAM role just attached
Now it is showing the IAM role just attached

Step 5: Login into the EC2 Instance

The “Testing Instance” we have created in the “Step 3” is up and running. It is time to login into it also check whether the “IAM role” attached in “Step 4” to it, is working perfectly or not.

If you want to learn more about logging in into the EC2 Instance, follow -> Login into EC2 instance using private pem key on Linux

From the screen below, you can see that we have successfully logged in.

Login into the EC2 instance
Login into the EC2 instance

On this point, firstly check whether the “.aws” directory is there or not, and from the screenshot, below we can confirm that in case of the “IAM role” it is not present, as a result, more security.

No hidden aws directory
No hidden aws directory

Step 6: Use AWS Services

In order to start using the aws services from the command line, we have to first install the “aws cli” on the machine. To do that, use the command below to install “aws cli” if you are using a “Debian based Linux” distribution.

$ sudo apt install awslcli -y
Install awscli on ubuntu 18.04
Install awscli on ubuntu 18.04

Now, for testing purposes, we have tried accessing the “S3 service” and listing the buckets stored, and we are successfully able to do that, as shown below.

awscli is still working
awscli is still working

More on AWS:

Comment here