I have a reasonable understanding of the relationship between AWS Identity and Access Management (IAM) policies, roles, users, and groups. I have also implemented assumed roles and the trusted/trusting account association between two accounts. You can read more about that in Creating IAM assume-role relationship between two AWS accounts. So, when I heard that an Amazon EC2 instance could assume a role, I was intrigued. Why would I want a virtual machine to assume a role? What is the use case? I did not have to wait long: I came across two use cases where I required just that.
The concept, as I understood it before exploring it, was to assign a set of permissions to an Amazon EC2 instance so that it can carry out a specific set of activities. So I wrote an IAM policy with the required permissions, attached it to an IAM role, placed that role in an IAM instance profile, and attached the profile to an Amazon EC2 instance. The instance was then able to perform exactly the actions listed in the IAM policy. If you are new to this concept, please refer to the AWS-Docs link.
I applied the nuances of this concept on a use case I was working on earlier where I created an Amazon EC2 instance in an Amazon Virtual Private Cloud using Terraform. You can find the code at: add-iam-role
I classified this process into five easy steps.
Step 1: Create a policy file
The policy file is the blueprint: it lists the actions an entity may perform and the AWS resources on which it may perform them. Any entity associated with the policy acquires exactly those capabilities, so the policy should be scoped as narrowly as the task allows. In this case, the entity gets two sets of permissions: (i) the ability to read the parameters under the Parameter Store path /dev, and (ii) the ability to list and download the objects under the download/ folder of the bucket skundu-proj3-3p-installers.
Step 2: Create a role that can be assumed by an Amazon EC2 instance
A role has two policies: (i) a trust policy, which specifies who or what can assume the role, and (ii) a permission policy, which specifies which actions are allowed and on which AWS resources. For a role that an Amazon EC2 instance can assume, the trust policy names the EC2 service principal (ec2.amazonaws.com) as the only principal allowed to call sts:AssumeRole. The permission policy comes from the IAM policy file (Step 1) once it is attached to the IAM role.
Step 3: Attach the policy to the role
Attaching the policy (Step 1) to the IAM role grants whatever assumes that role the permissions listed in the policy. This is the permission policy of the IAM role.
Step 4: Create an instance profile
An IAM instance profile is the container through which an IAM role is attached to an Amazon EC2 instance. Conceptually, it acts like a vessel that holds exactly one IAM role, which the Amazon EC2 instance then assumes.
Step 5: Attach the instance profile to the EC2 instance
Finally, the IAM instance profile that carries the IAM role is attached to the Amazon EC2 instance. The Amazon EC2 instance then inherits the permission policy associated with the IAM role (step 3), which the IAM role inherited from the attached IAM policy (step 1).
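The five steps above as a single Terraform configuration. This is an added example, not the post's add-iam-role code: the resource names, the t3.micro instance type, and the ami_id and subnet_id variables are assumptions for illustration, while the /dev parameter path and the bucket name come from Step 1. It goes one step beyond the post by requiring IMDSv2 on the instance, which is the setting that stops the role's temporary credentials from being fetched with a plain unauthenticated metadata request.

```hcl
# Added example, not the post's own code. Names, the ami_id/subnet_id variables
# and the instance type are assumptions; the parameter path and bucket name
# are the ones the post describes.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Step 1: permission policy, scoped to the /dev parameter path and the
# download/ prefix of the bucket. No wildcard resources.
data "aws_iam_policy_document" "ec2_app" {
  statement {
    sid     = "ReadDevParameters"
    actions = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = [
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/dev/*",
    ]
  }

  # ListBucket is a bucket-level action; the prefix condition keeps the
  # listing limited to download/.
  statement {
    sid       = "ListDownloadPrefix"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::skundu-proj3-3p-installers"]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["download/*"]
    }
  }

  statement {
    sid       = "GetDownloadObjects"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::skundu-proj3-3p-installers/download/*"]
  }
}

resource "aws_iam_policy" "ec2_app" {
  name   = "ec2-app-dev-read"
  policy = data.aws_iam_policy_document.ec2_app.json
}

# Step 2: trust policy. Only the EC2 service principal may assume the role.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ec2_app" {
  name               = "ec2-app-dev"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Step 3: attach the permission policy to the role.
resource "aws_iam_role_policy_attachment" "ec2_app" {
  role       = aws_iam_role.ec2_app.name
  policy_arn = aws_iam_policy.ec2_app.arn
}

# Step 4: the instance profile holds exactly one role.
resource "aws_iam_instance_profile" "ec2_app" {
  name = "ec2-app-dev"
  role = aws_iam_role.ec2_app.name
}

# Step 5: attach the profile to the instance. http_tokens = "required"
# enforces IMDSv2, so the role credentials under
# /latest/meta-data/iam/security-credentials/ cannot be read with a plain GET
# (for example through an SSRF bug in an application running on the instance).
resource "aws_instance" "app" {
  ami                  = var.ami_id
  instance_type        = "t3.micro"
  subnet_id            = var.subnet_id
  iam_instance_profile = aws_iam_instance_profile.ec2_app.name

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}

variable "ami_id" { type = string }
variable "subnet_id" { type = string }
```

Two checks worth running after terraform apply: on the instance, aws sts get-caller-identity should report an assumed-role ARN for ec2-app-dev rather than any user, and an unauthenticated curl of http://169.254.169.254/latest/meta-data/iam/security-credentials/ should be refused because IMDSv2 is required. One caveat: if the /dev parameters are SecureString values encrypted with a customer-managed KMS key, the role also needs kms:Decrypt on that key; the AWS-managed aws/ssm key does not need an extra statement.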
After making all these changes, I executed the terraform apply command, which ran successfully. Then I confirmed on the AWS console that the Amazon EC2 instance had the appropriate IAM role attached.
Generally, attaching an IAM role to an Amazon EC2 instance is part of a more extensive use case. In my case, I required a secure approach to accessing sensitive credentials, and attaching an IAM role with that capability to an Amazon EC2 instance addressed that. The security benefit is that no long-lived access keys are stored on the instance: the role's credentials are temporary, rotated automatically, and fetched by the AWS SDK from the instance metadata service, so there is nothing to leak from a configuration file or environment variable.
I hope you found this note useful. I would be happy to answer any questions that you might have. Please use the comments section for the same.
4 thoughts on “Attach IAM role to Amazon EC2 instance using Terraform”