Skip to main content
Welcome! In this guide, we cover how to use IAM roles to securely grant permissions to your EC2 instances without embedding long-term access keys.

Why You Need IAM Roles

Managing static AWS access keys on EC2 instances poses several operational and security challenges:
  • Securely provisioning credentials to every new instance.
  • Rotating keys when they expire or are compromised.
  • Preventing API request failures due to missing or revoked keys.
The image is a diagram showing AWS Cloud components, including storage and processing instances, with connections indicating interactions between them. It features spot and auto-scaled instances.
Static credentials don’t scale in dynamic environments. IAM roles deliver temporary credentials automatically, solving distribution and rotation issues.
Instances with IAM roles receive short-lived credentials from the metadata service. This eliminates the need to store access keys on disk.

What Is an IAM Role?

An IAM role is an AWS identity with attached permissions defined by IAM policies. Unlike an IAM user, a role:
  • Isn’t tied to a specific individual.
  • Has no long-term credentials (no static keys or passwords).
  • Can be assumed by authorized entities (EC2, Lambda, ECS, etc.).
When you launch an EC2 instance, attach a role—and AWS will provision temporary credentials (AccessKeyId, SecretAccessKey, Token) via the instance metadata service.
The image illustrates the working of an AWS IAM role, showing a flow from a document icon to various AWS service icons, including a bucket and other service symbols.

EC2 Instance Metadata Service

EC2 instance metadata provides instance information and temporary credentials at a fixed IP address. To list all metadata categories: 
curl http://169.254.169.254/latest/meta-data/
Sample output:
  • ami-id/
  • instance-id/
  • iam/
  • instance-action/
Enable and enforce IMDSv2 on your instances to protect against SSRF attacks. See AWS IMDSv2 documentation.

Retrieving Temporary Credentials

Assuming your role is named s3access, fetch credentials with: 
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
Example response: 
{
  "Code" : "Success",
  "LastUpdated" : "2023-06-15T12:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLE",
  "SecretAccessKey" : "wJalrExampleKEY",
  "Token" : "IQoJb3JpZ2luX2VjExampleToken",
  "Expiration" : "2023-06-15T18:00:00Z"
}
These credentials expire automatically and cannot be reused elsewhere.

Using AWS CLI with IAM Roles

With the IAM role attached, the AWS CLI handles credential retrieval and signing transparently. For example, list an S3 bucket: 
aws s3 ls s3://example-bucket
Under the hood:
  1. CLI requests temporary credentials from the metadata service.
  2. It uses those credentials to sign API calls.
  3. Results (e.g., bucket contents) are returned.
The image is a diagram illustrating the relationship between AWS EC2 instances and IAM roles, featuring icons representing AWS services like S3 and IAM.

Best Practices

PracticeRecommendation
Use IAM RolesAvoid embedding keys; assign minimal privileges to roles.
Enforce IMDSv2Require session tokens and mitigate SSRF risks.
Rotate PoliciesUpdate IAM policies regularly to follow least-privilege principles.
Monitor with CloudTrailTrack IAM role assumptions and API calls for auditing and compliance.

Summary

  • IAM roles provide temporary, auto-rotated credentials scoped to your EC2 instances.
  • A single EC2 instance can hold one IAM role, while a role can attach to multiple instances.
  • AWS SDKs, CLI, and tools automatically retrieve metadata credentials without manual intervention.
The image is a summary of EC2 IAM roles, highlighting that IAM role credentials are temporary, work only from EC2 instances, an EC2 instance is attached to a single role, and a role can be attached to multiple EC2 instances.

Watch Video

Practice Lab