The AWS CLI requests "ec2 describe-instances" and "ec2 describe-iam-instance-profile-associations" include the instance profile in the "IamInstanceProfile" property.

This includes the ARN, for example:

arn:aws:iam::123:instance-profile/AmazonSSMRoleForInstancesQuickSetup

In such a case the last segment, "AmazonSSMRoleForInstancesQuickSetup" in this example, is the IAM role name. This is also suggested in answers to multiple existing questions:

But sometimes the ARN in the instance profile will look like this:

arn:aws:iam::123:instance-profile/eks-ab13cc88-bc13-13bc-acdc-1234567890ab

And the last part is not a role name anymore - actually, it seems to be the "Auto Scaling Group name". The AWS web interface does show the assigned IAM role in both cases inside the instance properties.

How could the role name be reliably obtained for EC2 instances in all cases using AWS CLI?

1 Answer

Big thanks to @[email protected] - quoting their response here, will delete if they post themselves.

The EC2 instance profile is a container that holds a role. By default, a role will be created that matches the name of the profile, but they could be different.

I think you need to get the profile name and use it to call aws iam get-instance-profile --instance-profile-name <value>. In the response you want InstanceProfile.Roles[].RoleArn.

https://docs.aws.amazon.com/cli/latest/reference/iam/get-instance-profile.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
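
The lookup described in the answer, as an added shell example that is not part of the original post: it takes the last segment of the profile ARN as the profile name and asks IAM which roles that profile holds, which is the value to check when auditing what an instance is actually allowed to do. It prints `RoleName` rather than the `RoleArn` mentioned above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: resolve the IAM role behind an EC2 instance's instance profile.
# Function names are hypothetical; the aws subcommands and flags are the real CLI ones.

# Extract the instance profile name from its ARN.
# A profile may carry a path (instance-profile/some/path/name); the name is the
# last segment. Any partition (aws, aws-cn, aws-us-gov) is accepted.
profile_name_from_arn() {
  case "$1" in
    arn:*:iam::*:instance-profile/?*) printf '%s\n' "${1##*/}" ;;
    *) echo "not an instance profile ARN: $1" >&2; return 1 ;;
  esac
}

# Print the role name(s) held by a profile. The profile name and the role
# name are independent, so the role must be looked up, never inferred.
roles_for_profile() {
  aws iam get-instance-profile \
    --instance-profile-name "$1" \
    --query 'InstanceProfile.Roles[].RoleName' \
    --output text
}

# Instance ID -> profile ARN -> profile name -> role name(s).
# Returns 2 when the instance has no instance profile attached.
roles_for_instance() {
  local instance_id="$1"
  local arn name
  arn=$(aws ec2 describe-instances \
          --instance-ids "$instance_id" \
          --query 'Reservations[].Instances[].IamInstanceProfile.Arn' \
          --output text) || return 1
  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
    echo "instance $instance_id has no instance profile" >&2
    return 2
  fi
  name=$(profile_name_from_arn "$arn") || return 1
  roles_for_profile "$name"
}

# Usage (needs ec2:DescribeInstances and iam:GetInstanceProfile):
#   roles_for_instance i-0123456789abcdef0
```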
