Troubleshoot IAM and Amazon EC2
The following information can help you troubleshoot IAM issues with Amazon EC2.
Topics
- When I try to launch an instance, I don't see the role in the Amazon EC2 console IAM Role list
- The credentials on my instance are for the wrong role
- When I attempt to call the AddRoleToInstanceProfile, I get an AccessDenied error
- Amazon EC2: When I try to launch an instance with a role, I get an AccessDenied error
- I can't access the temporary security credentials on my EC2 instance
- What do the errors from the info document in the IAM subtree mean?
When I try to launch an instance, I don't see the role in the Amazon EC2 console IAM Role list
Check the following:
- If you are signed in as an IAM user, verify that you have permission to call ListInstanceProfiles. For information about the permissions necessary to work with roles, see Permissions required for using roles with Amazon EC2. For information about adding permissions to a user, see Manage IAM policies. If you cannot modify your own permissions, you must contact an administrator who can work with IAM in order to update your permissions.
- If you created a role using the IAM CLI or API, verify the following:
  - You created an instance profile and added the role to that instance profile.
  - You used the same name for the role and the instance profile. If you name your role and instance profile differently, you won't see the correct role name in the Amazon EC2 console. The IAM Role list in the Amazon EC2 console lists the names of instance profiles, not the names of roles. You will have to select the name of the instance profile that contains the role you want. For details about instance profiles, see Use instance profiles.
  Note
  If you use the IAM console to create roles, you don't need to work with instance profiles. For each role that you create in the IAM console, an instance profile is created with the same name as the role, and the role is automatically added to that instance profile. An instance profile can contain only one IAM role, and that limit cannot be increased.
The credentials on my instance are for the wrong role
The role in the instance profile might have been replaced recently. If so, your application will need to wait for the next automatically scheduled credential rotation before credentials for your role become available.
To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
When I attempt to call the AddRoleToInstanceProfile, I get an AccessDenied error
If you are making requests as an IAM user, verify that you have the following permissions:
- iam:AddRoleToInstanceProfile with the resource matching the instance profile ARN (for example, arn:aws:iam::999999999999:instance-profile/ExampleInstanceProfile).
For more information about the permissions necessary to work with roles, see How do I get started?. For information about adding permissions to a user, see Manage IAM policies.
Amazon EC2: When I try to launch an instance with a role, I get an AccessDenied error
Check the following:
- Launch an instance without an instance profile. This will help ensure that the problem is limited to IAM roles for Amazon EC2 instances.
- If you are making requests as an IAM user, verify that you have the following permissions:
  - ec2:RunInstances with a wildcard resource ("*")
  - iam:PassRole with the resource matching the role ARN (for example, arn:aws:iam::999999999999:role/ExampleRoleName)
- Call the IAM GetInstanceProfile action to ensure that you are using a valid instance profile name or a valid instance profile ARN. For more information, see Using IAM roles with Amazon EC2 instances.
- Call the IAM GetInstanceProfile action to ensure that the instance profile has a role. Empty instance profiles will fail with an AccessDenied error. For more information about creating a role, see IAM role creation.
For more information about the permissions necessary to work with roles, see How do I get started?. For information about adding permissions to a user, see Manage IAM policies.
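As an added example (not code from this page or from AWS), the following Python check reads an identity policy and reports whether it grants the two permissions just listed: ec2:RunInstances on a wildcard resource and iam:PassRole on the specific role ARN. It also flags iam:PassRole granted on a resource wildcard, since that lets the caller hand any role in the account to an instance rather than just the one it needs. The policy document is constructed for this example and reuses the placeholder account ID and role name from the text above; the wildcard matching is a simplified version of IAM's (Deny statements and Condition blocks are not evaluated), so it is a quick sanity check rather than a policy simulation.

```python
import fnmatch
import json

# Constructed example policy that satisfies the two permissions named above.
# The account ID and role name are the page's own placeholder values.
LAUNCH_WITH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::999999999999:role/ExampleRoleName"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Simplified IAM wildcard matching: '*' matches any run, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def statement_allows(stmt, action, resource):
    """True if a single Allow statement grants `action` on `resource`.
    Deny statements and Conditions are deliberately ignored (see lead-in)."""
    if stmt.get("Effect") != "Allow":
        return False
    action_ok = any(_matches(a, action) for a in _as_list(stmt.get("Action")))
    resource_ok = any(_matches(r, resource) for r in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def check_launch_permissions(policy, role_arn):
    """Report which of the two launch-with-role permissions the policy grants,
    and whether iam:PassRole is scoped wider than the one role needed."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    # ec2:RunInstances must be granted on the literal wildcard resource "*".
    run_instances = any(statement_allows(s, "ec2:RunInstances", "*") for s in stmts)
    pass_role = any(statement_allows(s, "iam:PassRole", role_arn) for s in stmts)
    # A PassRole grant on "*" or ".../role/*" covers every role in the account.
    pass_role_wildcard = any(
        statement_allows(s, "iam:PassRole", role_arn)
        and any(r == "*" or r.endswith(":role/*") for r in _as_list(s.get("Resource")))
        for s in stmts
    )
    return {
        "ec2:RunInstances": run_instances,
        "iam:PassRole": pass_role,
        "pass_role_is_wildcard": pass_role_wildcard,
    }


if __name__ == "__main__":
    report = check_launch_permissions(
        LAUNCH_WITH_ROLE_POLICY, "arn:aws:iam::999999999999:role/ExampleRoleName")
    print(json.dumps(report, indent=2))
```

If both permissions show as granted and the launch still fails with AccessDenied, the remaining items in the list above (a valid instance profile name or ARN, and a profile that actually contains a role) are the next things to verify.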
I can't access the temporary security credentials on my EC2 instance
To access temporary security credentials on your EC2 instance, you must first use the IAM console to create a role. Then you launch an EC2 instance that uses that role and examine the running instance. For more information, see How Do I Get Started? in Use an IAM role to grant permissions to applications running on Amazon EC2 instances.
If you still can't access your temporary security credentials on your EC2 instance, check the following:
- Can you access another part of the Instance Metadata Service (IMDS)? If not, check that you have no firewall rules blocking access to requests to the IMDS.
  [ec2-user@domU-12-31-39-0A-8D-DE ~]$ GET http://169.254.169.254/latest/meta-data/hostname; echo
- Does the iam subtree of the IMDS exist? If not, verify that your instance has an IAM instance profile associated with it by calling the EC2 DescribeInstances API operation or using the aws ec2 describe-instances CLI command.
  [ec2-user@domU-12-31-39-0A-8D-DE ~]$ GET http://169.254.169.254/latest/meta-data/iam; echo
- Check the info document in the IAM subtree for an error. If you have an error, see What do the errors from the info document in the IAM subtree mean? for more information.
  [ec2-user@domU-12-31-39-0A-8D-DE ~]$ GET http://169.254.169.254/latest/meta-data/iam/info; echo
What do the errors from the info document in the IAM subtree mean?
The iam/info document indicates "Code":"InstanceProfileNotFound"
Your IAM instance profile has been deleted and Amazon EC2 can no longer provide credentials to your instance. You must attach a valid instance profile to your Amazon EC2 instance.
If an instance profile with that name exists, check that the instance profile wasn't deleted and another was created with the same name:
- Call the IAM GetInstanceProfile operation to get the InstanceProfileId.
- Call the Amazon EC2 DescribeInstances operation to get the IamInstanceProfileId for the instance.
- Verify that the InstanceProfileId from the IAM operation matches the IamInstanceProfileId from the Amazon EC2 operation.
If the IDs are different, then the instance profile attached to your instances is no longer valid. You must attach a valid instance profile to the instance.
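The three-step ID comparison above, as an added Python example (not AWS's code): the two API responses are constructed dictionaries shaped like the results of IAM GetInstanceProfile and Amazon EC2 DescribeInstances (in boto3, iam.get_instance_profile and ec2.describe_instances return this shape), with placeholder profile and instance IDs. The check compares the ID held by IAM against the ID each instance still references, and only for instances whose attached profile ARN matches the profile being investigated, so instances using some other profile are reported separately rather than as mismatches.

```python
# Constructed sample responses (not real API output) shaped like IAM GetInstanceProfile
# and Amazon EC2 DescribeInstances. Account ID, profile IDs and instance IDs are placeholders.
PROFILE_ARN = "arn:aws:iam::999999999999:instance-profile/ExampleInstanceProfile"

GET_INSTANCE_PROFILE_RESPONSE = {
    "InstanceProfile": {
        "InstanceProfileName": "ExampleInstanceProfile",
        "InstanceProfileId": "AIPAEXAMPLENEWPROFILE0",
        "Arn": PROFILE_ARN,
        "Roles": [{"RoleName": "ExampleRoleName"}],
    }
}

DESCRIBE_INSTANCES_RESPONSE = {
    "Reservations": [{
        "Instances": [
            # Still references the ID of a deleted profile that had this name.
            {"InstanceId": "i-EXAMPLE-STALE",
             "IamInstanceProfile": {"Arn": PROFILE_ARN, "Id": "AIPAEXAMPLEOLDPROFILE0"}},
            # References the profile that currently exists under this name.
            {"InstanceId": "i-EXAMPLE-OK",
             "IamInstanceProfile": {"Arn": PROFILE_ARN, "Id": "AIPAEXAMPLENEWPROFILE0"}},
            # Uses a different instance profile altogether.
            {"InstanceId": "i-EXAMPLE-OTHER",
             "IamInstanceProfile": {
                 "Arn": "arn:aws:iam::999999999999:instance-profile/OtherProfile",
                 "Id": "AIPAEXAMPLEOTHER000000"}},
            # No instance profile attached at all.
            {"InstanceId": "i-EXAMPLE-NONE"},
        ]
    }]
}


def instance_profile_attachments(describe_instances_response):
    """Yield (instance_id, profile_arn, profile_id) for every instance;
    ARN and ID are None when no instance profile is attached."""
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            prof = inst.get("IamInstanceProfile") or {}
            yield inst["InstanceId"], prof.get("Arn"), prof.get("Id")


def check_instance_profile_ids(get_instance_profile_response, describe_instances_response):
    """Map each instance ID to one of:
       'ok'            attached ID matches the profile that currently has this name
       'stale'         same profile ARN but a different ID: the profile was deleted and
                       re-created, so IMDS reports InstanceProfileNotFound until a
                       valid profile is attached
       'other_profile' the instance uses a profile with a different ARN
       'none'          no instance profile attached"""
    profile = get_instance_profile_response["InstanceProfile"]
    current_arn, current_id = profile["Arn"], profile["InstanceProfileId"]
    status = {}
    for instance_id, arn, attached_id in instance_profile_attachments(describe_instances_response):
        if arn is None:
            status[instance_id] = "none"
        elif arn != current_arn:
            status[instance_id] = "other_profile"
        elif attached_id == current_id:
            status[instance_id] = "ok"
        else:
            status[instance_id] = "stale"
    return status


def stale_instances(get_instance_profile_response, describe_instances_response):
    """Instance IDs that need a valid instance profile re-attached."""
    statuses = check_instance_profile_ids(get_instance_profile_response, describe_instances_response)
    return sorted(i for i, s in statuses.items() if s == "stale")


if __name__ == "__main__":
    for instance_id, state in check_instance_profile_ids(
            GET_INSTANCE_PROFILE_RESPONSE, DESCRIBE_INSTANCES_RESPONSE).items():
        print(f"{instance_id}: {state}")
```

Instances reported as 'stale' are the case the paragraph above describes: the IDs differ, so the attached profile is no longer valid and a valid one must be attached.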
The iam/info document indicates a success but indicates "Message":"Instance Profile does not contain a role..."
The role has been removed from the instance profile by the IAM RemoveRoleFromInstanceProfile action. You can use the IAM AddRoleToInstanceProfile action to attach a role to the instance profile.
Your application will need to wait until the next scheduled refresh to access the credentials for the role.
To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
The iam/security-credentials/[role-name] document indicates "Code":"AssumeRoleUnauthorizedAccess"
Amazon EC2 does not have permission to assume the role. Permission to assume the role is controlled by the trust policy attached to the role, like the example that follows. Use the IAM UpdateAssumeRolePolicy API to update the trust policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": ["ec2.amazonaws.com"]},
      "Action": ["sts:AssumeRole"]
    }
  ]
}
Your application will need to wait until the next automatically scheduled refresh to access the credentials for the role.
To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
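Pulling this section together, an added Python example (not from this page or from AWS) that classifies the iam/info and iam/security-credentials/[role-name] documents into the cases described above and maps each to the remediation the text gives, plus a check that a role trust policy allows the EC2 service principal to call sts:AssumeRole. The IMDS documents are constructed samples, not captured output: only the Code and Message strings quoted on this page are taken from it, and timestamps, ARNs, IDs and credential fields are placeholders. The trust policy constant reproduces the example shown above.

```python
import json

# Constructed IMDS documents (not captured from a real instance). Only the Code and
# Message strings quoted in this section are taken from the page; everything else
# is a placeholder.
INFO_PROFILE_NOT_FOUND = json.dumps({
    "Code": "InstanceProfileNotFound",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Message": "placeholder message text",
})
INFO_NO_ROLE = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Message": "Instance Profile does not contain a role",
    "InstanceProfileArn": "arn:aws:iam::999999999999:instance-profile/ExampleInstanceProfile",
    "InstanceProfileId": "AIPAEXAMPLEPROFILEID00",
})
INFO_SUCCESS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "InstanceProfileArn": "arn:aws:iam::999999999999:instance-profile/ExampleInstanceProfile",
    "InstanceProfileId": "AIPAEXAMPLEPROFILEID00",
})
CREDS_UNAUTHORIZED = json.dumps({
    "Code": "AssumeRoleUnauthorizedAccess",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Message": "placeholder message text",
})
CREDS_SUCCESS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "EXAMPLESECRET",
    "Token": "EXAMPLETOKEN",
    "Expiration": "2024-01-01T06:00:00Z",
})

# The trust policy example from the section above.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": ["ec2.amazonaws.com"]},
                   "Action": ["sts:AssumeRole"]}],
}

# Remediation text follows what this section states for each case.
REMEDIATION = {
    "profile_not_found": "Instance profile deleted: attach a valid instance profile to the instance.",
    "profile_has_no_role": "Role removed from the profile: AddRoleToInstanceProfile, then wait for "
                           "the next refresh or disassociate/associate the profile (or stop/start).",
    "assume_role_unauthorized": "Trust policy does not allow ec2.amazonaws.com to sts:AssumeRole: "
                                "fix it with UpdateAssumeRolePolicy, then wait for the next refresh.",
    "profile_ok_credentials_unchecked": "iam/info is healthy; fetch security-credentials/[role-name] next.",
    "healthy": "Credentials are available.",
    "unknown": "Unrecognised document; inspect Code and Message by hand.",
}


def diagnose_iam_subtree(info_doc, credentials_doc=None):
    """Classify the iam/info document and, if supplied, the security-credentials
    document, returning one of the REMEDIATION keys."""
    info = json.loads(info_doc)
    if info.get("Code") == "InstanceProfileNotFound":
        return "profile_not_found"
    if info.get("Code") != "Success":
        return "unknown"
    # The empty-profile case reports Success with an explanatory Message.
    if str(info.get("Message", "")).startswith("Instance Profile does not contain a role"):
        return "profile_has_no_role"
    if credentials_doc is None:
        return "profile_ok_credentials_unchecked"
    creds = json.loads(credentials_doc)
    if creds.get("Code") == "AssumeRoleUnauthorizedAccess":
        return "assume_role_unauthorized"
    if creds.get("Code") == "Success" and "AccessKeyId" in creds:
        return "healthy"
    return "unknown"


def trust_policy_allows_ec2(policy):
    """True if some Allow statement names the EC2 service principal and grants
    sts:AssumeRole. Only an explicit Service principal is considered."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "ec2.amazonaws.com" in services and any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            return True
    return False


if __name__ == "__main__":
    for info, creds in [(INFO_PROFILE_NOT_FOUND, None), (INFO_NO_ROLE, None),
                        (INFO_SUCCESS, CREDS_UNAUTHORIZED), (INFO_SUCCESS, CREDS_SUCCESS)]:
        case = diagnose_iam_subtree(info, creds)
        print(f"{case}: {REMEDIATION[case]}")
    print("trust policy allows EC2:", trust_policy_allows_ec2(EC2_TRUST_POLICY))
```

In each error case the remediation only takes effect at the next scheduled credential refresh unless the instance profile is disassociated and re-associated or the instance is stopped and started, as the text above repeats for each case.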