Prerequisites Configuring a profile for Amazon EC2 metadata

Using Amazon EC2 instance metadata as credentials in the AWS CLI

When you run the AWS CLI from within an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the AWS CLI can directly query for temporary credentials. When an IAM role is attached to the instance, the AWS CLI automatically and securely retrieves the credentials from the instance metadata.

To disable this service, use the AWS_EC2_METADATA_DISABLED environment variable.

Topics

Prerequisites
Configuring a profile for Amazon EC2 metadata

Prerequisites

To use Amazon EC2 credentials with the AWS CLI, you need to complete the following:

Install and configure the AWS CLI. For more information, see Installing or updating to the latest version of the AWS CLI and Authentication and access credentials for the AWS CLI.
You understand configuration files and named profiles. For more information, see Configuration and credential file settings in the AWS CLI.
You've created an AWS Identity and Access Management (IAM) role that has access to the resources needed, and attached that role to the Amazon EC2 instance when you launch it. For more information, see IAM policies for Amazon EC2 in the Amazon EC2 User Guide and Granting Applications That Run on Amazon EC2 Instances Access to AWS Resources in the IAM User Guide.

Configuring a profile for Amazon EC2 metadata

To specify that you want to use the credentials available in the hosting Amazon EC2 instance profile, use the following syntax in the named profile in your configuration file. See the following steps for more instructions.


[profile profilename]
role_arn = arn:aws:iam::123456789012:role/rolename
credential_source = Ec2InstanceMetadata
region = region

Create a profile in your configuration file.
```
[profile profilename]
```
Add your IAM arn role that has access to the resources needed.
```
role_arn = arn:aws:iam::123456789012:role/rolename
```
Specify Ec2InstanceMetadata as your credential source.
```
credential_source = Ec2InstanceMetadata
```
Set your Region.
```
region = region
```

Example

The following example assumes the marketingadminrole role and uses the us-west-2 Region in an Amazon EC2 instance profile named marketingadmin.


[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
region = us-west-2

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

IAM users

External credentials