My previous post talked about creating AWS IAM Instance Profiles so you don’t have to save keys on the instances. In this post, we’ll look at using Ansible to launch EC2 instances with IAM Instance Profiles attached to them (you don’t want to do this manually forever, do you?).
(You cannot attach IAM Instance Profiles to existing instances, unfortunately).
Assuming that you already have in place an IAM user that you’ve dedicated for use by Ansible, let’s head to the next step. In order for this IAM user to attach IAM Instance Profiles to EC2 instances, the user will have to be set up with “PassRole” privileges.
Head to the AWS Console and navigate to Identity and Access Management (IAM). Hit the “Users” tab and click on the user, as discussed above.
Then, hit the “Permissions” tab and scroll down to “Inline Policies”, and hit “click here”.
In the “Set Permissions” page, select “Policy Generator” and hit Select.
In the AWS Service drop-down, select AWS IAM, and then select “PassRole” from the Actions drop-down. Paste in the ARN of the role created from the previous blog post.
Click “Add Statement” and head to the next screen for a Summary.
Hit Apply Policy to finish.
Your Ansible playbooks can now create EC2 instances with IAM Instance Profiles attached to them. You’re done!
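As an added example (not code from the original post), here are both halves of the procedure expressed as Ansible plays instead of console clicks: the first play grants the Ansible user `iam:PassRole` for exactly one role ARN, which is what the Policy Generator steps above produce as an inline policy; the second play launches an instance with that profile attached. It uses the classic `iam_policy` and `ec2` modules. The account ID, the role/profile name `ec2-s3-reader`, the IAM user name `ansible`, the region, key pair, security group and the AMI ID are all placeholders you must replace.

```yaml
---
# Added example, not from the original post. All names below are assumptions.
#
# Play 1: run this as an administrator, NOT as the Ansible user. It grants the
# Ansible user iam:PassRole for one specific role, so it can hand that role
# (and nothing broader) to the instances it launches.
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    account_id: "123456789012"          # placeholder: your AWS account ID
    instance_role_name: ec2-s3-reader    # assumption: role from the previous post
    ansible_iam_user: ansible            # assumption: the IAM user Ansible runs as
    passrole_policy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: iam:PassRole
          # Scope the resource to the one role ARN. A Resource of "*" would let
          # this user attach ANY role, including administrative ones, to
          # instances it launches.
          Resource: "arn:aws:iam::{{ account_id }}:role/{{ instance_role_name }}"
  tasks:
    - name: Allow the Ansible user to pass the instance role to EC2
      iam_policy:
        iam_type: user
        iam_name: "{{ ansible_iam_user }}"
        policy_name: AllowPassInstanceRole
        state: present
        policy_json: "{{ passrole_policy | to_json }}"

# Play 2: run as the Ansible user. The user's existing EC2 launch permissions
# are assumed; PassRole is the only thing the post adds to them.
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    # The console creates an instance profile with the same name as the role;
    # the ec2 module wants the PROFILE name here, not the role ARN.
    instance_profile_name: ec2-s3-reader
  tasks:
    - name: Launch an EC2 instance with the instance profile attached
      ec2:
        region: us-east-1                  # assumption
        image: ami-PLACEHOLDER             # placeholder: a real AMI ID for your region
        instance_type: t2.micro
        key_name: my-keypair               # assumption
        group: default                     # security group, assumption
        instance_profile_name: "{{ instance_profile_name }}"
        wait: yes
        count: 1
        instance_tags:
          Name: profile-demo
      register: launched

    - name: Report the launched instance IDs
      debug:
        msg: "{{ item.id }} launched with instance profile {{ instance_profile_name }}"
      with_items: "{{ launched.instances }}"
```

If the first play is skipped or the `Resource` does not match the role ARN exactly, the second play fails at launch with an authorization error on `iam:PassRole`, which is the check that the scoping is doing its job. On the running instance, `curl http://169.254.169.254/latest/meta-data/iam/info` from the instance itself shows which profile was attached, so you can confirm the instance got the intended role and not a broader one.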