Let’s go through the process of creating an IAM role with read only permissions to IAM resources, and attaching that role to an EC2 instance. Screenshots for key steps are included.

Prerequisites:

• AWS CLI configured on your local system
• An existing EC2 instance to attach the IAM role to 

Step 1 – Create IAM role

Use your favorite text editor and create the file “ec2-trust-policy.json” with the content below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "ec2.amazonaws.com"
                ]
            }
        }
    ]
}

Use the create-role command to create a role called “myIAMAdminRole” and allow EC2 instances to assume it:

aws iam create-role --role-name myIAMAdminRole --assume-role-policy-document file://ec2-trust-policy.json

Step 2 – Attach IAM Managed Policy 

Next we’ll attach the IAM Read Only Access managed policy using the attach-role-policy command:

aws iam attach-role-policy --role-name myIAMAdminRole --policy-arn arn:aws:iam::aws:policy/IAMReadOnlyAccess

Step 3 – Create & Associate Instance Profile

Now we need to create an instance profile and associate it with our EC2 instance:

aws iam create-instance-profile --instance-profile-name myIAMAdminProfile

aws iam add-role-to-instance-profile --role-name myIAMAdminRole --instance-profile-name myIAMAdminProfile 

aws ec2 associate-iam-instance-profile --instance-id i-0afxxxxx123 --iam-instance-profile Name="myIAMAdminProfile"

Note: Make sure to substitute “i-0afxxxxx123″ for the appropriate ec2 instance ID in your environment.

Confirm Attachment

Finally, we can validate that the IAM role is now attached in the AWS Console:  

If you have any questions or require assistance, we are actively seeking strategic partnerships and would welcome the opportunity to collaborate. Don’t hesitate to contact us!