I am trying to access SQS from a Spring Boot app running on an EC2 instance. Both the consumer and the SQS queue will be on the same AWS account. I was told that I should add an instance profile to the EC2 instance to access SQS. What is the difference between a role and an instance profile in this case? Wouldn't a role with an appropriate policy be sufficient?
An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles. This limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to an instance profile.
Use IAM Roles/Instance Profiles instead of IAM Access Keys to appropriately grant access permissions to any application running on your Amazon EC2 instances that performs AWS API requests. With IAM roles you can avoid sharing long-term credentials and protect your instances against unauthorized access.
When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources.
An Instance Profile is a container for a single IAM Role.
A typical convention is to create an IAM Role and an Instance Profile of the same name for clarity.
An EC2 Instance cannot be assigned a Role directly, but it can be assigned an Instance Profile which contains a Role.
The benefit of using an Instance Profile is that you don't need to manage an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Your application no longer needs to worry about how to securely store and access that information.
Using Instance Profiles
IAM Roles for Amazon EC2
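To make the "temporary permissions" described in the two answers above concrete, here is an added example (not code from either answer or from AWS) of the exchange an application on the instance performs against the instance metadata service to obtain the credentials of the role inside its instance profile. The endpoint and paths are the documented IMDSv2 ones; the role name, token and credential values are constructed sample data, and the HTTP transport is injectable so the code runs without an EC2 instance.

```python
"""Fetch the temporary credentials that an instance profile's role exposes through
IMDSv2. Added example; the transport is injectable so the flow runs offline."""
import json
from datetime import datetime, timezone
from typing import Callable, Dict
from urllib import request

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"  # IMDSv2 session token lifetime requested (max 6 hours)
HttpFn = Callable[[str, str, Dict[str, str]], str]


def imds_http(method: str, url: str, headers: Dict[str, str]) -> str:
    """Real transport: a plain HTTP request to the link-local metadata endpoint."""
    req = request.Request(url, method=method, headers=headers)
    with request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def parse_imds_time(value: str) -> datetime:
    """IMDS timestamps look like 2024-01-01T16:00:00Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def instance_profile_credentials(http: HttpFn = imds_http) -> dict:
    """Walk the IMDSv2 exchange: session token -> role name -> role credentials."""
    # 1. PUT for a session token (IMDSv1 skips this). The instance's PUT-response hop
    #    limit is what stops a request relayed through an extra network hop, the classic
    #    SSRF path, from obtaining one.
    token = http("PUT", f"{IMDS}/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    auth = {"X-aws-ec2-metadata-token": token}
    # 2. The listing names the single role the instance profile contains.
    listing = http("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/", auth)
    roles = listing.split()
    if len(roles) != 1:
        raise RuntimeError(f"expected exactly one role in the instance profile, got {roles!r}")
    role = roles[0]
    # 3. The role's temporary credentials: key id, secret, session token and expiry.
    body = json.loads(http("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/{role}", auth))
    if body.get("Code") != "Success":
        raise RuntimeError(f"IMDS reported {body.get('Code')}: {body.get('Message')}")
    return {
        "role": role,
        "access_key_id": body["AccessKeyId"],
        "secret_access_key": body["SecretAccessKey"],
        "session_token": body["Token"],
        "expires_at": parse_imds_time(body["Expiration"]),
    }


def seconds_until_refresh(creds: dict, now: datetime, margin: int = 300) -> int:
    """How long the credentials may be cached: SDKs refresh a few minutes before expiry."""
    remaining = int((creds["expires_at"] - now).total_seconds())
    return max(0, remaining - margin)


# --- constructed sample IMDS responses; nothing here came from a real instance ---
SAMPLE_ROLE = "sqs-consumer-role"
SAMPLE_TOKEN = "AQAAAexample-imdsv2-session-token"
SAMPLE_RESPONSES = {
    ("PUT", f"{IMDS}/latest/api/token"): SAMPLE_TOKEN,
    ("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/"): SAMPLE_ROLE + "\n",
    ("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/{SAMPLE_ROLE}"): json.dumps({
        "Code": "Success",
        "LastUpdated": "2024-01-01T10:00:00Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
        "SecretAccessKey": "exampleSecretKeyNotReal0000000000000000",
        "Token": "IQoJb3JpZ2luX2VjEXAMPLEsessiontoken",
        "Expiration": "2024-01-01T16:00:00Z",
    }),
}


def fake_http(method: str, url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for IMDS that, like IMDSv2, rejects GETs without a session token."""
    if method == "GET" and headers.get("X-aws-ec2-metadata-token") != SAMPLE_TOKEN:
        raise PermissionError("401 Unauthorized: IMDSv2 session token required")
    return SAMPLE_RESPONSES[(method, url)]


if __name__ == "__main__":
    creds = instance_profile_credentials(fake_http)  # pass imds_http on a real instance
    print(creds["role"], creds["access_key_id"], creds["expires_at"].isoformat())
```

On a real instance pass `imds_http` instead of `fake_http`. The Spring Boot app in the question normally never does this by hand: the AWS SDK for Java's default credential provider chain includes an instance profile credentials provider that performs this same exchange and refreshes before expiry, which is why no access key or secret has to be configured. The token check in `fake_http` mirrors the reason to enforce IMDSv2 on the instance (`HttpTokens=required` in the metadata options): with IMDSv1 the GET alone returns the credentials, which is exactly what an SSRF bug in the application would hand to an attacker.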
We cannot attach a role directly to an EC2 instance; that's why we have to use an instance profile, which acts as a container for a role. An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles.
The EC2 instance gets the permissions of the role that is part of the instance profile.
The limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to an instance profile.
If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role.
When using the CLI, creating roles and instance profiles are separate actions, because roles and instance profiles can have different names.
More information is available here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
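The separate CLI actions the answer above describes, as an added example (not code from the answer or from AWS) written against the boto3 client methods that correspond to `aws iam create-role`, `aws iam put-role-policy`, `aws iam create-instance-profile`, `aws iam add-role-to-instance-profile` and `aws ec2 associate-iam-instance-profile`. The role/profile name, queue ARN and instance id are hypothetical, and the clients are passed in so the sequence runs offline against the recording stand-in defined below.

```python
"""Create an IAM role, an instance profile to hold it, and attach the profile to an
EC2 instance, one API call per CLI step. Added example: clients are passed in, so it
runs offline against the recording stand-in below; pass boto3.client("iam") and
boto3.client("ec2") to run it for real."""
import json
from typing import Any, Dict, List, Tuple

# Trust policy: the EC2 service is the only principal allowed to assume the role.
# Without it the instance profile could not hand the role's credentials to the instance.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def sqs_consumer_policy(queue_arn: str) -> dict:
    """Least privilege for a queue consumer: receive/delete on the one queue it reads."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
            ],
            "Resource": queue_arn,  # not "*": a consumer needs this one queue only
        }],
    }


def provision(iam: Any, ec2: Any, name: str, queue_arn: str, instance_id: str) -> None:
    """The steps the console performs behind a single 'create role for EC2' click.
    Role and profile get the same name (the usual convention) but stay separate resources."""
    # aws iam create-role
    iam.create_role(RoleName=name, AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    # aws iam put-role-policy (inline permissions policy on the role)
    iam.put_role_policy(RoleName=name, PolicyName=f"{name}-sqs",
                        PolicyDocument=json.dumps(sqs_consumer_policy(queue_arn)))
    # aws iam create-instance-profile (an empty container at this point)
    iam.create_instance_profile(InstanceProfileName=name)
    # aws iam add-role-to-instance-profile: one role per profile, no more
    iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=name)
    # aws ec2 associate-iam-instance-profile: the instance references the profile, never
    # the role. IAM is eventually consistent, so a real run may need to retry this call
    # for a few seconds after the profile was created.
    ec2.associate_iam_instance_profile(IamInstanceProfile={"Name": name}, InstanceId=instance_id)


class RecordingClient:
    """Offline stand-in for a boto3 client: records calls and enforces the
    one-role-per-instance-profile limit so it can be observed without an AWS account."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []
        self.profile_roles: Dict[str, str] = {}

    def __getattr__(self, api: str):
        def call(**kwargs: Any) -> dict:
            self.calls.append((api, kwargs))
            if api == "add_role_to_instance_profile":
                profile = kwargs["InstanceProfileName"]
                if profile in self.profile_roles:
                    raise RuntimeError(f"LimitExceeded: {profile} already holds a role")
                self.profile_roles[profile] = kwargs["RoleName"]
            return {}
        return call

    def api_calls(self) -> List[str]:
        return [api for api, _ in self.calls]


# Hypothetical names, ARN and instance id for the demonstration.
DEMO_NAME = "sqs-consumer"
DEMO_QUEUE_ARN = "arn:aws:sqs:eu-west-1:123456789012:orders"
DEMO_INSTANCE_ID = "i-0123456789abcdef0"

if __name__ == "__main__":
    iam, ec2 = RecordingClient(), RecordingClient()
    provision(iam, ec2, DEMO_NAME, DEMO_QUEUE_ARN, DEMO_INSTANCE_ID)
    for api, kwargs in iam.calls + ec2.calls:
        print(api, sorted(kwargs))
```

The recording client also shows the limit the answer mentions: a second `add_role_to_instance_profile` against the same profile is rejected, so swapping roles means removing the existing one first. The permissions policy is scoped to the queue ARN the question describes rather than `sqs:*` on `*`; whatever the instance can do with the profile's credentials, any code (or attacker) on that instance can do too, so the role's policy is the place to keep the blast radius small.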