 

Access SQS from EC2 - Instance Profile vs Role

I am trying to access SQS from a Spring Boot app running on an EC2 instance. Both the consumer and the SQS queue will be in the same AWS account. I was told that I should add an instance profile to the EC2 instance to access SQS. What is the difference between a role and an instance profile in this case? Wouldn't a role with the appropriate policy be sufficient?

Punter Vicky asked May 10 '18 15:05



People also ask

What is difference between instance profile and role?

An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles. This limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to an instance profile.

What is advantage of IAM role with EC2?

Use IAM roles/instance profiles instead of IAM access keys to grant access permissions to any application running on your Amazon EC2 instances that performs AWS API requests. With IAM roles you avoid distributing long-term credentials to the instance and protect the instance against credential theft: the role's credentials are temporary and rotated automatically.

Why use an IAM role instead of the credentials?

When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources.


2 Answers

An Instance Profile is a container for a single IAM Role.

A typical convention is to create an IAM Role and an Instance Profile of the same name for clarity.

An EC2 Instance cannot be assigned a Role directly, but it can be assigned an Instance Profile which contains a Role.

The benefit of using an Instance Profile is that you don't need to manage an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Your application no longer needs to worry about how to securely store and access that information.

Using Instance Profiles

IAM Roles for Amazon EC2

Kyle Anderson answered Sep 19 '22 07:09



We cannot attach a role directly to an EC2 instance; that's why we have to use an instance profile, which acts as a container for a role. An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles.

EC2 will get the permission of the role which is part of the instance profile.

The limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to an instance profile.

If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role.

When using the CLI, creating roles and instance profiles are separate actions, because roles and instance profiles can have different names.

More information is available here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

Prajilesh answered Sep 18 '22 07:09

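The following script is an added example, not code from either answer, showing the CLI sequence both answers describe: the role and the instance profile are created as two separate objects, the role is placed into the profile, and the profile (never the role itself) is associated with the instance. It also shows the two policy documents a practitioner actually needs: the trust policy that lets only the EC2 service assume the role, and a permission policy scoped to one queue ARN rather than `sqs:*` on `*`. The role/profile name `sqs-consumer`, the queue ARN, account ID and instance ID used in the usage note are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: give an EC2-hosted SQS consumer a role via an instance profile.
# All names below (sqs-consumer, the queue ARN, the instance ID) are assumed
# placeholders; substitute your own.

# Trust policy: only the EC2 service principal may assume this role. Without
# it, EC2 cannot mint temporary credentials for the instance.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy for a consumer: the minimal SQS actions, restricted to a
# single queue ARN. Takes the queue ARN as its only argument.
sqs_consumer_policy() {
  queue_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "sqs:ReceiveMessage",
      "sqs:DeleteMessage",
      "sqs:ChangeMessageVisibility",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl"
    ],
    "Resource": "${queue_arn}"
  }]
}
EOF
}

# Role and instance profile are separate IAM objects and separate CLI calls.
# Arguments: ROLE_NAME PROFILE_NAME QUEUE_ARN INSTANCE_ID
setup_instance_profile() {
  role="$1"; profile="$2"; queue_arn="$3"; instance_id="$4"

  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$role" \
    --policy-name "${role}-sqs" \
    --policy-document "$(sqs_consumer_policy "$queue_arn")"

  aws iam create-instance-profile --instance-profile-name "$profile"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$profile" --role-name "$role"

  # EC2 takes the profile, not the role.
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile Name="$profile"
}

# Run on the instance: confirm the SDK's default credential chain will find the
# role through IMDSv2 (session-token header required) and that STS sees it.
verify_on_instance() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  echo
  aws sts get-caller-identity
}

# Only perform the AWS calls when all four arguments are supplied.
if [ "$#" -eq 4 ]; then
  setup_instance_profile "$@"
fi
```

Usage: `sh setup.sh sqs-consumer sqs-consumer arn:aws:sqs:us-east-1:123456789012:orders i-0123456789abcdef0`. IAM is eventually consistent, so the `associate-iam-instance-profile` call can fail for a few seconds after the profile is created; retry it rather than loosening anything. Once associated, the Spring Boot app needs no access keys at all: the AWS SDK's default credential provider walks to the instance metadata service and picks up the role's temporary credentials, and `verify_on_instance` shows the role name and ARN it will be using.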