
How to add an IAM role to an existing instance in AWS?

I would like to add an IAM Role to an existing EC2 instance in AWS. I tried using AWS CLI. However, I could not find a way to do that.

asked Mar 10 '16 10:03

Sanjeev Kumar


2 Answers

As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.

You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.

For more details, see the following article on AWS Security Blog:

Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.

UPDATE

As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.

answered Oct 15 '22 15:10

Khalid T.


If you are getting the "The association is not the active association" error when trying to attach a role to an existing EC2 instance, then you should:

1. Detach the existing role from the existing EC2 instance.
2. Attach a new role to the existing EC2 instance.

Once you do that, you will be able to attach a role to an existing EC2 instance.

answered Oct 15 '22 14:10

Ajit Goel
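
The two commands named in the first answer, combined into one script as an added example that is not part of either post: it looks up the instance's current association with `describe-iam-instance-profile-associations`, then associates a profile if there is none or replaces the existing one in place (rather than the detach-then-attach sequence of the second answer). The instance ID and profile name are constructed placeholders; note that these commands take an instance profile name, not a role name.

```shell
#!/usr/bin/env bash
# Added example: attach an instance profile to an EC2 instance, or swap the
# one already attached. Instance ID and profile name below are placeholders.

# Print the ID of the instance's current association, or nothing if none.
current_association() {
  local instance_id="$1" assoc
  assoc=$(aws ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=${instance_id}" \
              "Name=state,Values=associating,associated" \
    --query 'IamInstanceProfileAssociations[0].AssociationId' \
    --output text) || return 1
  # --output text renders a missing value as the literal string "None".
  if [ -n "$assoc" ] && [ "$assoc" != "None" ]; then
    printf '%s\n' "$assoc"
  fi
}

# Attach the profile if the instance has none, otherwise replace the existing
# association. Prints "associated" or "replaced" on success.
set_instance_profile() {
  local instance_id="$1" profile_name="$2" assoc
  assoc=$(current_association "$instance_id") || return 1
  if [ -z "$assoc" ]; then
    aws ec2 associate-iam-instance-profile \
      --instance-id "$instance_id" \
      --iam-instance-profile "Name=${profile_name}" >/dev/null || return 1
    echo "associated"
  else
    aws ec2 replace-iam-instance-profile-association \
      --association-id "$assoc" \
      --iam-instance-profile "Name=${profile_name}" >/dev/null || return 1
    echo "replaced"
  fi
}

# Usage: ./set-profile.sh i-0123456789abcdef0 example-app-profile
if [ "$#" -eq 2 ]; then
  set_instance_profile "$1" "$2"
fi
```

The caller needs `iam:PassRole` on the role inside the profile in addition to the EC2 permissions for these three calls.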