Setting Up Ec2 Instance Profiles
Attach an IAM instance profile to EC2 so your app calls AWS APIs with temporary credentials instead of hard-coded keys.
Overview
Setting Up EC2 Instance Profiles is an agent skill most often used in Operate (also Build integrations) that configures IAM roles and instance profiles so EC2 workloads call AWS services without embedded credentials.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill setting-up-ec2-instance-profilesWhat is this skill?
- Stepwise SOP: collect instance_id, region, and services_needed before any AWS changes
- Maps required AWS service access (e.g. s3,dynamodb,sqs) into IAM role design
- Creates or reuses a named IAM role and binds it via an EC2 instance profile
- Replaces embedded credentials with role-based temporary credentials on the instance
- Optional role_name default pattern: {instance_id}-role
- 4 required parameters: instance_id, region, services_needed, optional role_name
Adoption & trust: 935 installs on skills.sh; 819 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your EC2 app needs AWS APIs but you are stuck using static keys or unclear which IAM permissions and profile attachment steps to run safely.
Who is it for?
Solo builders on EC2 who know instance ID, region, and which AWS services the app must reach and want a guided IAM setup.
Skip if: Local-only development without EC2, workloads that should use ECS task roles or Lambda execution roles instead, or cases where you already have a validated instance profile and only need application code changes.
When should I use this skill?
You need an EC2 instance to call AWS services and want IAM role + instance profile setup instead of embedded credentials.
What do I get? / Deliverables
After the SOP, the target instance assumes an IAM role via an instance profile scoped to the services you listed, ready for app code using the default credential chain.
- IAM role scoped to listed services
- Instance profile attached to the target EC2 instance
- Verified credential chain for the workload
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Operate/infra because the SOP secures production EC2 access patterns (roles, profiles, service permissions). Instance profiles and IAM wiring are core infrastructure configuration on running or soon-to-ship hosts.
Where it fits
Wire a new API service on EC2 to read S3 and write DynamoDB before the first deploy.
Replace leaked or broad IAM user keys with a scoped instance profile before launch.
Add SQS or CloudWatch permissions to a running instance without redeploying secrets.
How it compares
Use this procedural IAM SOP instead of pasting root or IAM user keys into .env on the instance.
Common Questions / FAQ
Who is setting-up-ec2-instance-profiles for?
Indie and solo builders running apps on EC2 who need secure, scoped AWS API access without long-lived access keys in the codebase.
When should I use setting-up-ec2-instance-profiles?
During Operate when fixing production permissions, when onboarding a new EC2 host in Build integrations, or before Ship when hardening launch infrastructure—any time the instance must call listed AWS services via IAM roles.
Is setting-up-ec2-instance-profiles safe to install?
Review the Security Audits panel on this Prism page and treat any IAM or EC2 changes as production-impacting; run with least privilege and confirm instance_id and region before applying.
SKILL.md
READMESKILL.md - Setting Up Ec2 Instance Profiles
# EC2 Instance Profile Setup ## Overview This SOP guides you through the complete process of granting an EC2 instance permissions to call AWS services securely using IAM roles and instance profiles. Instead of embedding AWS credentials in your application code, instance profiles allow EC2 instances to assume IAM roles and obtain temporary credentials automatically. This SOP helps identify required permissions, creates or uses an existing IAM role, sets up the instance profile, and attaches it to the target EC2 instance. ## Parameters Prompt the user in a single message to provide all required parameters at once. Clearly list the required parameters and their descriptions, and include any optional parameters with their default values. Do not proceed until you have received and confirmed all required parameters. If any required parameter is missing or unclear, you MUST explicitly request the missing information before moving forward. - **instance_id** (required): The ID of the EC2 instance to configure (e.g., "i-1234567890abcdef0") - **region** (required): The AWS region where the instance is running (e.g., "us-east-1", "eu-west-1") - **services_needed** (required): Comma-separated list of AWS services the instance needs to access (e.g., "s3,dynamodb,sqs", "s3,lambda,cloudwatch") - **role_name** (optional): Name for the IAM role to create or reuse (default: "{instance_id}-role") Only proceed to the steps below if you have all required information. ## Steps ### 1. Verify Dependencies Check for required tools and warn the user if any are missing. **Constraints:** - You MUST verify the following tools are available in your context: - call_aws - You MUST ONLY check for tool existence and MUST NOT attempt to run the tools because running tools during verification could cause unintended side effects, consume resources unnecessarily, or trigger actions before the user is ready - You MUST inform the user about any missing tools with a clear message - You MUST ask if the user wants to proceed anyway despite missing tools - You MUST respect the user's decision to proceed or abort ### 2. Verify EC2 Instance Exists Confirm the target EC2 instance exists and retrieve its current configuration. **Constraints:** - You MUST verify the instance exists using: `aws ec2 describe-instances --instance-ids ${instance_id} --region ${region}` - You MUST check if the instance already has an IAM instance profile attached by examining the `IamInstanceProfile` field in the response - You MUST extract the instance name from tags (if available) for better identification - You MUST inform the user of the instance's current state (running, stopped, etc.) - You MUST warn the user if the instance already has an instance profile attached and ask if they want to replace it - You MUST handle the case where the instance does not exist and provide a clear error message - You MUST retain the `describe-instances` output for reuse in later steps (e.g., to reference association IDs in Step 8) ### 3. Check for Existing IAM Role Determine whether to create a new IAM role or reuse an existing one, then verify the selected option. **Constraints:** - You MUST ask the user if they want to reuse an existing IAM role or create a new one - You MUST require the user to provide the role name if they choose to reuse an existing role and one was not already supplied - If the user opts to create a new role, you MUST proceed to Step 4 and skip the remaining checks in this step - If the user opts to reuse an existing role: - You MUST verify the role exists using: `aws iam get-role --role-name ${role_name} --region ${region}` - You MUST retrieve the role's trust policy to verify it allows EC2 service to assume it - You MUST check the trust policy contains: ```json { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ``` - You MUST list all policies attached to the r