Allow passing an IAM Instance Profile to ec2.Instance #8348
Comments
Workaround:

```typescript
const instance = new ec2.Instance(...);
instance.node.tryRemoveChild('InstanceProfile');
instance.instance.iamInstanceProfile = otherInstance.instance.iamInstanceProfile;
```
Is having a context provider to fetch the InstanceProfile for the Role a good solution?

And how about

@rix0rrr I would like to implement this. Would be my first contribution so I need a little guidance. My assumptions so far:
I am not sure if we have the same use case, but I ran into this issue when trying to automate a host to connect to through AWS Session Manager. For this use case the instance needs to have an instance profile that contains the policy "AmazonSSMManagedInstanceCore". So I create a role, and attach that policy to it, then attach that role to the instance. This code works for me, perhaps you will also find it useful:

```typescript
import * as cdk from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as iam from "aws-cdk-lib/aws-iam";
import { Construct } from "constructs";

export interface BHStackProps extends cdk.StackProps {
  readonly vpc: ec2.Vpc;
  readonly sg: ec2.SecurityGroup;
}

export class BHStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: BHStackProps) {
    super(scope, id, props);
    const vpc = props.vpc;

    // Reference the AWS managed policy that lets the SSM agent register the
    // instance, so the host can be reached through AWS Session Manager
    const ssmPolicy = iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore");

    // Create the role resource, assumable only by the EC2 service
    const role = new iam.Role(this, "bastion-role", {
      assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
    });
    // Add the policy to the role
    role.addManagedPolicy(ssmPolicy);

    // Create host security group
    const bhSg = new ec2.SecurityGroup(this, "bh-sg", {
      vpc: vpc,
      allowAllOutbound: true,
      securityGroupName: "bh-sg",
    });

    // Create host resource with role and security group;
    // ec2.Instance creates the instance profile for this role internally
    const host = new ec2.Instance(this, "bastionHost", {
      vpc: vpc,
      securityGroup: bhSg,
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MICRO),
      machineImage: new ec2.AmazonLinuxImage({
        generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
      }),
      blockDevices: [
        {
          // Amazon Linux 2 AMIs use /dev/xvda as the root device, so this
          // attaches an additional 10 GiB volume rather than resizing the root
          deviceName: "/dev/sda1",
          volume: ec2.BlockDeviceVolume.ebs(10),
        },
      ],
      role: role,
    });
  }
}
```
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.

Comments on closed issues and PRs are hard for our team to see.
Currently ec2.Instance is creating the IamProfile internally, it isn't possible to inject a pre-constructed one. It is possible to inject a role, but when re-using the same role for several instances, a separate instance profile is being created for each of them.

aws-cdk/packages/@aws-cdk/aws-ec2/lib/instance.ts, line 277 at bd616d4
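The behaviour described above (one `AWS::IAM::InstanceProfile` per `ec2.Instance` even when several instances are given the same role) is easy to spot in the synthesized template. The following is an added example, not code from the aws-cdk project: a small TypeScript audit that walks a CloudFormation template, groups instance profiles by the role they reference, reports roles that ended up with more than one profile, flags profiles whose in-template role does not trust `ec2.amazonaws.com`, and lists instances that carry no profile at all. The template it runs on is constructed by hand to resemble CDK output and the logical ids (`SharedRole`, `HostA`, `HostB`, `FnRole`, `HostC`) are assumptions.

```typescript
// Added example (not code from the aws-cdk project): audit a synthesized
// CloudFormation template for the pattern this issue describes, where every
// ec2.Instance gets its own AWS::IAM::InstanceProfile even when several
// instances share one role. The template below is constructed by hand and
// only resembles CDK output; it is not a real synth result.

interface CfnResource {
  Type: string;
  Properties?: { [key: string]: any };
}

interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}

interface ProfileAudit {
  // role logical id (or literal role name) -> instance profiles that reference it
  profilesByRole: { [role: string]: string[] };
  // roles referenced by more than one instance profile: the redundancy in this issue
  redundantRoles: string[];
  // profiles whose in-template role has no Allow sts:AssumeRole for ec2.amazonaws.com
  profilesWithNonEc2Role: string[];
  // instances with no IamInstanceProfile at all (no role, so e.g. no SSM registration)
  instancesWithoutProfile: string[];
}

// A role in an instance profile may be a { Ref } to a role in the same template
// or a literal role name; return the logical id or the name.
function refName(value: any): string {
  if (typeof value === "string") return value;
  if (value && typeof value === "object" && typeof value.Ref === "string") return value.Ref;
  return JSON.stringify(value);
}

// True when the role's trust policy has an Allow statement letting the EC2 service assume it.
function roleTrustsEc2(role: CfnResource): boolean {
  const doc = role.Properties && role.Properties.AssumeRolePolicyDocument;
  const statements: any[] = (doc && doc.Statement) || [];
  return statements.some(function (s: any) {
    const actions: string[] = Array.isArray(s.Action) ? s.Action : [s.Action];
    const svc = s.Principal && s.Principal.Service;
    const services: string[] = Array.isArray(svc) ? svc : svc ? [svc] : [];
    return s.Effect === "Allow" &&
      actions.indexOf("sts:AssumeRole") !== -1 &&
      services.indexOf("ec2.amazonaws.com") !== -1;
  });
}

function auditInstanceProfiles(template: CfnTemplate): ProfileAudit {
  const profilesByRole: { [role: string]: string[] } = {};
  const profilesWithNonEc2Role: string[] = [];
  const instancesWithoutProfile: string[] = [];

  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type === "AWS::IAM::InstanceProfile") {
      const roles: any[] = (res.Properties && res.Properties.Roles) || [];
      for (const r of roles) {
        const roleId = refName(r);
        if (!profilesByRole[roleId]) profilesByRole[roleId] = [];
        profilesByRole[roleId].push(id);
        // Only roles defined in this template can be inspected; imported names are skipped.
        const roleRes = template.Resources[roleId];
        if (roleRes && roleRes.Type === "AWS::IAM::Role" && !roleTrustsEc2(roleRes)) {
          profilesWithNonEc2Role.push(id);
        }
      }
    } else if (res.Type === "AWS::EC2::Instance") {
      if (!res.Properties || res.Properties.IamInstanceProfile === undefined) instancesWithoutProfile.push(id);
    }
  }

  const redundantRoles = Object.keys(profilesByRole).filter(function (role) {
    return profilesByRole[role].length > 1;
  });
  return { profilesByRole, redundantRoles, profilesWithNonEc2Role, instancesWithoutProfile };
}

// Constructed sample: two instances given the same role (one profile each, as the
// issue describes), one profile on a Lambda-trusted role, one instance with no profile.
const ec2Trust = { Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "ec2.amazonaws.com" } }] };
const lambdaTrust = { Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" } }] };
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    SharedRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: ec2Trust,
      ManagedPolicyArns: ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"] } },
    HostAInstanceProfile: { Type: "AWS::IAM::InstanceProfile", Properties: { Roles: [{ Ref: "SharedRole" }] } },
    HostA: { Type: "AWS::EC2::Instance", Properties: { IamInstanceProfile: { Ref: "HostAInstanceProfile" } } },
    HostBInstanceProfile: { Type: "AWS::IAM::InstanceProfile", Properties: { Roles: [{ Ref: "SharedRole" }] } },
    HostB: { Type: "AWS::EC2::Instance", Properties: { IamInstanceProfile: { Ref: "HostBInstanceProfile" } } },
    FnRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: lambdaTrust } },
    FnProfile: { Type: "AWS::IAM::InstanceProfile", Properties: { Roles: [{ Ref: "FnRole" }] } },
    HostC: { Type: "AWS::EC2::Instance", Properties: { InstanceType: "t3.micro" } },
  },
};
```

Running `auditInstanceProfiles(SAMPLE_TEMPLATE)` on the constructed template reports `SharedRole` as a redundant role (two profiles, `HostAInstanceProfile` and `HostBInstanceProfile`, point at it), `FnProfile` as a profile whose role does not trust EC2, and `HostC` as an instance without a profile. Pointing the same function at the output of `cdk synth` (parsed with `JSON.parse`) gives a quick check of how many profiles a stack creates per role, and whether each one is attached to a role that EC2 can actually assume.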