IAM what I am


Amazon is a fantastic company and one of the pioneers of cloud computing, forging the path which many vendors have followed. They have recently rectified something that has long been a bugbear of mine: the ability to retrospectively add an IAM role to a running instance in AWS. For several years, if an instance was launched in AWS without an IAM role being defined during the initial configuration, the only option was to terminate the instance and launch a replacement with the role attached (stopping and starting it did not help). This has now changed!

This situation is something the loadbalancer.org support team encounters from time to time: users launch the 30-day free trial in AWS and, in the excitement to try this fantastic product (I am of course biased), sometimes forget to define the IAM role. While the Loadbalancer.org AWS offering can operate without an IAM role, doing so disables several very useful features, such as adding, removing, associating and disassociating EIPs from the WebUI and using the HA functionality, among others. The missing IAM role can be a real pain for trial users in particular: whether the trial is 2 or 29 days old, once the instance is terminated the trial is over, which is frustrating if the instance had already been fully configured.

So, on to the massive improvement which Amazon has recently delivered... drum roll please... it is now possible to retrospectively define an IAM role for a running instance without having to delete it and start again.

Looking at the AWS console, if you see the IAM entry shown below, there is no IAM role associated with the instance.
[Screenshot: AWS Web Console - No IAM Role associated with instance]

To rectify this, simply follow the instructions below and voila, problem solved!

To do this you will need the AWS CLI installed and configured, and to have created the IAM role in AWS which will be used for the Loadbalancer.org instance; please refer to the links included as references below. Two things about the role are worth checking first. Its trust policy must allow the EC2 service (ec2.amazonaws.com) to assume it, and it must have an instance profile: a role created for EC2 in the IAM console gets an instance profile of the same name automatically, whereas a role created with the CLI needs an instance profile created and the role added to it before it can be attached to an instance. The AWS credentials you use with the CLI also need ec2:AssociateIamInstanceProfile and iam:PassRole for that role. Keep the latter tightly scoped, because anyone who can pass a role to an instance they control effectively gains that role's permissions. Assuming you have done all of these things, here comes the magic!

Using the AWS CLI, armed with the instance ID of the Loadbalancer.org instance and the name of the instance profile (normally the same as the IAM role name) which you wish to associate with it, the association is made like so:

aws ec2 associate-iam-instance-profile --instance-id [AWS_INSTANCE_ID] --iam-instance-profile Name=[IAM_ROLE_NAME]

So for me, I ran:

aws ec2 associate-iam-instance-profile --instance-id i-085e86a2a08ac8f8d --iam-instance-profile Name=LB_IAM

The following output is returned, indicating that the request was accepted and the association is in progress:

{
    "IamInstanceProfileAssociation": {
        "AssociationId": "iip-assoc-0e99acfd9bfc588a6",
        "InstanceId": "i-085e86a2a08ac8f8d",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::440524744141:instance-profile/LB_IAM",
            "Id": "AIPAIIHQRNMSZSGXQP7GK"
        },
        "State": "associating"
    }
}

A quick check of the AWS console shows that the IAM role has now been successfully associated with the instance (the State returned by the CLI moves from "associating" to "associated" shortly after the command returns).
[Screenshot: AWS Web Console - IAM Role associated with instance]

Assuming this has all gone to plan, the final step is to reboot the AWS instance. AWS itself makes the role's temporary credentials available to the instance through the instance metadata service as soon as the association reaches the "associated" state, but the Loadbalancer.org appliance still needs a reboot before it starts using them. After doing this, you will be able to utilise all the features of the Loadbalancer.org instance.
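The steps above as a single script, added here as an example; it is not part of the original post and not code from the Loadbalancer.org appliance. It looks up the instance profile belonging to the role name (the two can differ when the role was created outside the console), issues the associate command, and then polls describe-iam-instance-profile-associations until AWS reports the state as "associated", rather than trusting the "associating" response alone. It assumes a configured AWS CLI and either bash or POSIX sh; the instance ID and role name are the placeholders from the post, and the embedded JSON is a constructed copy of the response shown above, used only to exercise the parsing helper offline.

```shell
#!/bin/sh
# Added example (not from the original post): attach an IAM role's instance
# profile to a running EC2 instance and wait until the association is active.
# Assumes a configured AWS CLI. i-085e86a2a08ac8f8d / LB_IAM are placeholders.
set -eu

# Pull the "State" value out of AWS CLI JSON output without needing jq.
# Possible states: associating, associated, disassociating, disassociated.
association_state() {
  printf '%s\n' "$1" | sed -n 's/.*"State": *"\([a-z]*\)".*/\1/p' | head -n 1
}

# The CLI takes the *instance profile* name, which only equals the role name
# when the role was created for EC2 in the console; resolve it from the role.
# Prints "None" (the CLI's text output for null) when the role has none.
profile_for_role() {
  aws iam list-instance-profiles-for-role --role-name "$1" \
    --query 'InstanceProfiles[0].InstanceProfileName' --output text
}

# State of the live (not yet disassociated) association on an instance.
current_association_state() {
  aws ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=$1" "Name=state,Values=associating,associated" \
    --query 'IamInstanceProfileAssociations[0].State' --output text
}

# Associate the role's instance profile and poll until AWS says "associated".
attach_role() {
  instance_id=$1
  role=$2
  profile=$(profile_for_role "$role")
  if [ -z "$profile" ] || [ "$profile" = "None" ]; then
    echo "role $role has no instance profile; create one and add the role to it" >&2
    return 1
  fi
  out=$(aws ec2 associate-iam-instance-profile \
    --instance-id "$instance_id" --iam-instance-profile "Name=$profile")
  echo "request accepted, state=$(association_state "$out")"
  i=0
  while [ "$i" -lt 30 ]; do
    state=$(current_association_state "$instance_id")
    if [ "$state" = "associated" ]; then
      echo "associated: $profile -> $instance_id (now reboot the appliance)"
      return 0
    fi
    i=$((i + 1))
    sleep 2
  done
  echo "association on $instance_id did not reach 'associated' in time" >&2
  return 1
}

# Constructed sample: the associate-iam-instance-profile response from the
# post, kept here so association_state() can be checked without AWS access.
SAMPLE_ASSOCIATE_OUTPUT='{
    "IamInstanceProfileAssociation": {
        "AssociationId": "iip-assoc-0e99acfd9bfc588a6",
        "InstanceId": "i-085e86a2a08ac8f8d",
        "State": "associating"
    }
}'

# Usage: sh attach-role.sh i-085e86a2a08ac8f8d LB_IAM
if [ "$#" -eq 2 ]; then
  attach_role "$1" "$2"
fi
```

The poll loop matters because the associate call returns while the state is still "associating"; the instance only receives credentials once it is "associated". On an instance where you do have a shell, the role can also be confirmed from inside by reading the instance metadata path /latest/meta-data/iam/security-credentials/ (with an IMDSv2 token where that is enforced), which lists the role name once the association is live. The Loadbalancer.org appliance does not need that step; it just needs the reboot described above.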

If you have any questions or issues, contact the Loadbalancer.org support team using support@loadbalancer.org and the team will be happy to assist.

To find out more about Loadbalancer.org's Enterprise AWS Appliance or to start your free trial, visit our product page.

References: