
I can use instance profiles so that, for example, the aws-api library won't need to be passed credentials because it uses this chain to check for credentials. Does anyone know if there's a way to use the aws CLI tools like this, avoiding explicitly passing credentials to the instance?


I thought that the aws cli would automatically pick up the EC2 metadata server, if present, but it seems there's a credential_source = Ec2InstanceMetadata option:

[profile profilename]
role_arn = arn:aws:iam::123456789012:role/rolename
credential_source = Ec2InstanceMetadata
region = region


Thanks! Somehow couldn't find that


That's required only if you're using assume-role via the CLI - an EC2 instance can also assume a role automatically and expose credentials via the metadata endpoint without a ~/.aws/config file

👍 3

The right practice would be to use the instance profile and add the policies that allow access to the resources your CLI command needs. There should not be a need to use the --profile option, if done right.

👍 3