Instance Profiles for EC2 Workloads
Give compute its own identity instead of embedded credentials.
Giving Compute an Identity
Applications on EC2 often need to call AWS APIs, but embedding access keys is dangerous. The solution is to give the instance its own identity through an instance profile, which delivers temporary role credentials automatically. This is one of the most-tested patterns for eliminating long-term secrets from workloads.
What an Instance Profile Is
An instance profile is a container for an IAM role that you attach to an EC2 instance. Although you assign a role conceptually, EC2 actually attaches the instance profile that wraps that role. When you create a role for EC2 in the console, an instance profile of the same name is created automatically; with the CLI or API you may need to create it explicitly.
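The explicit CLI path mentioned above, as an added example that is not part of the original lesson: it creates a role that only EC2 can assume, creates the instance profile, places the role inside it, and attaches the profile to an instance. The role name, profile name and instance ID are constructed placeholders, and no permissions policy is attached to the role here.

```shell
#!/bin/sh
# Added example: build an EC2 role and the instance profile that wraps it.
# ROLE_NAME and PROFILE_NAME are constructed placeholder names.
ROLE_NAME="${ROLE_NAME:-example-app-role}"
PROFILE_NAME="${PROFILE_NAME:-example-app-profile}"

# Trust policy: only the EC2 service is allowed to assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

create_instance_identity() {
  instance_id="$1"
  # 1. The role. It has no permissions until a policy is attached separately.
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" || return 1
  # 2. The container. The console creates this for you; the CLI does not.
  aws iam create-instance-profile \
    --instance-profile-name "$PROFILE_NAME" || return 1
  # 3. Put the role inside the profile.
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME" || return 1
  # 4. IAM is eventually consistent: wait until the profile is visible.
  aws iam wait instance-profile-exists \
    --instance-profile-name "$PROFILE_NAME" || return 1
  # 5. EC2 attaches the profile, not the role.
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile "Name=$PROFILE_NAME" || return 1
}

# Run only when exactly one argument (an instance ID) is given.
if [ "$#" -eq 1 ]; then
  create_instance_identity "$1"
fi
```

Once the profile is attached, running `aws sts get-caller-identity` on the instance reports an assumed-role ARN for the role rather than an IAM user.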