anondev

Reputation: 192

EC2 Instance error telling me multiple IAM Roles are attached when I try to change it...?

This is a strange one... If I click on the instance id, and then navigate to security, it tells me the instance has role X. Then I back out to view all instances, mark the checkbox for the instance in question, go to Actions -> Security -> Modify IAM Role, and it shows me a different role, role Y. I then try to set it to No IAM Role (or any various role), and I get this error:

"Multiple roles associated to instance

The selected instance has more than one IAM role associated. This usually occurs when the instance is in the process of replacing an existing instance profile association."

I have no idea what to do because I didn't think an EC2 instance was supposed to be able to have two roles... nothing can assume two roles at once, anyway. So this feels like a bug... can anyone help me solve this?


Upvotes: 8

Views: 7701

Answers (3)

Wolfgang Kuehn

Reputation: 12926

We had the issue "Multiple roles associated to instance" after bringing an existing EC2 into CloudFormation. Nelson Brito's answer helped to resolve the issue.

To avoid the issue altogether when bringing an existing EC2 into CloudFormation, I now recommend:

  1. first disassociate the IAM role (for example via the AWS Console)
  2. import the EC2 only, i.e. without InstanceProfile and Role in the import template
  3. add InstanceProfile and Role to the template and update the stack.

Upvotes: 0

bjcube

Reputation: 176

I wanted to expound on Nelson Brito's answer since I found a way to return your instance to a normal state. I ran into this situation yesterday when helping a user, and I observed my instance with two profile associations -- one in a state of associating and one in a state of disassociating. The command to find this was:

aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-xxxxxx

To fix the issue, I first removed the associating profile using the command:

aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx

Next, I went to the console and detached the instance from all profiles (there is probably a CLI invocation, but I didn't figure it out). When done, you should have a clean instance:

aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-xxxxxx
{
    "IamInstanceProfileAssociations": []
}

Here's where we get to the root cause. When I re-assigned the role that was previously stuck in associating, well, it remained stuck in associating. The root cause of my problem was that the user had created the role without setting a trust relationship with EC2. The fix was two parts:

  1. Update the instance trust relationship to add "Service": "ec2.amazonaws.com" as an allowed principal
  2. Use the CLI to disassociate the role and add it again

tl;dr - If you ever run into this, ensure that the role you're trying to assign to your EC2 instance can be assumed by your EC2 instance.

Upvotes: 11

user1847067

Reputation:

I had the same issue and it seems that when replacing the instance profile it somehow stays in a state that's not completely associated. Using the CLI we can see the status of the profile association:

aws ec2 describe-iam-instance-profile-associations

In my case the problematic profile was showing as "associating", while all the others show "associated". Get the AssociationID for the problematic association and disassociate it with the command

aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx

After that you should see the previous profile you had originally and everything should be consistent. Hope it helps solve the problem.

Upvotes: 13
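The two checks described in the answers above (associations that are not in the "associated" state, and a role trust policy that does not allow ec2.amazonaws.com), as an added example that is not part of any answer. The sample data, instance IDs, association IDs, account number and role names are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample in the shape returned by
# `aws ec2 describe-iam-instance-profile-associations` (placeholder IDs).
ASSOCIATIONS = {"IamInstanceProfileAssociations": [
    {"AssociationId": "iip-assoc-aaaa", "InstanceId": "i-0001", "State": "associating",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/role-y"}},
    {"AssociationId": "iip-assoc-bbbb", "InstanceId": "i-0001", "State": "disassociating",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/role-x"}},
    {"AssociationId": "iip-assoc-cccc", "InstanceId": "i-0002", "State": "associated",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/role-z"}},
]}

# Constructed trust policy that lacks the EC2 service principal.
BAD_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}}


def as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def stuck_associations(describe_output):
    """Return {instance id: [(association id, state), ...]} for instances that
    have more than one association or any association not yet 'associated'."""
    by_instance = {}
    for a in describe_output.get("IamInstanceProfileAssociations", []):
        by_instance.setdefault(a["InstanceId"], []).append(a)
    return {iid: [(a["AssociationId"], a["State"]) for a in assocs]
            for iid, assocs in by_instance.items()
            if len(assocs) > 1 or any(a["State"] != "associated" for a in assocs)}


def ec2_can_assume(trust_policy):
    """True if an Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "ec2.amazonaws.com" in services
                and "sts:AssumeRole" in as_list(stmt.get("Action"))):
            return True
    return False


if __name__ == "__main__":
    print(stuck_associations(ASSOCIATIONS))   # i-0001 with both associations
    print(ec2_can_assume(BAD_TRUST))          # False
```

Real input for the second function can be taken from `aws iam get-role`, whose output carries the trust policy under `Role.AssumeRolePolicyDocument`. The check does not evaluate `Condition` blocks or Deny statements.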
