Navi

Reputation: 117

Is there a way to get the name of the IAM role attached to an EC2 instance with boto3?

I am trying to list all the EC2 instances with their attached IAM roles using boto3 in Python 3, but I can't find any method to get the IAM role attached to an existing EC2 instance. Is there any method in boto3 to do that?

When I describe an instance, it has a key named IamInstanceProfile. That contains the instance profile ID and the ARN of the IAM instance profile. I can't find the name of the IAM instance profile or any other info about the IAM roles attached to it. I tried to use the instance profile ID to describe the instance profile, but it seems that to describe an instance profile, we need the name of the instance profile (not the ID).

Can someone help with this? I might be missing something.

Thanks

Upvotes: 3

Views: 3597

Answers (3)

ksaraiya

Reputation: 157

You can get the metadata of an EC2 instance by making an HTTP call to http://169.254.169.254/latest/meta-data/ from the instance.

In your case, you may want to navigate to http://169.254.169.254/latest/meta-data/iam/security-credentials to get the IAM role attached to the instance.

EC2 Instance Metadata

Upvotes: 1

Navi

Reputation: 117

When we describe an EC2 instance, we get the IamInstanceProfile key, which has Arn and id.

The Arn has the IamInstanceProfile name attached to it.

'Arn': 'arn:aws:iam::1234567890:instance-profile/instanceprofileOrRolename'

This name can be used for further operations like getting the role description or listing the policies attached to the role.

Thanks

Upvotes: 4

alexis-donoghue

Reputation: 3397

You can call IAM list_instance_profiles(), and then filter the results by the ARN or ID from the EC2 describe_instances() result. This response will contain the Roles for the given instance profile.

Boto3 IAM documentation

Upvotes: 0
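An added example (not code from any of the answers above) that combines the ARN approach with an IAM lookup: it takes the instance profile name from the `IamInstanceProfile` ARN, then calls IAM `get_instance_profile` to read the role actually attached, since the profile name and the role name can differ. It goes slightly beyond the answers by handling ARNs that carry a path and instances with no profile; the function names are hypothetical, and the `__main__` part assumes boto3 plus credentials allowing `ec2:DescribeInstances` and `iam:GetInstanceProfile`.

```python
def profile_name_from_arn(arn):
    """Return the instance profile name embedded in its ARN.

    The resource part is 'instance-profile/<optional/path/>name', so the
    name is the last '/'-separated segment.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or not parts[5].startswith("instance-profile/"):
        raise ValueError(f"not an instance profile ARN: {arn}")
    return parts[5].rsplit("/", 1)[1]


def instance_roles(ec2, iam):
    """Map each instance ID to the role names in its instance profile.

    ec2 and iam are boto3 clients. Instances without a profile map to [].
    """
    result, cache = {}, {}
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                profile = inst.get("IamInstanceProfile")
                if profile is None:
                    result[inst["InstanceId"]] = []
                    continue
                name = profile_name_from_arn(profile["Arn"])
                if name not in cache:  # one IAM call per distinct profile
                    resp = iam.get_instance_profile(InstanceProfileName=name)
                    roles = resp["InstanceProfile"]["Roles"]
                    cache[name] = [role["RoleName"] for role in roles]
                result[inst["InstanceId"]] = cache[name]
    return result


if __name__ == "__main__":
    import boto3  # assumption: installed, with credentials and a default region

    found = instance_roles(boto3.client("ec2"), boto3.client("iam"))
    for instance_id, roles in sorted(found.items()):
        print(instance_id, ", ".join(roles) or "(no instance profile)")
```
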
