cloudsoft.io

Using Instance Profiles

Introduction to Instance Profiles

An “Instance Profile” is a mechanism in AWS to allow VMs to have access to the AWS API and AWS services. It avoids the need to supply (and manage) AWS access keys, instead associating an “IAM Role” with the instance.

The Visual Composer uses an instance profile to provide context assistance, inference and validation when creating CloudFormation blueprints. The instance profile also gives permissions for the “Install to AWS Service Catalog” action. This instance profile needs to be created ahead of time and specified as an “IAM role” when creating the VM.

Creating the Instance Profile

To review and create the Instance Profile, go to “IAM” in the AWS Console, then go to “Roles”. Roles created in the UI automatically have a corresponding instance profile created.

The following permissions should be given to this role:

  • ec2:DescribeVpcs
  • ec2:DescribeSubnets
  • ec2:DescribeInternetGateways
  • ec2:DescribeEgressOnlyInternetGateways
  • ec2:DescribeVpcEndpoints
  • ec2:DescribeNatGateways
  • ec2:DescribeCustomerGateways
  • ec2:DescribeVpnGateways
  • ec2:DescribeVpnConnections
  • ec2:DescribeRouteTables
  • ec2:DescribeAddresses
  • ec2:DescribeSecurityGroups
  • ec2:DescribeNetworkAcls
  • ec2:DescribeImages

The “Install to AWS Service Catalog” requires the following additional permissions:

  • To upload the CFN Template, S3 access to resources arn:aws:s3:::visualblueprintcomposer* and arn:aws:s3:::visualblueprintcomposer*/* for the actions:
    • s3:CreateBucket
    • s3:ListBucket
    • s3:PutObject
    • s3:GetObject
  • To create the Service Catalog product and add it to a portfolio, the actions:
    • cloudformation:ValidateTemplate
    • servicecatalog:CreateProduct
    • servicecatalog:AssociateProductWithPortfolio

Alternatively a CloudFormation template can be used to create this role.

Launching with the Instance Profile

When launching the Visual Composer from the AWS Marketplace, we recommend that you use select “Launch through EC2” on the Choose Action dropdown. This allows the Instance Profile to be set at launch time.

Adding the Instance Profile to an Existing VM

As described in the AWS Documentation, you can attach an IAM role to an existing instance.

For example, from the AWS EC2 Console, select your VM and then through the “Actions” drop-down choose Instance Settings -> Attach/Replace IAM Role, as shown in the screenshot below:

EC2 Console - Attach IAM Role