IAM role creation is required only if you are planning to use the simple one-click configuration interface. The One-Click-Config interface uses the IAM role associated with the EC2 instance to create an IAM user with programmatic access for configuration and future use. The Configuration interface running from your EC2 instance automatically provisions the S3 buckets, Elemental MediaConvert presets, Elastic Transcoder pipeline, CloudWatch rules, IAM roles, SNS topics, Rekognition and Transcribe.
To create an IAM role using the IAM console
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles, then Create role.
- On the Select role type page, choose EC2 and the EC2 use case. Choose Next: Permissions.
- On the Attach permissions policy page, select IAMFullAccess. Choose Next: Tags.
- (Optional) Add tags, then choose Next: Review.
- On the Review page, type a name for the role and choose Create role.
Alternatively, you can use the AWS CLI to create an IAM role.
To create an IAM role and instance profile (AWS CLI)
Create an IAM role with a policy that allows the role to use an Amazon S3 bucket.
Create the following trust policy and save it in a text file named ec2-role-trust-policy.json.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Create the IAMUserAccess role and specify the trust policy that you created.
aws iam create-role --role-name IAMUserAccess --assume-role-policy-document file://ec2-role-trust-policy.json
Create an access policy and save it in a text file named ec2-role-access-policy.json.
This policy grants administrative permissions for IAM to applications running on the instance. The eMAM Configuration application running from EC2 uses this role to create an IAM user with programmatic access and to obtain that user's AccessKey and SecretKey for certain S3 operations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:*"],
      "Resource": ["*"]
    }
  ]
}
Attach the access policy to the role.
aws iam put-role-policy --role-name IAMUserAccess --policy-name IAM-Permissions --policy-document file://ec2-role-access-policy.json
Create an instance profile named IAMUserAccess-profile.
aws iam create-instance-profile --instance-profile-name IAMUserAccess-profile
Add the IAMUserAccess role to the IAMUserAccess-profile instance profile.
aws iam add-role-to-instance-profile --instance-profile-name IAMUserAccess-profile --role-name IAMUserAccess
Choose this IAM role in the configure instance details page.
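The CLI procedure above, as an added example that is not eMAM's or AWS's own code: the script writes the two policy documents from this page under the file names the procedure uses, lists the four AWS CLI commands in the order they must run, and, before anything is attached, flags statements in the access policy that grant a wildcard action or apply to every resource, so the operator sees explicitly that the role being handed to the instance carries full IAM permissions (`iam:*` on `*`). The helper names (`wildcard_statements`, `write_policy_files`, `cli_commands`) are this example's own assumptions; the role, policy and instance-profile names come from the page.

```python
import json
import tempfile
from pathlib import Path

# Names taken from the procedure on this page.
ROLE_NAME = "IAMUserAccess"
POLICY_NAME = "IAM-Permissions"
INSTANCE_PROFILE_NAME = "IAMUserAccess-profile"

# Trust policy: lets the EC2 service assume the role (same document as above).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Access policy: full IAM permissions on every resource, as the page attaches.
ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": ["*"]}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def wildcard_statements(policy):
    """Return the Allow statements that grant a wildcard action (e.g. "iam:*")
    or apply to every resource ("*"). Pre-flight least-privilege check; the
    function name is this example's own, not an AWS API."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a.endswith("*") for a in actions) or "*" in resources:
            flagged.append(stmt)
    return flagged


def write_policy_files(directory):
    """Write both JSON documents using the file names the procedure expects."""
    directory = Path(directory)
    trust_path = directory / "ec2-role-trust-policy.json"
    access_path = directory / "ec2-role-access-policy.json"
    trust_path.write_text(json.dumps(TRUST_POLICY, indent=2))
    access_path.write_text(json.dumps(ACCESS_POLICY, indent=2))
    return trust_path, access_path


def cli_commands(trust_path, access_path):
    """The four AWS CLI calls from the procedure, in the order they must run."""
    return [
        f"aws iam create-role --role-name {ROLE_NAME} "
        f"--assume-role-policy-document file://{trust_path}",
        f"aws iam put-role-policy --role-name {ROLE_NAME} "
        f"--policy-name {POLICY_NAME} --policy-document file://{access_path}",
        f"aws iam create-instance-profile --instance-profile-name {INSTANCE_PROFILE_NAME}",
        f"aws iam add-role-to-instance-profile "
        f"--instance-profile-name {INSTANCE_PROFILE_NAME} --role-name {ROLE_NAME}",
    ]


def main():
    # Files are written to a temporary directory so the script runs offline;
    # the commands are printed, not executed, and need real AWS credentials.
    with tempfile.TemporaryDirectory() as tmp:
        trust_path, access_path = write_policy_files(tmp)
        for stmt in wildcard_statements(ACCESS_POLICY):
            print("WARNING: broad grant in access policy:", json.dumps(stmt))
        print("Run in this order:")
        for cmd in cli_commands(trust_path.name, access_path.name):
            print(" ", cmd)


if __name__ == "__main__":
    main()
```

Running the script prints one warning for the `iam:*` statement followed by the four commands. The order matters: the role must exist before `put-role-policy` can attach the inline policy, and the instance profile must exist before the role can be added to it.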
Note
The IAM role list displays the name of the instance profile that you created when you created your IAM role (IAMUserAccess-profile). If you created your IAM role using the console, the instance profile was created for you and given the same name as the role. If you created your IAM role using the AWS CLI, API, or an AWS SDK, you may have named your instance profile differently.