Create EC2 IAM role + instance profile and attach AmazonSSMManagedInstanceCore
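#!/usr/bin/env bash
# Create EC2 IAM role + instance profile and attach AmazonSSMManagedInstanceCore
#
# Usage:
#   ./scripts/create-ec2-ssm-role.sh [ROLE_NAME]
# Example:
#   ./scripts/create-ec2-ssm-role.sh AWSEC2SessionManagerRole
#
# Idempotent: each step looks for the existing resource before creating it, so
# re-running the script against an already-provisioned account is safe.
# Requires an aws CLI with credentials allowed to call sts:GetCallerIdentity,
# iam:GetRole, iam:CreateRole, iam:AttachRolePolicy,
# iam:ListAttachedRolePolicies, iam:GetInstanceProfile,
# iam:CreateInstanceProfile and iam:AddRoleToInstanceProfile.
set -euo pipefail

ROLE_NAME="${1:-AWSEC2SessionManagerRole}"
INSTANCE_PROFILE_NAME="$ROLE_NAME"

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# IAM role names are limited to [A-Za-z0-9+=,.@_-] and 64 characters. Rejecting
# anything else up front also keeps the name safe to embed in the JMESPath
# --query expressions below (no quote characters can get through).
[[ "$ROLE_NAME" =~ ^[A-Za-z0-9+=,.@_-]{1,64}$ ]] \
  || die "invalid role name: '$ROLE_NAME' (allowed: [A-Za-z0-9+=,.@_-], max 64 chars)"

# Resolve caller identity once; it doubles as an early credentials check.
# ARN layout is arn:<partition>:sts::<account>:..., so the partition and the
# account id are fields 2 and 5. Using the real partition makes the managed
# policy ARN correct in the aws-us-gov and aws-cn partitions as well.
CALLER_ARN=$(aws sts get-caller-identity --query Arn --output text) \
  || die "unable to determine caller identity (are AWS credentials configured?)"
IFS=: read -r _ PARTITION _ _ ACCOUNT_ID _ <<<"$CALLER_ARN"
[[ -n "$PARTITION" && -n "$ACCOUNT_ID" ]] \
  || die "unexpected caller ARN format: $CALLER_ARN"

readonly MANAGED_POLICY_ARN="arn:${PARTITION}:iam::aws:policy/AmazonSSMManagedInstanceCore"
readonly MANAGED_POLICY_NAME="${MANAGED_POLICY_ARN##*/}"

# The trust policy lives in a temp file; the EXIT trap removes it on every
# exit path (including a step failing under set -e), not only after success.
TRUST_DOC=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$TRUST_DOC"; }
trap cleanup EXIT

cat > "$TRUST_DOC" <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
JSON

#######################################
# Succeeds iff MANAGED_POLICY_ARN is attached to ROLE_NAME.
# Globals:   ROLE_NAME, MANAGED_POLICY_ARN (read)
# Returns:   0 if attached, 1 otherwise (including when the lookup fails)
#######################################
policy_attached() {
  local count
  count=$(aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
    --query "AttachedPolicies[?PolicyArn=='$MANAGED_POLICY_ARN'] | length(@)" \
    --output text 2>/dev/null) || return 1
  [[ "$count" == 1 ]]
}

#######################################
# Succeeds iff ROLE_NAME is already a member of INSTANCE_PROFILE_NAME.
# Globals:   ROLE_NAME, INSTANCE_PROFILE_NAME (read)
# Returns:   0 if present, 1 otherwise (including when the lookup fails)
#######################################
role_in_profile() {
  local count
  count=$(aws iam get-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" \
    --query "InstanceProfile.Roles[?RoleName=='$ROLE_NAME'] | length(@)" \
    --output text 2>/dev/null) || return 1
  [[ "$count" == 1 ]]
}

echo "[1/6] Create role: $ROLE_NAME"
if aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
  echo " - role already exists, skip create"
else
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$TRUST_DOC" >/dev/null \
    || die "failed to create role $ROLE_NAME"
  echo " - role created"
fi

echo "[2/6] Attach managed policy: $MANAGED_POLICY_NAME"
# A failed attach is fatal rather than ignored: an instance that assumes a
# role without this policy silently fails to register with SSM, which is the
# whole point of the role.
if policy_attached; then
  echo " - policy already attached, skip attach"
else
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "$MANAGED_POLICY_ARN" >/dev/null \
    || die "failed to attach $MANAGED_POLICY_NAME to $ROLE_NAME"
  echo " - policy attached"
fi

echo "[3/6] Create instance profile: $INSTANCE_PROFILE_NAME"
if aws iam get-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" >/dev/null 2>&1; then
  echo " - instance profile already exists, skip create"
else
  aws iam create-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" >/dev/null \
    || die "failed to create instance profile $INSTANCE_PROFILE_NAME"
  echo " - instance profile created"
fi

echo "[4/6] Add role to instance profile"
if role_in_profile; then
  echo " - role already in instance profile"
else
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$INSTANCE_PROFILE_NAME" \
    --role-name "$ROLE_NAME" >/dev/null \
    || die "failed to add $ROLE_NAME to instance profile $INSTANCE_PROFILE_NAME"
  echo " - role added"
fi

echo "[5/6] Verify"
# List what is attached for the operator, then assert the expected policy is
# among it instead of leaving the reader to eyeball the output.
aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
  --query 'AttachedPolicies[].PolicyName' --output text
policy_attached || die "verification failed: $MANAGED_POLICY_NAME is not attached to $ROLE_NAME"
role_in_profile || die "verification failed: $ROLE_NAME is not in instance profile $INSTANCE_PROFILE_NAME"

echo "[6/6] Done ✅"
echo "Role ARN: arn:${PARTITION}:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
echo "Instance Profile: ${INSTANCE_PROFILE_NAME}"
# printf, not echo: bash's builtin echo prints "\n" literally by default.
printf '\nAttach to EC2 example:\n'
echo "aws ec2 associate-iam-instance-profile --instance-id <i-xxxx> --iam-instance-profile Name=${INSTANCE_PROFILE_NAME}"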