It has always been one of my pet peeves that I had to attach an IAM role to an EC2 instance just in case I’d need it in the future. The reason was that you couldn’t attach one later.
Attaching a role allows API access to AWS from your instance without having to inject API keys. Injecting keys reduces both security and maintainability (you’d have to remember to swap out the keys on the instance whenever you rotate them).
AWS has now announced that you can attach an IAM role to an existing EC2 instance.
- Create an IAM role
- Attach the IAM role to an existing EC2 instance that was originally launched without an IAM role.
- Replace the attached IAM role.
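
The three steps above expressed with the AWS CLI, as an added example that is not taken from the original post or from the AWS announcement. It assumes a configured `aws` CLI, caller-supplied placeholder names, and an instance profile named after its role.

```bash
#!/usr/bin/env bash
# Added example. Assumes a configured aws CLI; all names are caller-supplied
# placeholders, and the instance profile is named after the role.

# Trust policy letting the EC2 service assume the role.
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Step 1: create the role and the instance profile that carries it.
create_role() {  # create_role ROLE_NAME
  aws iam create-role --role-name "$1" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null
  aws iam create-instance-profile --instance-profile-name "$1" >/dev/null
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$1" --role-name "$1"
}

# Step 2: attach to an instance that was launched without a role.
attach_role() {  # attach_role INSTANCE_ID PROFILE_NAME
  aws ec2 associate-iam-instance-profile \
    --instance-id "$1" --iam-instance-profile "Name=$2"
}

# Replacing needs the ID of the current association, not the instance ID.
association_id() {  # association_id INSTANCE_ID
  aws ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=$1" "Name=state,Values=associated" \
    --query 'IamInstanceProfileAssociations[0].AssociationId' --output text
}

# Step 3: swap the attached role in place.
replace_role() {  # replace_role INSTANCE_ID NEW_PROFILE_NAME
  assoc="$(association_id "$1")"
  if [ -z "$assoc" ] || [ "$assoc" = "None" ]; then
    echo "no role attached to $1; use attach_role instead" >&2
    return 1
  fi
  aws ec2 replace-iam-instance-profile-association \
    --association-id "$assoc" --iam-instance-profile "Name=$2"
}

# Run one step from the command line, e.g. ./role.sh attach_role i-... my-role
case "${1:-}" in
  create_role|attach_role|replace_role) "$@" ;;
esac
```

IAM changes are eventually consistent, so an `attach_role` issued immediately after `create_role` can fail and need a short retry.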