How to give ec2 instance access to s3 using boto3

Question

By googling, I found this tutorial on accessing S3 from EC2 instance without credential file. I followed its instructions and got the desired instance. The aws web console page looks like

However, I don't want to do it manually using the web console every time. How can I create such EC2 instances using boto3?

I tried

s = boto3.Session(profile_name='dev', region_name='us-east-1')
ec2 = s.resource('ec2')
rc = ec2.create_instances(ImageId='ami-0e297018', 
                          InstanceType='t2.nano',
                          MinCount=1, 
                          MaxCount=1, 
                          KeyName='my-key', 
                          IamInstanceProfile={'Name': 'harness-worker'},
                          )

where harness-worker is the IAM role with access to S3, but nothing else. It is also used in the first approach with the aws web console tutorial.

Then I got error saying

ClientError: An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation.

Did I do something obviously wrong?

The dev profile has AmazonEC2FullAccess. Without the line IamInstanceProfile={'Name': 'harness-worker'},, create_instances is able to create instance.

Answer 1

To assign an IAMProfile to an instance, AmazonEC2FullAccess is not sufficient. In addition, you need the following privilege to pass the role to the instance.

See: Granting an IAM User Permission to Pass an IAM Role to an Instance

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "*"
}

First you can give full IAM access to your dev profile and see it works. Then remove full IAM access and give only iam:PassRole and try again.