Assigning an EC2 Instance IAM Role

Main Points

  • Cloud9 uses managed temporary credentials that have certain limitations.

  • We need to perform actions that exceed these limitations.

  • We assign an IAM service role to the Cloud9 EC2 instance, and use those credentials instead.


If you’ve read through the IAM Survival Guide, then you know what credentials are. By default, Cloud9 uses its own managed credentials, which derive from the IAM user who is signed into AWS and using the Cloud9 service. These managed credentials allow you to interact with AWS services within the Cloud9 environment as if you were the IAM user, but they have certain limitations placed on them to prevent you from accidentally making destructive changes to your AWS resources from within Cloud9.

Because we actually do need to make destructive changes to our AWS environment by creating new AWS infrastructure for our Firebase migration, we need to use administrator-level access.

The best practice for accomplishing this is to assign an IAM service role to the underlying Cloud9 EC2 instance. As we saw in the AWS Account Administration section, this service role will have the AWS managed IAM policy for administrator access attached to it.

Create the Service Role

First, we need to switch off Cloud9’s managed credentials:

Next, let’s create a new role in the IAM Console. Under “Choose a use case” select “EC2” and click “Next: Permissions”:

Type in “admin” in the “Filter policies” text box and check the “AdministratorAccess” policy. Click “Next: Tags”:

We won’t be using tags, so skip ahead and click “Next: Review”:

Finally, name the new IAM role and click “Create role”:

You should see that the role was successfully created:

Assigning the Role

Head over to the EC2 Console. You should see the list of running instances, filtered so that only the Cloud9 EC2 instances are displayed:

Right-click in the blue area on the row for the EC2 instance running Cloud9. You can tell it’s the instance running Cloud9 based on its “Name” column, which should begin with “aws-cloud9…”. Go to the “Security” menu, and click on “Modify IAM role”:

Finally, click on the drop-down menu for “IAM role”, then find and select the role we just created. Then click “Apply”:

Nice work. You can navigate back to your Cloud9 environment now.
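
The same procedure as AWS CLI calls, with a check that the Cloud9 terminal is really using the instance role afterwards. This is an added example, not part of the original guide; the role name and instance ID are placeholders you supply. It assumes the create and assign functions are run from a machine whose AWS CLI already has IAM and EC2 permissions, and verify_role is run inside Cloud9.

```shell
# Added example: nothing runs until you call a function.
# Trust policy the console's "EC2" use case generates: lets EC2 assume the role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# create_admin_role ROLE
# The console creates a same-named instance profile for you; the CLI needs it spelled out.
create_admin_role() {
  aws iam create-role --role-name "$1" \
    --assume-role-policy-document "$(ec2_trust_policy)" &&
  aws iam attach-role-policy --role-name "$1" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess &&
  aws iam create-instance-profile --instance-profile-name "$1" &&
  aws iam add-role-to-instance-profile --instance-profile-name "$1" --role-name "$1"
}

# assign_role INSTANCE_ID ROLE  (the "Modify IAM role" step)
assign_role() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$2"
}

# is_instance_role_arn ARN ROLE
# True only for an assumed-role session of ROLE whose session name is an instance ID.
is_instance_role_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/"$2"/i-*) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_role ROLE  (run in the Cloud9 terminal after the role is applied)
verify_role() {
  is_instance_role_arn "$(aws sts get-caller-identity --query Arn --output text)" "$1"
}
```

If verify_role fails, the terminal is still resolving some other identity, for example because the managed credentials were not switched off or a different role is attached to the instance.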