I created an EC2 instance profile through a CloudFormation stack. The stack template contains the instance profile, the role for the instance profile, policies for the role, and permissions to use the instance profile. The role has the trust policy to allow EC2 instances to assume the role. Both the instance profile and the role use paths.
The console shows "No roles attached to instance profile" for the IAM role when launching an EC2 instance that uses the instance profile. However, the correct ARN is shown when viewing the role in the console. The role is also present when getting the instance profile using PowerShell.
I tried to remove the path from the instance profile only, not the role. I did this by removing the instance profile from the CloudFormation template and updating the stack. Then I put the instance profile back into the template, without the path, and updated the stack again. The console shows the role with the new ARN for the instance profile. Now I can launch an EC2 instance with the instance profile and the console shows the correct role for the EC2 instance. Undoing all of this to get back to the path for the instance profile again results in EC2 instances without a role.
All the permissions needed for launching the EC2 instance are in the stack, which works. It is only when the instance profile has a path that I cannot launch a correct EC2 instance. What am I missing here? What else can I try to get the instance profile working with the path?
I've had a similar problem and reported it to AWS. For me, it is just an issue with the console view and the role and permissions will work as expected.
You mention that you're unable to launch an instance; this is possibly unrelated to the console issue, but first confirm the role is attached correctly with the CLI: aws ec2 describe-instances. Look for the IamInstanceProfile property and confirm it lists the expected Arn.
If that's correct, then the console view can be ignored and your issue is permissions/other. I'd suggest checking CloudTrail for the RunInstances event; it should have an error that is useful.
If you don't see the Arn listed against the IamInstanceProfile, your issue is different from mine, but I'd recommend confirming the instance profile is attached to the correct role. You can check this via the console by going to the role in IAM and checking it lists the correct instance profile Arn. Or better, use the CLI: aws iam get-instance-profile --instance-profile-name [EnterInstanceProfileName]. Replace EnterInstanceProfileName with the last part (after the last slash) of the instance profile Arn. Ensure the Roles section has only one role listed and the Arn is the expected role.
Hope this is helpful.
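The two checks the answer describes (the instance's IamInstanceProfile Arn from describe-instances, and the Roles section of get-instance-profile for a path-qualified profile) can be applied mechanically to the JSON the CLI prints. The script below is an added example, not code from the original post or from AWS; it does not call the aws CLI itself but parses constructed sample output shaped like those two commands, with placeholder account id, instance ids and names. The profile and role ARNs in the sample carry a path (/app/web/), so it also shows how the --instance-profile-name value is the part after the last slash.

```python
import json

# Constructed sample output shaped like `aws ec2 describe-instances`.
# Account id, instance ids and profile ids are placeholders, not real resources.
# The second instance deliberately has no IamInstanceProfile field, which is
# how the CLI reports an instance with no profile attached.
DESCRIBE_INSTANCES_JSON = r'''
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaa111122223333a",
       "IamInstanceProfile": {
         "Arn": "arn:aws:iam::123456789012:instance-profile/app/web/WebServerProfile",
         "Id": "AIPAEXAMPLEID000001"}},
      {"InstanceId": "i-0bbb444455556666b"}
    ]}
  ]
}
'''

# Constructed sample output shaped like `aws iam get-instance-profile`.
# Both the profile and its role use the path /app/web/, as in the question.
GET_INSTANCE_PROFILE_JSON = r'''
{
  "InstanceProfile": {
    "Path": "/app/web/",
    "InstanceProfileName": "WebServerProfile",
    "InstanceProfileId": "AIPAEXAMPLEID000001",
    "Arn": "arn:aws:iam::123456789012:instance-profile/app/web/WebServerProfile",
    "Roles": [
      {"Path": "/app/web/",
       "RoleName": "WebServerRole",
       "RoleId": "AROAEXAMPLEID000001",
       "Arn": "arn:aws:iam::123456789012:role/app/web/WebServerRole"}
    ]
  }
}
'''

# The role the stack is expected to have attached (placeholder value).
EXPECTED_ROLE_ARN = "arn:aws:iam::123456789012:role/app/web/WebServerRole"


def profile_name_from_arn(arn: str) -> str:
    """Value for --instance-profile-name: the part after the last slash.
    For a path-qualified ARN this drops every path segment."""
    return arn.rsplit("/", 1)[-1]


def attached_profile_arns(describe_instances_output: dict) -> dict:
    """Map each InstanceId to its IamInstanceProfile Arn, or None when the
    instance has no profile attached (the field is then absent)."""
    result = {}
    for reservation in describe_instances_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            profile = inst.get("IamInstanceProfile") or {}
            result[inst["InstanceId"]] = profile.get("Arn")
    return result


def check_instance_profile(get_profile_output: dict, expected_role_arn: str) -> list:
    """Apply the answer's checks to get-instance-profile output: exactly one
    role in Roles, and its Arn is the expected one. Returns a list of problem
    strings; an empty list means the profile looks right."""
    profile = get_profile_output["InstanceProfile"]
    roles = profile.get("Roles", [])
    problems = []
    if not roles:
        problems.append("no role attached to instance profile %s" % profile["Arn"])
    elif len(roles) > 1:
        problems.append("expected exactly one role, found %d" % len(roles))
    role_arns = [r.get("Arn") for r in roles]
    if roles and expected_role_arn not in role_arns:
        problems.append("expected role %s not attached; found %s"
                        % (expected_role_arn, role_arns))
    return problems


def verify(instance_id: str, describe_json: str, profile_json: str,
           expected_role_arn: str) -> list:
    """Run both checks for one instance and return all problems found."""
    attached = attached_profile_arns(json.loads(describe_json))
    profile_arn = attached.get(instance_id)
    if profile_arn is None:
        return ["instance %s has no IamInstanceProfile" % instance_id]
    profile = json.loads(profile_json)["InstanceProfile"]
    problems = []
    # The get-instance-profile output must describe the same profile the
    # instance reports, and its name must be the post-slash part of the ARN.
    if profile["Arn"] != profile_arn:
        problems.append("profile ARN mismatch: instance has %s, lookup returned %s"
                        % (profile_arn, profile["Arn"]))
    if profile["InstanceProfileName"] != profile_name_from_arn(profile_arn):
        problems.append("InstanceProfileName %s does not match ARN %s"
                        % (profile["InstanceProfileName"], profile_arn))
    problems.extend(check_instance_profile({"InstanceProfile": profile}, expected_role_arn))
    return problems


if __name__ == "__main__":
    for instance_id in ("i-0aaa111122223333a", "i-0bbb444455556666b"):
        issues = verify(instance_id, DESCRIBE_INSTANCES_JSON,
                        GET_INSTANCE_PROFILE_JSON, EXPECTED_ROLE_ARN)
        print(instance_id, "OK" if not issues else issues)
```

To use it against a real account, replace the two JSON strings with the output of aws ec2 describe-instances and aws iam get-instance-profile --instance-profile-name <name> (the name being what profile_name_from_arn returns), and set EXPECTED_ROLE_ARN to the role ARN from your stack. An empty problem list for the instance means the role attachment is correct regardless of what the console shows, and the remaining place to look is the RunInstances event in CloudTrail.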