setting-up-ec2-instance-profiles
aws/agent-toolkit-for-aws
How to install setting-up-ec2-instance-profiles
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill setting-up-ec2-instance-profilesFull instructions (SKILL.md)
Source of truth, from aws/agent-toolkit-for-aws.
name: setting-up-ec2-instance-profiles description: Configures EC2 instances to securely call AWS services by creating and attaching IAM roles via instance profiles, eliminating hardcoded credentials. Use when an EC2 instance needs permissions to access AWS services like S3, DynamoDB, SQS, or CloudWatch through temporary credentials. version: 1
Setting Up EC2 Instance Profiles
Overview
Domain expertise for granting EC2 instances secure access to AWS services using IAM roles and instance profiles. Covers the full lifecycle: identifying required permissions, creating or reusing IAM roles with least-privilege policies, creating instance profiles, attaching them to EC2 instances, and verifying credential availability.
Configure an EC2 instance profile
To set up an IAM role and instance profile for an EC2 instance, follow the procedure exactly. See EC2 instance profile setup procedure.
Troubleshooting
Instance not found
Verify the instance ID and region are correct. List instances with aws ec2 describe-instances --region <region>.
Instance already has a profile
The procedure handles replacement — it will prompt before disassociating the existing profile.
Credentials not available after attachment
Instance profile propagation can take 30–60 seconds. Applications may need a restart to pick up new credentials.
Access denied errors
Check that the role's policies include the required actions and resource ARNs. Review CloudTrail logs for the specific denied action.
Application still uses hardcoded credentials
Remove credentials from config files, environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), and ~/.aws/credentials. The SDK default credential chain will then use the instance profile.
Related skills
More from aws/agent-toolkit-for-aws and the wider catalog.
aws-iam
"Verified corrections for IAM behaviors that AI agents frequently get\
aws-serverless
Builds, deploys, manages, debugs, configures, and optimizes serverless applications on AWS using Lambda, API Gateway, Step Functions, EventBridge, and SAM/CDK. Covers cold starts, CORS debugging, event source mappings, troubleshooting, concurrency, SnapStart, Powertools, function URLs, EventBridge Scheduler, Lambda layers, and production readiness. Triggers on mentions of Lambda, API Gateway, Step Functions, SAM templates, CDK serverless stacks, DynamoDB stream triggers, SQS event sources, cold starts, timeouts, 502/504 errors, throttling, concurrency, CORS, Powertools, or any event-driven architecture on AWS, even without the word "serverless." Does not apply to EC2, ECS/Fargate containers, or Amplify hosting.
aws-cdk
Authors, deploys, and troubleshoots AWS infrastructure using CDK with TypeScript or Python. Covers best practices, stack architecture, and construct patterns. Always use when writing CDK constructs, bootstrapping environments, running cdk deploy/synth/diff, fixing CDK or CloudFormation errors, planning stack structure, importing existing resources, resolving drift, or refactoring stacks without resource replacement.
aws-observability
Builds, configures, debugs, and optimizes AWS observability using CloudWatch (Logs Insights, Metrics, Alarms, Dashboards, EMF), X-Ray, CloudTrail, and ADOT. Covers Log Insights query syntax (fields, filter, stats, parse, pattern, join, subqueries), alarm configuration (metric, composite, anomaly detection, missing data treatment), dashboard design, custom metrics (PutMetricData, EMF, metric filters), X-Ray tracing (ADOT, sampling rules, annotations vs metadata), ADOT collector config, and CloudTrail auditing. Use when the user mentions CloudWatch, Log Insights, alarms, INSUFFICIENT_DATA, dashboards, custom metrics, EMF, X-Ray, traces, sampling, CloudTrail, who deleted, ADOT, OpenTelemetry, observability, monitoring, synthetics, canaries, or troubleshooting alarm behavior. Do NOT use for application logging setup, container log drivers, or security threat detection.
amazon-bedrock
Builds generative AI applications on Amazon Bedrock. Covers model invocation (Converse API, InvokeModel), RAG with Knowledge Bases, Bedrock Agents, Guardrails, and AgentCore. Use when invoking models, setting up Knowledge Bases, creating agents, applying guardrails, deploying to AgentCore, troubleshooting Bedrock errors (ThrottlingException, AccessDeniedException), or choosing models (Claude, Llama, Nova, Titan). ALSO USE for prompt caching setup and debugging, quota health checks and throttling diagnosis, cost attribution and tracking, migrating between Claude model generations (4.5 to 4.6 to 4.7), chunking strategies, API selection (Converse vs InvokeModel), guardrail capabilities, and model selection. Also covers AgentCore Payments setup (x402, microtransactions, Payment Manager, Connector, Instrument, Coinbase CDP, Stripe Privy, 402 Payment Required, pay for content, paid endpoint, agent payments). NOT for custom model training, Rekognition, or Comprehend.
aws-billing-and-cost-management
|