2

Do EC2 instances which use the same instance profile also use the same metadata credentials?

Put another way, are EC2 metadata credentials unique to the EC2 instance or to the EC2 instance profile?

For example, say I have an IAM role called my-role and an Elastic Beanstalk application called my-app which has an environment called my-app-1. The instance profile for my-app-1 is set to my-role.

If my-app-1 is currently running two EC2 instances, will they both have the same credentials?

GreenRaccoon23

1 Answer

4

No, EC2 instances with the same instance profile use different metadata credentials.

EC2 metadata credentials are generated for and unique to the EC2 instance, not to the instance profile or to the IAM role.

Note: I tested EC2 instances directly in order to confirm this.

GreenRaccoon23
  • 2
    Each EC2 instance gets unique credentials from the EC2 service, which generates them via AssumeRole. The metadata service on each EC2 instance vends its credentials to applications on the instance, and those credentials are automatically rotated before they expire. – jarmod Nov 03 '17 at 23:04
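
One way to repeat the check described in the answer, as an added example that is not part of the original post: run it on each instance behind the same instance profile and compare the printed fingerprints. The IMDSv2 token and credentials endpoints are the documented ones; the function names and the two sample documents are constructed for illustration.

```python
import hashlib
import json
import urllib.request

IMDS = "http://169.254.169.254/latest"

def fetch_role_credentials(timeout=2):
    """Run on an EC2 instance: read its role credentials document via IMDSv2."""
    req = urllib.request.Request(
        IMDS + "/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=timeout).read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    base = IMDS + "/meta-data/iam/security-credentials/"
    # The listing returns the role name attached through the instance profile.
    listing = urllib.request.urlopen(
        urllib.request.Request(base, headers=hdr), timeout=timeout).read()
    role = listing.decode().split()[0]
    doc = urllib.request.urlopen(
        urllib.request.Request(base + role, headers=hdr), timeout=timeout).read()
    return json.loads(doc)

def fingerprint(doc):
    """Summarise a credentials document without exposing the secret or token."""
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()[:12]
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_sha256": digest(doc["SecretAccessKey"]),
        "token_sha256": digest(doc["Token"]),
        "expiration": doc["Expiration"],
    }

def same_credentials(fp_a, fp_b):
    """True only if both instances were vended the identical credential set."""
    keys = ("access_key_id", "secret_sha256", "token_sha256")
    return all(fp_a[k] == fp_b[k] for k in keys)

# Constructed sample documents standing in for two instances of my-app-1.
SAMPLE_A = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEINSTANCEA",
            "SecretAccessKey": "constructed-secret-a", "Token": "constructed-token-a",
            "Expiration": "2017-11-04T05:04:00Z"}
SAMPLE_B = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEINSTANCEB",
            "SecretAccessKey": "constructed-secret-b", "Token": "constructed-token-b",
            "Expiration": "2017-11-04T05:31:00Z"}

if __name__ == "__main__":
    # On a real instance: print this instance's fingerprint for comparison.
    print(json.dumps(fingerprint(fetch_role_credentials()), indent=2))
```

Because the credentials rotate before they expire, take both fingerprints close together; a fingerprint from one instance also changes over time.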