Question

In order to run AWS monitoring scripts (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts-perl.html) on one of my existing ec2 instances, I need an IAM role associated with the instance.

I found a lot of documentation to launch an instance with a role... But nothing to link a role to an existing instance.

Is it possible?

If not, what can I do? Launch a new instance with a role and transfer the volumes to it?


Solution 2

There is a new method available, associate-iam-instance-profile, to associate an IAM instance profile with a running or stopped instance.

Example:

aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile

Doco

OTHER TIPS

If not, what can I do? Launch a new instance with a role and transfer the volumes to it?

This is one option but it might take you a long time if you have a lot of instances.

The other option is to simply use IAM by creating a new user and then adding the Amazon CloudWatch PutMetricData operation permission to that user. Then, create AWS credentials for that user and finally use them as per the docs that you specified:

Optional: If you aren't using an IAM role, update the awscreds.template file that you downloaded earlier. The content of this file should use the following format:

AWSAccessKeyId=YourAccessKeyID

AWSSecretKey=YourSecretAccessKey

Also set the environment variable AWS_CREDENTIAL_FILE to point to that awscreds.template in the environment of the user that is running the mon-scripts-perl.

AWS doesn't allow you to modify the instance role after launching the instance.

You can either:

1) Launch a new instance with the role needed by taking the AMI of the already running instance and reassigning the EIP.

or

2) Create a headless user, generate an access key and secret key for the user with specific permission, and use those keys.

Earlier there was no solution. You had to create an AMI and launch the server again with the appropriate role.

On Feb 9, AWS launched these new CLI options which can help you solve your problem. See this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/
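The following script is an added example, not code from any of the answers above. It strings together the role, instance profile and associate-iam-instance-profile steps from Solution 2, and scopes the role to the single cloudwatch:PutMetricData action that the other answer mentions, so the instance gets no more than the monitoring scripts need. It assumes the AWS CLI is installed and configured with IAM and EC2 permissions; the role name, profile name, instance id and the System/Linux namespace condition are constructed placeholders. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes an installed,
# configured AWS CLI. Role/profile names and the instance id are placeholders.

# Trust policy: only the EC2 service may assume this role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy limited to PutMetricData. The action has no resource-level
# scoping, so Resource must be "*"; the namespace condition narrows it to the
# metrics the monitoring scripts publish (assumed here to be System/Linux).
putmetric_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "cloudwatch:PutMetricData",
    "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": "System/Linux"}}
  }]
}
EOF
}

# Print the command (DRY_RUN=1, default) or execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the role and instance profile, attach the profile to a running
# instance, then list the association so the result can be verified.
attach_role_to_instance() {
  role="$1"; profile="$2"; instance="$3"
  run aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(ec2_trust_policy)"
  run aws iam put-role-policy --role-name "$role" \
      --policy-name PutMetricDataOnly \
      --policy-document "$(putmetric_policy)"
  run aws iam create-instance-profile --instance-profile-name "$profile"
  run aws iam add-role-to-instance-profile --instance-profile-name "$profile" \
      --role-name "$role"
  run aws ec2 associate-iam-instance-profile --instance-id "$instance" \
      --iam-instance-profile "Name=$profile"
  run aws ec2 describe-iam-instance-profile-associations \
      --filters "Name=instance-id,Values=$instance"
}

# Example invocation with placeholder values; set RUN_ATTACH=1 to run it.
if [ "${RUN_ATTACH:-0}" = "1" ]; then
  attach_role_to_instance mon-scripts-role mon-scripts-profile i-0123456789abcdef0
fi
```

Two practical points: a freshly created instance profile can take a few seconds to become visible to EC2, so the associate call may need a retry; and if the instance already has a profile attached, associate-iam-instance-profile fails and replace-iam-instance-profile-association with the existing association id is the call to use instead.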

Licensed under: CC-BY-SA with attribution