Question

I'm very new to Amazon cloudformation technique. I'm trying to launch an ec2 instance along with the IAM roles.

I have cloudformation script for this. But the problem I face is the IAM roles and Ec2 instances are created, but they aren't tied with each other.

I did create the IAM-roles using AWS::IAM::Role and AWS::IAM::InstanceProfile.

Is there any other command that I should use?

Thanks in advance.


Solution 2

The easiest way to solve such problems is to use CloudFormer. CloudFormer is a tool that creates a starting point template from the AWS resources you already have running in your environment.

The CloudFormer tool is packaged as a standalone application that you can launch inside your AWS environment. The application is started on a t1.micro Amazon EC2 instance via AWS CloudFormation.

Once you have launched CloudFormer, you will get a web interface (check the URL in the Output section of the launched stack) that will be able to describe all your resources in a specific region. It will lead you through which resources you wish in each category (DNS, Network, Compute...). At the end you can see the template and copy it, or save it in S3.

But if you wish to do it manually, you need to add the AWS::IAM::InstanceProfile you created to the Properties of AWS::EC2::Instance as IamInstanceProfile

{
   "Type" : "AWS::EC2::Instance",
   "Properties" : {
      "AvailabilityZone" : String,
      "BlockDeviceMappings" : [ EC2 Block Device Mapping, ... ],
      "DisableApiTermination" : Boolean,
      "EbsOptimized" : Boolean,
      "IamInstanceProfile" : String,
      "ImageId" : String,
      "InstanceType" : String,
...
      "UserData" : String,
      "Volumes" : [ EC2 MountPoint, ... ]
   }
}

See more details on AWS::EC2::Instance here

Other tips

Had to dig to get the final result, but here's an example of

  1. Defining an access role (this will allow the EC2 instance to step into / assume the role),
  2. Defining a policy for the role (i.e. when the EC2 assumes the role, what resources does it have access to),
  3. Defining the instance profile (that is referenced by the EC2 instance, and has the access role mapped in)

    "S3AccessRole" : {
        "Type"  : "AWS::IAM::Role",
        "Properties" : {
            "AssumeRolePolicyDocument" : {
                "Statement" : [ {
                    "Effect" : "Allow",
                    "Principal" : {
                        "Service" : [ "ec2.amazonaws.com" ]
                    },
                    "Action" : [ "sts:AssumeRole" ]
                } ]
            },
            "Path" : "/"
        }
    },
    
    "S3RolePolicies" : {
        "Type" : "AWS::IAM::Policy",
        "Properties" : {
            "PolicyName" : "s3access",
            "PolicyDocument" : {
                "Statement" : [ {
                    "Effect" : "Allow",
                    "Action" : "s3:*",
                    "Resource" : "*"
                }]
            },
            "Roles" : [ { "Ref" : "S3AccessRole" } ]
        }
    },
    
    "S3InstanceProfile" : {
        "Type" : "AWS::IAM::InstanceProfile",
        "Properties" : {
            "Path" : "/",
            "Roles" : [ { "Ref" : "S3AccessRole" } ]
        }
    }
    

The policy above allows all access to S3 resources. Adjust according to your needs. The IamInstanceProfile reference in the EC2 instance properties would be { "Ref" : "S3InstanceProfile" }

Note that as of May 2015, when you are creating a stack that creates IAM roles, you need to check a box acknowledging such creation, otherwise you'll get a "Stack creation error: Requires capabilities : [CAPABILITY_IAM]" error.

Suppose the AWS::IAM::InstanceProfile resource you create is called MyNewRole. To create an instance with that role (in the same CloudFormation template) set the EC2 resource's IamInstanceProfile property to a Ref to that resource. Here's an example (with lots of other details left out):

"Resources": {
    "MyNewRole": {
        "Type": "AWS::IAM::InstanceProfile",
        ... more stuff here
    },
    "MyNewEc2Instance": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "IamInstanceProfile": { "Ref": "MyNewRole" },
            ... more stuff here
        }
    }
}
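The answers above describe the chain that has to hold for an instance to actually receive a role: EC2 instance Ref → AWS::IAM::InstanceProfile → Roles Ref → AWS::IAM::Role whose trust policy lets ec2.amazonaws.com call sts:AssumeRole. The following is an added example (not code from the question or the answers) that checks a parsed template for each link in that chain; the sample template, ImageId `ami-EXAMPLE` and InstanceType `t2.micro` are constructed here, and the check assumes the profile and roles are defined in the same template, as the answers recommend.

```python
# Constructed sample template, modelled on the snippets in the answers
# above (assumed values: ami-EXAMPLE, t2.micro); not the asker's template.
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"Service": "ec2.amazonaws.com"}}]}
TEMPLATE = {"Resources": {
    "S3AccessRole": {"Type": "AWS::IAM::Role",
                     "Properties": {"AssumeRolePolicyDocument": TRUST, "Path": "/"}},
    "S3InstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                          "Properties": {"Path": "/", "Roles": [{"Ref": "S3AccessRole"}]}},
    # Correctly wired: the instance Refs the profile, which Refs the role.
    "WiredInstance": {"Type": "AWS::EC2::Instance",
                      "Properties": {"ImageId": "ami-EXAMPLE", "InstanceType": "t2.micro",
                                     "IamInstanceProfile": {"Ref": "S3InstanceProfile"}}},
    # The asker's situation: role and profile exist, but nothing ties them to this instance.
    "OrphanInstance": {"Type": "AWS::EC2::Instance",
                       "Properties": {"ImageId": "ami-EXAMPLE", "InstanceType": "t2.micro"}},
}}

def ec2_trusts(role):
    """True if the role's trust policy lets the EC2 service assume it."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    for st in doc.get("Statement", []):
        svc, act = st.get("Principal", {}).get("Service", []), st.get("Action", [])
        svc = [svc] if isinstance(svc, str) else svc   # both forms are valid IAM JSON
        act = [act] if isinstance(act, str) else act
        if st.get("Effect") == "Allow" and "ec2.amazonaws.com" in svc and "sts:AssumeRole" in act:
            return True
    return False

def check_wiring(template):
    """One finding per AWS::EC2::Instance that would launch without a usable role."""
    res = template.get("Resources", {})
    findings = []
    for name, r in res.items():
        if r.get("Type") != "AWS::EC2::Instance":
            continue
        ref = r.get("Properties", {}).get("IamInstanceProfile")
        if ref is None:
            findings.append(f"{name}: no IamInstanceProfile; the instance gets no role")
        elif isinstance(ref, dict):   # a plain string names a profile created outside this template
            prof = res.get(ref.get("Ref"), {})
            roles = [res.get(x.get("Ref")) for x in prof.get("Properties", {}).get("Roles", [])]
            if prof.get("Type") != "AWS::IAM::InstanceProfile":
                findings.append(f"{name}: IamInstanceProfile must Ref an AWS::IAM::InstanceProfile")
            elif not roles:
                findings.append(f"{name}: instance profile {ref['Ref']} lists no Roles")
            elif not all(role and ec2_trusts(role) for role in roles):
                findings.append(f"{name}: a role in {ref['Ref']} does not trust ec2.amazonaws.com")
    return findings
```

Running `check_wiring(TEMPLATE)` reports only OrphanInstance, which is exactly the missing link described in the question; load a real template with `json.load` and pass it in the same way.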
License: CC-BY-SA with attribution