Why does cdk diff command always show a new role getting created, even when a role is specified?

[preeth1]

My deploy code (in python) creates a new ec2 instance using:

from aws_cdk import (
    Stack,
    aws_iam as iam,
    aws_ec2 as ec2,
)

ec2.Instance(
    self,
    id=f'EC2_ID_1',
    vpc=ec2.Vpc.from_lookup(self, id=VPC_ID, vpc_id="existing_vpc"),
    instance_type=ec2.InstanceType.of(ec2.InstanceClass.STANDARD5, ec2.InstanceSize.LARGE),
    machine_image=ec2.MachineImage.lookup(name="existing_ami"),
    security_group=ec2.SecurityGroup.from_lookup_by_id(self, SECURITY_GROUP_ID,security_group_id="existing_sg"),
    key_name="existing_key_name",
    role=iam.Role.from_role_name(self, id=IAM_ROLE_ID, role_name="existing_role_name"),
    availability_zone="us-east-2c"
                )

As you can see, I use an existing IAM role to spin up this ec2 instance. In the documentation for the role property, it says that a new role gets created if one is not specified. However, with the above code, when I run cdk diff, I get:

Running CDK commands from this user: arn:aws:iam::689182170234:user/preethi
Stack infrastructure-cdk
Resources
[+] AWS::IAM::InstanceProfile EC2_ID_0/InstanceProfile EC2ID0InstanceProfile<Profile ID>
[+] AWS::EC2::Instance EC2_ID_0 EC2<EC2 ID>

Why does it create an IAM instance profile even though I have already specified an IAM role?

[indrora]

That's not a role, it's an InstanceProfile.

EC2 instances can have a "profile", which describes the set of roles that are used by that instance (as an instance can be made up of the permissions of several roles, into one meta-role). This is the mechanism by which roles are passed to the EC2 instance overall.

It's outlined in the ClouddFormation docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-iaminstanceprofile

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.