To run a CLI command from within an Amazon Elastic Compute Cloud (Amazon EC2) instance or an Amazon Elastic Container Service (Amazon ECS) container, you can use an IAM role attached to the instance profile or the container. If you specify no profile or set no environment variables, that role is used directly. This enables you to avoid storing long-lived access keys on your instances. You can also use the instance or container role only as the source of credentials for assuming another role. To do this, you use credential_source (instead of source_profile) to specify how to find the credentials. The credential_source attribute supports the following values:
Environment – Retrieves the source credentials from environment variables.
Ec2InstanceMetadata – Uses the IAM role attached to the Amazon EC2 instance profile.
EcsContainer – Uses the IAM role attached to the Amazon ECS container.
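The following is an added example, not part of the original documentation: a small Python audit of an AWS CLI config file that flags profiles whose credential_source is not one of the three values above, profiles that set both source_profile and credential_source (the CLI rejects that combination), and profiles that still store long-lived access keys. The sample config, account ID, role names and profile names are constructed placeholders.

```python
import configparser

# credential_source values listed on this page.
VALID_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}

# Constructed sample config; account ID, role and profile names are placeholders.
SAMPLE_CONFIG = """
[profile deploy]
role_arn = arn:aws:iam::123456789012:role/example-deploy
credential_source = Ec2InstanceMetadata

[profile task]
role_arn = arn:aws:iam::123456789012:role/example-task
credential_source = EcsContainer

[profile typo]
role_arn = arn:aws:iam::123456789012:role/example-deploy
credential_source = Ec2Instance

[profile both]
role_arn = arn:aws:iam::123456789012:role/example-deploy
source_profile = deploy
credential_source = Environment

[profile legacy]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET
"""

def audit_profiles(text):
    """Return {section: [findings]} for config sections that need attention."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        opts, issues = parser[section], []
        if "aws_access_key_id" in opts:
            issues.append("long-lived access key stored in file")
        src, cred = opts.get("source_profile"), opts.get("credential_source")
        if src and cred:
            issues.append("both source_profile and credential_source set")
        elif cred and cred not in VALID_SOURCES:
            issues.append(f"credential_source not a listed value: {cred}")
        if issues:
            findings[section] = issues
    return findings

if __name__ == "__main__":
    print(audit_profiles(SAMPLE_CONFIG))
```

The deploy and task profiles pass cleanly: each names a role to assume and obtains its source credentials from the instance profile or the container role, so no key material sits in the file.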