Do not create AWS instance profile when launching instances

docs/docs/installation/index.md

@@ -138,35 +138,6 @@ There are two ways to configure AWS: using an access key or using the default cr
                     "servicequotas:*"
                 ],
                 "Resource": "*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "iam:GetRole",
-                    "iam:CreateRole",
-                    "iam:AttachRolePolicy",
-                    "iam:TagRole"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "iam:CreatePolicy",
-                    "iam:TagPolicy"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "iam:GetInstanceProfile",
-                    "iam:CreateInstanceProfile",
-                    "iam:AddRoleToInstanceProfile",
-                    "iam:TagInstanceProfile",
-                    "iam:PassRole"
-                ],
-                "Resource": "*"
             }
         ]
     }

src/dstack/_internal/core/backends/aws/compute.py

@@ -104,7 +104,6 @@ def create_instance(
         project_name = instance_config.project_name
         ec2 = self.session.resource("ec2", region_name=instance_offer.region)
         ec2_client = self.session.client("ec2", region_name=instance_offer.region)
-        iam_client = self.session.client("iam", region_name=instance_offer.region)
         allocate_public_ip = self.config.allocate_public_ips
 
         tags = [
@@ -129,10 +128,7 @@ def create_instance(
                         cuda=len(instance_offer.instance.resources.gpus) > 0,
                     ),
                     instance_type=instance_offer.instance.name,
-                    iam_instance_profile_arn=aws_resources.create_iam_instance_profile(
-                        iam_client=iam_client,
-                        project_id=project_name,
-                    ),
+                    iam_instance_profile_arn=None,
                     user_data=get_user_data(authorized_keys=instance_config.get_public_keys()),
                     tags=tags,
                     security_group_id=aws_resources.create_security_group(

src/dstack/_internal/core/backends/aws/resources.py

@@ -1,4 +1,3 @@
-import json
 from typing import Any, Dict, List, Optional
 
 import botocore.client
@@ -24,93 +23,6 @@ def get_image_id(ec2_client: botocore.client.BaseClient, cuda: bool) -> str:
     return images[0]["ImageId"]
 
 
-def create_role_and_policy(iam_client: botocore.client.BaseClient, project_id: str) -> str:
-    policy_name = "dstack_policy_" + project_id.replace("-", "_").lower()
-    role_name = "dstack_role_" + project_id.replace("-", "_").lower()
-
-    try:
-        iam_client.get_role(RoleName=role_name)
-        return role_name
-    except botocore.exceptions.ClientError as e:
-        if e.response["Error"]["Code"] != "NoSuchEntity":
-            raise e
-
-    response = iam_client.create_policy(
-        PolicyName=policy_name,
-        Description="Generated by dstack",
-        PolicyDocument=json.dumps(
-            {
-                "Version": "2012-10-17",
-                "Statement": [
-                    {
-                        "Effect": "Allow",
-                        "Action": "ec2:*",
-                        "Resource": "*",
-                        "Condition": {
-                            "StringEquals": {
-                                "aws:ResourceTag/dstack_project": project_id,
-                            }
-                        },
-                    },
-                ],
-            }
-        ),
-        Tags=[
-            {"Key": "owner", "Value": "dstack"},
-            {"Key": "dstack_project", "Value": project_id},
-        ],
-    )
-    policy_arn = response["Policy"]["Arn"]
-    iam_client.create_role(
-        RoleName=role_name,
-        AssumeRolePolicyDocument=json.dumps(
-            {
-                "Version": "2012-10-17",
-                "Statement": [
-                    {
-                        "Action": "sts:AssumeRole",
-                        "Effect": "Allow",
-                        "Principal": {"Service": "ec2.amazonaws.com"},
-                    }
-                ],
-            }
-        ),
-        Description="Generated by dstack",
-        MaxSessionDuration=3600,
-        Tags=[
-            {"Key": "owner", "Value": "dstack"},
-            {"Key": "dstack_project", "Value": project_id},
-        ],
-    )
-    iam_client.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
-    return role_name
-
-
-def create_iam_instance_profile(iam_client: botocore.client.BaseClient, project_id: str) -> str:
-    role_name = create_role_and_policy(iam_client, project_id)
-
-    try:
-        response = iam_client.get_instance_profile(InstanceProfileName=role_name)
-        return response["InstanceProfile"]["Arn"]
-    except botocore.exceptions.ClientError as e:
-        if e.response["Error"]["Code"] != "NoSuchEntity":
-            raise e
-
-    response = iam_client.create_instance_profile(
-        InstanceProfileName=role_name,
-        Tags=[
-            {"Key": "owner", "Value": "dstack"},
-            {"Key": "dstack_project", "Value": project_id},
-        ],
-    )
-    instance_profile_arn = response["InstanceProfile"]["Arn"]
-    iam_client.add_role_to_instance_profile(
-        InstanceProfileName=role_name,
-        RoleName=role_name,
-    )
-    return instance_profile_arn
-
-
 def create_security_group(
     ec2_client: botocore.client.BaseClient,
     project_id: str,