EC2 RunInstances returns NoSuchEntity for a valid IAM instance profile (regression after IAM-from-moto migration in 2026.03)

[ivanpogrebkov-alphapoint]

Summary

Calling ec2:RunInstances with --iam-instance-profile Name=<name> (or Arn=<arn>) fails with
NoSuchEntity: Instance profile <name> not found, even though the profile
exists and iam:GetInstanceProfile returns 200 for the same name in the same
account.

Reproduces cleanly with direct awslocal calls — no Terraform, no CDK, no
extra wrappers. Fails with both Name= and Arn= forms, with ENFORCE_IAM=1
and ENFORCE_IAM=0, and with EC2_VM_MANAGER=mock and the default docker
backend.

Environment

• LocalStack edition: pro, license activated
• Version: 2026.3.1.dev173:78d55071e (image localstack/localstack-pro:latest pulled 2026-04-13)
• Host: macOS (OrbStack), aarch64
• Reproduces on a freshly-started container with empty persistent state.

Minimal reproduction

Against a vanilla localstack/localstack-pro:latest (no init hooks, no config
customizations beyond a valid LOCALSTACK_AUTH_TOKEN):

# 1. Create role + profile + attach
awslocal iam create-role \
  --role-name r \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
awslocal iam create-instance-profile --instance-profile-name p
awslocal iam add-role-to-instance-profile --instance-profile-name p --role-name r

# 2. Profile exists — returns 200 with role attached
awslocal iam get-instance-profile --instance-profile-name p

# 3. Pick any AMI visible to the account
AMI=$(awslocal ec2 describe-images --owners amazon --query 'Images[0].ImageId' --output text)

# 4. Try to launch — fails
awslocal ec2 run-instances --image-id "$AMI" --instance-type t2.micro --iam-instance-profile Name=p
# aws: An error occurred (NoSuchEntity) when calling the RunInstances operation:
#      Instance profile p not found

Without --iam-instance-profile, step 4 succeeds. Launching with Arn= of the
same profile fails identically.

Expected vs actual

• Expected: step 4 returns 200 with a reservation, consistent with iam:GetInstanceProfile above.
• Actual: step 4 returns 404 NoSuchEntity: Instance profile p not found.

Root cause (as far as we can tell from inside the container)

moto's EC2 RunInstances path validates the instance profile via
moto.ec2.utils.filter_iam_instance_profiles, which calls
moto.iam.models.iam_backends[account_id][partition].get_instance_profile(name).

Since the 2026.03 release moved IAM/STS out of moto into LocalStack core,
moto.iam.models.iam_backends is no longer populated by IAM API calls —
profiles created through LocalStack IAM go into the LocalStack-native store,
and moto's dict stays permanently empty. Moto's EC2 therefore always raises
NotFoundException here.

Confirmation:

docker exec <container> \
  /opt/code/localstack/.venv/bin/python3 -c \
  "from moto.iam.models import iam_backends; print(list(iam_backends.keys()))"
# []   # even after creating several profiles via awslocal

And inspection of the relevant functions:

• moto.ec2.utils.filter_iam_instance_profiles — delegates to moto IAM backend
• moto.ec2.responses.instances.InstanceResponse.run_instances — calls filter_iam_instance_profiles before creating the instance

moto itself is behaving correctly; the gap is that the LocalStack IAM
migration didn't ship a shim keeping the moto backend in sync (or didn't swap
moto's EC2 lookup for a LocalStack-native one).

Suggested fix

Either would work; we think (a) is the lower-risk option:

(a) In the LocalStack IAM provider, mirror create_instance_profile /
delete_instance_profile / add_role_to_instance_profile into
moto.iam.models.iam_backends[account][partition] so the moto-shaped
view stays populated for cross-service consumers.

(b) Replace filter_iam_instance_profiles at EC2 provider load time with a
LocalStack-native lookup (similar to the patching LocalStack already does
for other cross-service boundaries).

Workaround

Until a fix ships, a LocalStack init hook at the READY stage can monkey-patch
moto.ec2.utils.filter_iam_instance_profiles to fall back to LocalStack IAM
when moto misses, mirroring the profile (and any attached roles) into moto's
backend on demand. Full implementation here, public domain / happy-to-upstream:

Summary of the hook:

1. Try original filter_iam_instance_profiles.
2. On miss, connect_to(aws_access_key_id=account_id).iam.get_instance_profile(...).
3. Mirror the profile (and placeholder roles moto requires for attachment)
   into moto.iam.models.iam_backends via the backend's public methods.
4. Return the moto InstanceProfile object so downstream
   associate_iam_instance_profile works.

Also rebinds moto.ec2.models.iam_instance_profile.filter_iam_instance_profiles
and moto.ec2.responses.instances.filter_iam_instance_profiles since those
capture the function by name at from import time.