One of the limitations of Amazon AWS’s EC2 IAMs is the instance role MUST be assigned at “launch” time.  This is distinct from the “Start” action on an instance that was running as has been stopped.  In order to associate a current instance with a new or existing IAM profile, you must create a new instance.  This can be done by creating an image from the current instance and launching that.

Once an IAM role has been assigned, you may alter it.  This suggests that best practice is to always launch an instance with SOME IAM role.

Are the command line tools related to IAM roles?  YES, although it’s not specified, AWS command line  tools will find the role of the instance it’s on,  even if it’s not AWS Linux.

Assuming a role

http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html