By googling, I found this tutorial on accessing S3 from EC2 instance without credential file. I followed its instructions and got the desired instance. The aws web console page looks like

However, I don't want to do it manually using the web console every time. How can I create such EC2 instances using boto3?

I tried

s = boto3.Session(profile_name='dev', region_name='us-east-1')
ec2 = s.resource('ec2')
rc = ec2.create_instances(ImageId='ami-0e297018', 
                          InstanceType='t2.nano',
                          MinCount=1, 
                          MaxCount=1, 
                          KeyName='my-key', 
                          IamInstanceProfile={'Name': 'harness-worker'},
                          )

where harness-worker is the IAM role with access to S3, but nothing else. It is also used in the first approach with the aws web console tutorial.

Then I got error saying

ClientError: An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation.

Did I do something obviously wrong?

The dev profile has AmazonEC2FullAccess. Without the line IamInstanceProfile={'Name': 'harness-worker'},, create_instances is able to create instance.

To assign an IAMProfile to an instance, AmazonEC2FullAccess is not sufficient. In addition, you need the following privilege to pass the role to the instance.

See: Granting an IAM User Permission to Pass an IAM Role to an Instance

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "*"
}

First you can give full IAM access to your dev profile and see it works. Then remove full IAM access and give only iam:PassRole and try again.

This has nothing to do with the role you are trying to assign the new EC2 instance. The Python script you are running doesn't have the RunInstances permission.