if you are getting "The association is not the active association" error when trying to attach a role to a existing EC2 instance then you should:

1. detach the existing role from the existing EC2 instance.
2. attach a new role to the existing EC2 instance.

once you do that, you will be able to attach a role to an existing EC2 instance.

As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.

You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.

For more details, see the following article on AWS Security Blog:

Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.

UPDATE

As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.

The Roles must be assigned when an instance is first launched.

It is not possible to assign the Role after the launched.

I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.

Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI). Use the replace-iam-instance-profile-association command.

Well that's the harsh truth as of now. You can't associate an IAM role to an existing instance. I came to know that when I was trying System Server Manager service which required your EC2 instance to coomunicate with ssm api.

I think we have to wait some more time.