The AWS EC2 APIs are not needed if you only want to use the metadata that is already available in the EC2 metadata service locally on the instance.
You don't want to give the instances permissions to access APIs unless absolutely necessary, as a large deployment can cause throttling issues and the like in the account.
Only the ${tagset_xxx} placeholder seems to need access to the API.
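The split described in the comment, as an added example that is not part of the original post or of the tool it discusses: everything except tags is read from the instance metadata service (IMDSv2, session token first, no IAM credentials involved), and the one placeholder family that does need the API gets a policy limited to the single action it requires. The `IMDS_BASE` override, the `--probe` switch and the `needs_api` helper are assumptions of this script, not anything the tool or AWS defines.

```shell
#!/bin/sh
# Added example. Assumes IMDSv2 at the standard link-local address;
# IMDS_BASE is an override for testing, not an AWS setting.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"

# Obtain a short-lived IMDSv2 session token. The PUT with a TTL header is
# what IMDSv2 requires; nothing here touches the EC2 API or IAM.
imds_token() {
  curl -sS --connect-timeout 2 -X PUT "$IMDS_BASE/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# Read one metadata path with the token (e.g. instance-id, local-ipv4).
imds_get() {
  path="$1"; token="$2"
  curl -sS --connect-timeout 2 -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS_BASE/latest/meta-data/$path"
}

# Hypothetical helper mirroring the comment: only ${tagset_xxx} placeholders
# need the EC2 API; everything else can be served from IMDS.
needs_api() {
  case "$1" in
    tagset_*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Least-privilege policy for the tag case: a single action, nothing else.
# ec2:DescribeTags does not support resource-level scoping, hence "*".
tagset_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:DescribeTags", "Resource": "*" }
  ]
}
EOF
}

# Run with --probe on an instance to print the metadata that needs no API.
if [ "${1:-}" = "--probe" ]; then
  tok=$(imds_token)
  for p in instance-id instance-type placement/availability-zone local-ipv4; do
    printf '%-30s %s\n' "$p" "$(imds_get "$p" "$tok")"
  done
fi
```

Two defender-side notes on the design: the token-first IMDSv2 flow is what you want enforced on the instances anyway (the default hop limit of 1 keeps the token from being fetched across a container bridge), and if the instances are launched with the "allow tags in metadata" option enabled, the tags appear under `/latest/meta-data/tags/instance` as well, which removes even the `DescribeTags` dependency and the throttling risk that comes with it.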