What is the best practise for assigning an EC2 EIP after starting an instance?

You can do it with something like this, in the /etc/rc.local on the server in question:

ec2-associate-address --private-key /root/private_key.pem --cert /root/public_key.pem <eip-address> -i `curl http://169.254.169.254/latest/meta-data/instance-id

Use a VPC, then you won't have to worry about that problem.

Here is a bash i wrote to change EIP on any VPC Instance by using the friendly Name="tag", you can also specify a default region, or add it into the command.

#change vpc instance public IP address (EIP -> NIC|INSTANCE)
#usage "changeip [instance friendly tag=Name] [region]"
#example "changeip my.instnace us-west-1"
#dafault region is us-west-1 (you must include --region for $region default)
#for VPC instances only
function changeip {
    if [[ ! $1 ]]; then
        echo 'Error : You must provide tag name for instance'
        echo 'Example:  changeip [friendly name]'
        return
    fi
    if [[ $2 ]]; then
        region='--region '$2
        echo 'Using region '$2
    else
        region='--region us-west-1' #sets default region
        echo 'Using default '$region
    fi  
    name=$1
    instance=$(ec2-describe-instances $region | grep Name | grep $name | cut -f3)
    if [[ ! $instance =~ ^('i-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Getting the instance id'
        echo $instance
        return
    fi
    echo 'Applying to '$1 '=> '$instance
    echo 'Please wait....'
    ip_new=$(ec2-allocate-address $region -d vpc | cut -f2)
    if [[ ! $ip_new =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        echo 'Error : Getting a new IP address'
        echo $ip_new
        return
    fi
    new_idas=$(ec2-describe-addresses $region $ip_new | cut -f 5) >> /dev/null
    if [[ ! $new_idas =~ ^('eipalloc-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Getting New IP allocation id eipalloc'
        echo $new_idas
        return  
    fi
    ip_old=$(ec2-describe-addresses $region | grep $instance | cut -f2)
    if [[ ! $ip_old =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        echo 'Error : Getting old IP address'
        echo $ip_old
        return
    fi
    id_dis=$(ec2-describe-addresses $region $ip_old | cut -f 6)
    if [[ ! $id_dis  =~ ^('eipassoc-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Dissasociating Old IP'
        echo $id_dis
        return
    fi
    id_release=$(ec2-describe-addresses $region $ip_old | cut -f 5) >> /dev/null
    if [[ ! $new_idas =~ ^('eipalloc-'[A-Za-z0-9]*)$ ]]; then
        echo 'Error : Release Old IP'
        echo $id_release
        return
    fi
    ec2-disassociate-address $region -a $id_dis  >> /dev/null
    sleep 8
    ec2-release-address $region -a $id_release >> /dev/null
    ec2-associate-address $region -i $instance -a $new_idas >> /dev/null
    echo 'SUCCESS!'
    echo 'Old = '$ip_old
    echo 'New = '$ip_new
}

Agree with Eric, that option is not wise in terms of security. Another option would be to have another machine, with credentials in it, in charge of responding to requests from other machines. E.g.: Machine with my credential is EC2-1. You launch perhaps 2 machines to run your web servers, EC2-2 and EC2-3. When they bootstrap, they can "signal" this to EC2-1, which in turn will run the API call to associate EC2-2 and EC2-3 to two Elastic IPs. This way, you have to make EC2-1 VERY secure, and you are not at risk with the other machines.

Best,

Simone