IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don't have to share long-term credentials or define permissions for each entity that requires access to a resource.
The following scenarios highlight some of the challenges that you can address by delegating access:
- Granting applications that run on Amazon EC2 instances access to AWS resources
To grant applications on an Amazon EC2 instance access to AWS resources, developers might distribute their credentials to each instance. Applications can then use those credentials to access resources such as Amazon S3 buckets or Amazon DynamoDB data. However, distributing long-term credentials to each instance is challenging to manage and a potential security risk. The video below desribes how to use roles to address this security concern in more detail.
- Cross-account access
To control or manage access to resources, such as isolating a development environment from a production environment, you might have multiple AWS accounts. However, in some cases, users from one account might need to access resources in the other account. For example, a user from the development environment might require access to the production environment to promote an update. Therefore, users must have credentials for each account, but managing multiple credentials for multiple accounts makes identity management difficult. Using an IAM role can simplify this. See the Trend Micro case study to see cross account access in action.