IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don't have to share long-term credentials or define permissions for each entity that requires access to a resource.

Adobe Flash Player or a modern browser is required to view videos on this site.

Getting Started with IAM Roles for EC2 Instances

Get Started with AWS for Free

Create a Free Account
Or Sign In to the Console

AWS Free Tier includes 750hrs of Micro Cache Node with Amazon ElastiCache.

View AWS Free Tier Details »

The following scenarios highlight some of the challenges that you can address by delegating access:

  • Granting applications that run on Amazon EC2 instances access to AWS resources
    To grant applications on an Amazon EC2 instance access to AWS resources, developers might distribute their credentials to each instance. Applications can then use those credentials to access resources such as Amazon S3 buckets or Amazon DynamoDB data. However, distributing long-term credentials to each instance is challenging to manage and a potential security risk. The video above desribes how to use roles to address this security concern in more detail.
  • Cross-account access
    To control or manage access to resources, such as isolating a development environment from a production environment, you might have multiple AWS accounts. However, in some cases, users from one account might need to access resources in the other account. For example, a user from the development environment might require access to the production environment to promote an update. Therefore, users must have credentials for each account, but managing multiple credentials for multiple accounts makes identity management difficult. Using an IAM role can simplify this.  See the Trend Micro case study to see cross account access in action.
  • Granting permissions to AWS services
    Before AWS services can perform actions for you, you must grant them permissions to do so. You can use AWS IAM roles to grant permissions for AWS services to call other AWS services on your behalf, or create and manage AWS resources for you in your account. AWS services such as Amazon Lex also offer service-linked roles that are predefined and can be assumed only by that specific service.

For more about how to manage roles in IAM, see the Roles section of the Using IAM guide.