IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don't have to share long-term credentials or define permissions for each entity that requires access to a resource.
The following scenarios highlight some of the challenges that you can address by delegating access:
- Granting applications that run on Amazon EC2 instances access to AWS resources
To grant applications on an Amazon EC2 instance access to AWS resources, developers might distribute their credentials to each instance. Applications can then use those credentials to access resources such as Amazon S3 buckets or Amazon DynamoDB data. However, distributing long-term credentials to each instance is challenging to manage and a potential security risk. The video above desribes how to use roles to address this security concern in more detail.
- Cross-account access
- Granting permissions to AWS services