IAM roles are a great way to assign permissions to users, applications, and other services, such as EC2, to allow them to perform actions that require authentication and authorization. Roles are assumed, and they can be used to apply temporary credentials to an identity or service:

First, I will focus on using IAM roles with a service, such as EC2. Suppose that you have an application running on an EC2 instance, performing image processing. One process of your application requires read-only access to Amazon S3. One way that developers could architect the application to authenticate to the service would be to store credentials locally, on the instance itself. However, this goes against security best practices, especially within the cloud. You should never store credentials on an instance locally; instead, you should use an IAM role.

An IAM role is configured with permissions, just like a normal IAM user would have. When an EC2 instance is associated with an IAM role, the instance has the permissions that are given to that role.

In our example, we could create a role called Role_S3_Access, assign the following permissions, and associate it with the EC2 instance:

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": [
       "s3:Get*",
       "s3:List*"
     ],
     "Resource": "*"
   }
 ]
}

This will allow that instance to access S3 objects within your account, without having to store any local credentials on the instance.