There's more...

Let's quickly go through some important details about IAM roles:

  • The trust policy for a role allows a user in the trusted account to switch to or assume that role.
  • A wildcard (*) cannot be specified as a principal for a trust policy.
  • When a user assumes a role, the user temporarily gives up their own permissions until they stop using the role.
  • Some services allow attaching a policy directly to a resource without needing to use a role as a proxy. These resources include S3 buckets, Glacier vaults, Amazon Simple Notification Service (SNS) topics, and Amazon Simple Queue Service (SQS) queues.
  • Roles can be used by external users authenticated by an external identity provider service to get access to AWS resources. Roles allow mobile apps to use AWS resources without embedding AWS keys within the app.
  • Role chaining is the process where a role assumes a second role through the AWS CLI or API.
  • To pass the role information to an EC2 instance when the instance starts, we can add the role within an instance profile. An instance profile can be considered a container for an IAM role. The list-instance-profiles-for-role CLI command lists the instance profiles for a role.
  • The permissions boundary is a feature we can use to set the maximum permissions that an identity-based policy can grant to an IAM entity such as a user or role. The put-role-permissions-boundary CLI command creates or updates the permissions boundary for a role, while delete-role-permissions-boundary deletes the permissions boundary for the role.
  • The attach-role-policy CLI command attaches a policy to a role, while detach-role-policy detaches a policy from a role.
  • The put-role-policy CLI command creates or updates an inline policy, get-role-policy retrieves the specified inline policy in a role, and delete-role-policy deletes the specified inline policy.
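Two of the rules above (no wildcard principal in a trust policy, and a permissions boundary capping what an identity-based policy can grant) modelled in a small checker. This is an added example, not code from the book; the trust policy, account ID 111122223333 and the policy documents are constructed placeholders, and only simplified Allow statements with action patterns are modelled (explicit Deny, resource ARNs and conditions are ignored).

```python
from fnmatch import fnmatchcase

# Constructed sample trust policy; 111122223333 is a placeholder account ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trust_policy_principals(doc):
    """Return every principal value named in the policy's Allow statements."""
    found = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            for values in principal.values():
                found.extend(_as_list(values))
        else:
            found.append(principal)
    return found

def has_wildcard_principal(doc):
    """True if any trusted principal is the bare wildcard '*', which a role trust policy must not use."""
    return any(p == "*" for p in trust_policy_principals(doc))

def allowed_actions(policy):
    """Flatten the action patterns of all Allow statements (IAM matches actions case-insensitively)."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.extend(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns

def effective_actions(identity_policy, boundary, candidate_actions):
    """Actions the identity policy can really grant: only those allowed by BOTH documents."""
    idp, bnd = allowed_actions(identity_policy), allowed_actions(boundary)
    return sorted(a for a in candidate_actions
                  if any(fnmatchcase(a.lower(), p) for p in idp)
                  and any(fnmatchcase(a.lower(), p) for p in bnd))
```

Run `effective_actions` over the role's identity policy and the document passed to put-role-permissions-boundary to see what the role can actually do after the boundary is applied.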