An AWS Identity and Access Management (IAM) role is an IAM identity with a set of permissions, much like an IAM user, except that it has no long-term credentials of its own (no password, no access keys). Instead, a trusted principal assumes the role and receives temporary security credentials from AWS Security Token Service (STS). Principals that can assume a role include AWS services acting on your behalf (EC2 instances, Lambda functions and others), IAM users and roles in the same or another account, and identities federated through an external identity provider. Roles are therefore the way to grant access to AWS resources without distributing long-term credentials.
Roles are created and managed in the IAM service. A role is delivered to an EC2 instance through an instance profile: an instance profile is a container for exactly one IAM role, and it is what you attach to the instance at launch time (or later) so that software on the instance can fetch the role's temporary credentials from the instance metadata service instead of reading access keys from disk.
Two kinds of policy are attached to a role. The trust policy (also called the assume-role policy) states which principals may assume the role; the permissions policies (managed or inline identity-based policies) state what the assumed role may do. Both are JSON documents; the AWS Policy Generator is only a tool that produces that JSON. The trust policy deserves as much scrutiny as the permissions policies, because an over-broad principal in the trust policy lets anyone matching it obtain everything the permissions policies grant.
IAM roles can be used for a variety of purposes, such as:
- Giving applications running on EC2 instances temporary credentials to call AWS services, instead of storing access keys on the instance.
- Allowing one AWS service (for example a Lambda function) to call other AWS services on your behalf.
- Granting cross-account access to your AWS resources.
- Granting permissions to users who sign in through a SAML 2.0 or OpenID Connect identity provider (IdP) rather than holding IAM user credentials.
It is important to note that a role is not tied to a particular user or group the way an IAM user's own credentials are: it belongs, for the lifetime of one set of temporary credentials, to whoever the trust policy allowed to assume it. That can be an AWS service, a workload on an instance, or a human (an IAM user calling sts:AssumeRole, or a federated user signing in through an IdP). The security benefit is that every assumption yields short-lived credentials scoped to the role's permissions, so there are no long-term keys to leak; the corresponding risk is that a permissive trust policy is itself a path to those permissions, and it should be reviewed like any other grant.
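The distinction between a trust policy and a permissions policy, and the checks a practitioner runs on them before creating a role, as an added example (this is not AWS tooling and not code from the original page). The role names, bucket name, account IDs and ExternalId value are made up for illustration; the checks implement the two caveats above, an over-broad principal in the trust policy and a cross-account trust without the sts:ExternalId condition that AWS recommends against the confused-deputy problem, plus wildcard actions or resources in the permissions policy.

```python
"""IAM role policy documents with pre-deployment checks (added example).
All identifiers below are hypothetical."""

# Constructed trust policy for a role attached to EC2 through an instance
# profile: only the EC2 service principal may call sts:AssumeRole.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed permissions policy: what the assumed role may do.
# Least privilege here means reading one (hypothetical) bucket and nothing else.
S3_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-config",
                     "arn:aws:s3:::example-app-config/*"],
    }],
}

# Constructed cross-account trust policy: a role in another (hypothetical)
# account may assume this one, but only when it passes the agreed ExternalId.
CROSS_ACCOUNT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/DeployRole"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-shared-id"}},
    }],
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_assumers(trust_policy):
    """Return (principal kind, value) pairs that may assume the role.
    Only Allow statements that grant an sts:AssumeRole* action count."""
    result = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a.startswith("sts:AssumeRole") or a in ("sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            result.append(("*", "*"))
            continue
        for kind, values in (principal or {}).items():
            for v in _as_list(values):
                result.append((kind, v))
    return result


def trust_policy_findings(trust_policy, own_account_id):
    """Flag a wildcard principal, and cross-account AWS principals trusted
    without an sts:ExternalId condition."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("anyone can assume this role: Principal is '*'")
            continue
        for p in aws_principals:
            parts = p.split(":")
            account = parts[4] if len(parts) >= 5 else p  # bare account-id form
            if account == own_account_id:
                continue
            cond = stmt.get("Condition", {})
            has_external_id = any("sts:ExternalId" in keys
                                  for keys in cond.values() if isinstance(keys, dict))
            if not has_external_id:
                findings.append(f"cross-account trust of {p} without an sts:ExternalId condition")
    return findings


def permissions_findings(policy):
    """Flag Allow statements whose Action or Resource is the wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")):
            findings.append("Action '*' grants every API call")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("Resource '*' applies to every resource")
    return findings


if __name__ == "__main__":
    own = "999988887777"  # hypothetical account that owns the roles
    for name, tp in [("ec2-app-role", EC2_TRUST_POLICY),
                     ("deploy-role", CROSS_ACCOUNT_TRUST_POLICY)]:
        print(name, "assumable by:", allowed_assumers(tp),
              "findings:", trust_policy_findings(tp, own))
    print("permissions findings:", permissions_findings(S3_READ_POLICY))
```

Once the documents pass the checks, the trust policy is what you pass as the assume-role policy document when creating the role (`aws iam create-role --assume-role-policy-document`), the permissions policy is attached with `aws iam put-role-policy` or `aws iam attach-role-policy`, and for the EC2 case the role is wrapped in an instance profile with `aws iam create-instance-profile` and `aws iam add-role-to-instance-profile` before being associated with the instance.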