
IAM roles

An IAM role is an AWS identity that AWS recommends over IAM users for most use cases because of the benefits it offers. Unlike a user, a role is not tied to one person, application, or service; it has no long-term credentials of its own and can be assumed by any principal that its trust policy allows. When a role is assumed, AWS issues short-lived, temporary security credentials for it dynamically and expires them automatically, so there are no access keys to store or rotate by hand. Roles are a versatile IAM feature: you can use them to delegate access to services, applications, or users that do not need regular access to your AWS resources, or that sit outside your organization, and to grant access to identities whose credentials are held outside your AWS account, such as in your corporate directory. The following scenarios all make use of roles:

  • An IAM user in a different AWS account from the role (cross-account access).
  • An IAM user in the same AWS account as the role.
  • An AWS service, such as S3, that needs to act on your behalf.
  • A user outside your organization who is authenticated by an external identity provider compatible with Security Assertion Markup Language (SAML) 2.0 or OpenID Connect, or by a custom-built identity broker.

Let us look at the steps to create a role using the AWS console. Roles can also be created with the AWS CLI, the AWS API, or the AWS Tools for Windows PowerShell:

  1. Navigate to the IAM dashboard from the AWS console.
  2. Click on Roles in the navigation pane. This page lists all roles in your AWS account, and you can view, edit, and delete them from here.
  3. Click on the Create New Role button.
  4. Select one of the four types of IAM roles, as described in the next section.
  5. Attach policies to this role and click on the Next Step button.
  6. On the next screen, give the role a user-friendly name and, optionally, a description.
  7. You can also change the attached policies on this screen.
  8. Click on the Create Role button to create the new role.
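The four assumption scenarios listed above and the create-role procedure both come down to the role's trust policy (who may assume it) plus the permissions policies attached to it. The following Python is an added example, not code from the original text: it builds a trust policy for each scenario, audits a trust policy for relationships broader than intended (a wildcard principal, or a cross-account trust without an `sts:ExternalId` condition, which is the usual guard against the confused-deputy problem when the other account belongs to a third party), and then creates the role through an IAM client with the boto3 `create_role` / `attach_role_policy` calls. The account IDs, role name, user name, and SAML provider ARN are placeholder assumptions.

```python
"""Build, audit and create IAM role trust policies for the four assumption
scenarios. Added example; account IDs, names and ARNs below are placeholders."""
import json
import re

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def trust_policy(principal_type, **kw):
    """Return the trust (assume-role) policy document for one scenario.

    "same_account"  -> an IAM user in this account        (account_id, user)
    "cross_account" -> an identity in another account     (account_id, external_id)
    "service"       -> an AWS service, e.g. s3.amazonaws.com (service)
    "saml"          -> users federated through a SAML 2.0 IdP (provider_arn)
    """
    cond = None
    if principal_type == "same_account":
        principal = {"AWS": f"arn:aws:iam::{kw['account_id']}:user/{kw['user']}"}
        action = "sts:AssumeRole"
    elif principal_type == "cross_account":
        # Trusting the other account's root delegates to that account's admins
        # which of their identities may assume the role; ExternalId is required.
        principal = {"AWS": f"arn:aws:iam::{kw['account_id']}:root"}
        action = "sts:AssumeRole"
        cond = {"StringEquals": {"sts:ExternalId": kw["external_id"]}}
    elif principal_type == "service":
        principal = {"Service": kw["service"]}
        action = "sts:AssumeRole"
    elif principal_type == "saml":
        principal = {"Federated": kw["provider_arn"]}
        action = "sts:AssumeRoleWithSAML"
        cond = {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
    else:
        raise ValueError(f"unknown principal type: {principal_type}")
    stmt = {"Effect": "Allow", "Principal": principal, "Action": action}
    if cond:
        stmt["Condition"] = cond
    return {"Version": "2012-10-17", "Statement": [stmt]}


def audit_trust_policy(doc, own_account):
    """Return findings for trust statements that let more principals in than intended."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account can assume this role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unrecognised principal form: {principal!r}")
            continue
        aws = principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            m = ACCOUNT_IN_ARN.match(arn)
            if m and m.group(1) != own_account:
                equals = stmt.get("Condition", {}).get("StringEquals", {})
                if "sts:ExternalId" not in equals:
                    findings.append(f"cross-account trust of {m.group(1)} without sts:ExternalId")
    return findings


def create_role(iam, name, doc, policy_arns, description=""):
    """Create the role and attach managed policies, mirroring the console steps.
    `iam` is a boto3 IAM client (boto3.client("iam")) or any object with the
    same create_role / attach_role_policy keyword interface."""
    resp = iam.create_role(RoleName=name,
                           AssumeRolePolicyDocument=json.dumps(doc),
                           Description=description)
    for arn in policy_arns:
        iam.attach_role_policy(RoleName=name, PolicyArn=arn)
    return resp["Role"]["Arn"]


if __name__ == "__main__":
    own = "111111111111"  # placeholder account ID
    scenarios = {
        "same_account": trust_policy("same_account", account_id=own, user="alice"),
        "cross_account": trust_policy("cross_account", account_id="222222222222",
                                      external_id="partner-42"),
        "service": trust_policy("service", service="s3.amazonaws.com"),
        "saml": trust_policy("saml", provider_arn=f"arn:aws:iam::{own}:saml-provider/Corp"),
    }
    for kind, doc in scenarios.items():
        print(kind, json.dumps(doc), "findings:", audit_trust_policy(doc, own))
    # Real creation needs credentials: create_role(boto3.client("iam"), "S3ReplicationRole",
    #     scenarios["service"], ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"])
```

Run the audit against every role's `AssumeRolePolicyDocument` (from `aws iam list-roles`) rather than only against policies you author; the trust side of a role is where accidental over-delegation most often hides.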

AWS provides the following four types of IAM roles for various use cases:
