IAM Roles for Services
3 min read
đ What is IAM?
IAM (Identity and Access Management) is AWSâs way of controlling who can do what in your AWS environment. IAM helps you manage access to AWS services and resources securely.
đ¤ What is an IAM Role?
An IAM Role is an AWS identity with a set of permissions (a permissions policy) but no username or password. It defines what actions are allowed or denied on specific resources.
Unlike IAM users, roles are not associated with a specific person or service â instead, they can be assumed temporarily by trusted entities, like:
AWS services (e.g., EC2, Lambda, ECS)
Other AWS accounts
Users/federated identities (SSO, Active Directory, etc.)
Two policy types
Trust Policy (Who can wear the badge) - This is the list of approved wearers. It says exactly which AWS service, user, or account is allowed to pick up and use the badge. For example: âOnly EC2 instances can assume this role.â
Permissions Policy (âWhat can they do with it?â) - This is the set of rules printed on the badge itself. It spells out what actions the badgeâholder is allowed to performâlike âread files from bucket Xâ or âwrite logs to CloudWatch.â
So:
Trust policy = whoâs allowed to grab the role.
Permissions policy = what theyâre allowed to do once they have it.
đ ď¸ Example: EC2 Instance Accessing S3
Problem:
You want an EC2 instance to read files from an S3 bucket, but you don't want to store or hardcode AWS access keys on the instance. Because:
Hardcoding AWS credentials is insecure.
If your EC2 instance gets compromised, your AWS Access Key and Secret Key could be stolen.
Itâs hard to rotate/expire hardcoded credentials.
Solution
Create an IAM Role with permissions to access S3 (e.g.,
s3:GetObject).Attach this role to your EC2 instance when you launch it (or later).
The EC2 instance will then assume the IAM Role automatically.
The instance can now securely call S3 APIs using temporary credentials provided by AWS.
â No need to store long-term credentials. AWS handles temporary credentials behind the scenes.
đ How IAM Roles for Services Work
You define a trust policy â who can assume the role (e.g.,
ec2.amazonaws.com,lambda.amazonaws.com).You define a permissions policy â what actions are allowed (e.g., access to S3, DynamoDB, etc.).
AWS automatically rotates and manages the temporary credentials for the service using the role.
Common Service-Role Types
| Role Type | Attached To | Typical Use-Case |
| Instance Profile | EC2 instance | Grant EC2 access to S3, SSM, CloudWatch, etc. |
| Lambda Execution Role | Lambda function | Allow Lambda to invoke other AWS services (DynamoDB, SQSâŚ). |
| Task Role | ECS task | ECS containers access AWS APIs without baking in keys. |
| Service-Linked Role | Managed by AWS service | AWSâcreated role with predefined trust & permissions (e.g., AWS Auto Scaling). Cannot be deleted unless the service is disabled. |