Mastering AWS IAM Roles: Secure Access Without Sharing Credentials
saumya singh
Introduction
When working with AWS, secure access management is crucial. AWS IAM (Identity and Access Management) lets you manage who can do what in your AWS environment.
While IAM Users are for individuals and IAM Groups are for collections of users, IAM Roles are for granting temporary permissions to trusted entities without sharing credentials.
In this article, we’ll break down what IAM Roles are, how they differ from users, and walk through a step-by-step guide to creating and using one — with a diagram for clarity.
What is an IAM Role?
An IAM Role is an AWS identity that comes with specific permissions but does not have login credentials (username/password). Instead, it’s assumed by a trusted entity — which could be:
An AWS Service (like EC2, Lambda, S3)
An IAM User from your AWS account
An External AWS Account
An Application outside AWS
Once assumed, the role grants temporary security credentials (Access Key, Secret Key, Session Token).
When to Use IAM Roles
IAM Roles are ideal when:
You want EC2 to access S3 without storing keys in code.
You want a Lambda function to read/write DynamoDB.
You want cross-account access without sharing passwords.
You want temporary elevated permissions for a user.
IAM Role vs IAM User
| Feature | IAM User | IAM Role |
| Credentials | Permanent | Temporary |
| Assigned To | One specific person | AWS services, users, or accounts |
| Usage | Long-term access | Temporary tasks or service access |
Step-by-Step: Creating an IAM Role
Let’s create a role to allow an EC2 instance to access an S3 bucket.
Step 1: Open IAM Console
- Go to AWS Management Console → IAM → Roles → Create Role.
Step 2: Select Trusted Entity
- Choose AWS Service → EC2 → Next.
Step 3: Attach Permissions
Search for AmazonS3FullAccess and select it.
Click Next.
Step 4: Name the Role
Role Name:
EC2-S3-Access-RoleReview and Create Role.
Step 5: Attach Role to EC2
Go to EC2 Console → Select your instance → Actions → Security → Modify IAM Role.
Choose
EC2-S3-Access-Role.
Step 6: Test the Role
SSH into your EC2 instance.
Run:
aws s3 ls
You should see your S3 buckets without any access keys stored in your instance.
Diagram: How IAM Roles Work
[User/Service] → [Assume Role] → [Temporary Credentials] → [AWS Resources]
Here’s a visual representation:
[User/Service] → [Assume Role] → [Temporary Credentials] → [AWS Resources]
Best Practices
Grant least privilege: Only give required permissions.
Use roles instead of hardcoding credentials.
Rotate and monitor role usage with AWS CloudTrail.
Use Session Policies for even tighter control.
Conclusion
IAM Roles are an essential security tool in AWS. They allow services and applications to securely access resources without embedding permanent credentials.
By mastering IAM Roles, you ensure your AWS architecture remains secure, scalable, and manageable.
Subscribe to my newsletter
Read articles from saumya singh directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
saumya singh
saumya singh
Welcome to my corner of the cloud, where ideas scale faster than servers and downtime is not an option! Here, I write about everything from spinning up VPCs to tearing down myths about the cloud. Whether you’re an engineer, a curious learner, or someone who just likes seeing words like 'serverless' and 'auto-scaling,' you’re in the right place. Consider this blog your high-availability zone for tips, tutorials, and tech thoughts—delivered with 99.99% uptime .