What do you mean by IAM role? Give one example of IAM role.

 

An IAM role is an IAM identity you can create in your account that has specific permissions. An IAM role is similar to an IAM user because it is also an AWS identity that you can attach permissions policies to, and those permissions determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, the role provides you with temporary security credentials for your role session.

You can use roles to delegate access to users, applications, or services that do not normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account. Or you might want to allow a mobile app to use AWS resources, but you do not want to embed AWS keys within the app (where the keys can be difficult to rotate and where users can potentially extract them and misuse them). Also, sometimes you may want to grant AWS access to users who already have identities that are defined outside of AWS, such as in your corporate directory. Or, you might want to grant access to your account to third parties so that they can perform an audit on your resources. For all of these example use cases, IAM roles are an essential component to implementing the cloud deployment.

Example:

In the diagram, a developer runs an application on an EC2 instance that requires access to the S3 bucket that is named photos. An administrator creates the IAM role and attaches the role to the EC2 instance. The role includes a permissions policy that grants read-only access to the specified S3 bucket. It also includes a trust policy that allows the EC2 instance to assume the role and retrieve the temporary credentials. When the application runs on the instance, it can use the role's temporary credentials to access the photos bucket. The administrator does not need to grant the application developer permission to access the photos bucket, and the developer never needs to share or manage credentials.