The difference between an AWS role and an instance profile

Breaking down AWS IAM

Tj Blogumas
DevOps Dudes
2 min read · May 5, 2020

There are two key parts of any authentication system, not just IAM:

  • Who am I?
  • What am I permitted to do?

When you create an IAM user, those two questions are answered by a single principal: the IAM user has both properties. It has credentials with which someone can “be” the user, and it has permissions attached that allow the user to perform actions.

Roles are simply “what can I do?”

They provide a mechanism to define a collection of permissions. You assign Managed Policies and inline policies to the role to give it permissions to act. But it, in and of itself, isn’t a particular person or thing. It does not define “who am I?”

Roles are designed to be “assumed” by other principals which do define “who am I?”, such as users, Amazon services, and EC2 instances.

An instance profile, on the other hand, defines “who am I?” Just like an IAM user represents a person, an instance profile represents EC2 instances. The only permissions an EC2 instance profile has is the power to…
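To make that split concrete, here is an added CloudFormation example (mine, not from the article): the role carries a trust policy that admits only the EC2 service plus a least-privilege permission policy, and the instance profile is the separate object that lets an instance present itself as that role. The bucket name, AMI id and resource names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Role ("what can I do?") vs instance profile ("who am I?") for EC2

Parameters:
  ConfigBucketName:
    Type: String
    Description: Placeholder name of the S3 bucket the instance may read

Resources:
  # The role answers "what can I do?": it holds permissions but is not
  # itself a person or a machine.
  AppInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: which principals may assume the role. Only EC2 here.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Permission policy: read-only access to a single bucket, nothing more.
      Policies:
        - PolicyName: ReadConfigBucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${ConfigBucketName}/*"
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${ConfigBucketName}"

  # The instance profile answers "who am I?" for EC2: it is the container
  # an instance is launched with, and it points at exactly one role.
  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref AppInstanceRole

  # The instance is attached to the profile, not directly to the role.
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0123456789abcdef0   # placeholder AMI id
      InstanceType: t3.micro
      IamInstanceProfile: !Ref AppInstanceProfile
```

Widening the trust policy (for example to a wildcard principal) would let principals other than EC2 take on the role's permissions, so the trust policy deserves the same review as the permission policy.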

Published in DevOps Dudes

A collection of stories that have anything and everything to do with DevOps from horror stories to success stories. If it's about Gitlab, Jenkins, Chef, Ansible, AWS, Azure, Kubernetes, Software Engineer then it belongs here.

Written by Tj Blogumas

Director of IT Operations at a KC based FinTech. Technology and Automation enthusiast.
