IAM User vs IAM Role in AWS

IAM User vs IAM Role in AWS

When should you use IAM roles?

Honestly, I was confused like hell, even felt a bit stupid since this concept seems to be clicking for everyone.

When do I use IAM User and when do I use IAM Role in AWS?

I ended up researching, making notes, and I'd like to share that in this article. I hope it helps others who may be confused and were in the same position as I was.

IAM User

An IAM User is like its own user, you could think of it as an employee in a coffee shop.

The owner of the coffee shop would be the root user/account you created, and an IAM User would be the employee. An employee wouldn't and shouldn't be allowed to do the things the owner can do, otherwise, things can go very wrong, if it is either because the employee turns evil or does something wrongly due to their lack of knowledge. Also, all employees shouldn't be allowed to do the same things unless they have the same responsibilities within the coffee shop.

It has a name and its own credentials. By default, it is given no permissions. You can attach permissions to the IAM User using either the root user or an IAM User that has permission to grant permission to other IAM User. The permissions are given to an IAM User

Typically if a person is working alone in an account, it fits to create an IAM user. If you need multiple IAM Users with the same permissions, you can create a group of IAM Users, and then grant permissions to the group which will be the ones used for the IAM Users.

IAM Role

You should use IAM roles to grant access to your AWS accounts by relying on short-term credentials. The credentials with roles are temporary. Roles are just a set of permissions that can be given to different services, and you don't need access keys.

Let's say a user has to do an action, but we know for sure the user won't do it often, then the user can assume a role, giving them the permissions for that action for a short time. This is more secure than attaching the permissions directly to the user's access keys, which would be permanent, and that isn't necessary if the user does a particular action from time to time and not continuously.

Going back to the example of the coffee shop. Let's say we have keys that employees aren't allowed to access except for certain times:

An example of this would be an employee whose job is to serve the customers, and not make the coffees, who starts their day by opening the coffee shop with another employee whose job is to make coffees. Now, one day the other employee doesn't come, because they were unexpectedly taken to the hospital, the employee whose job is to serve the customers then must take on the role to make the coffees. Because we've been prepared for such situations, we have keys store to start the coffee machines which the employee can use today as they take on the job to also make the coffees.

I hope the example above isn't too confusing, but yeah, I like using the coffee shop as an example.

When to use each?

At the moment, I think of it as:

  • Do I've multiple users or a single user that needs to do an action or access a resource from time to time but not continuously? -> Use IAM Roles for this.

  • Do I've a single user that is primarily focused on working on something constantly, i.e. working with S3 every day to do actions? -> Use an IAM User for this.

  • Do I've multiple users that are primarily focused on working on the same things constantly -> Create a group of IAM Users. Note: Here we wouldn't want the users to share accounts because that'd lead to conflicts during work.


The topic can be confusing, especially when people are talking about both at the same time, it sort of mixes like a smoothie.

In the end, it isn't too complex.