More about IAM roles in AWS

An IAM Role is a set of permissions that grant access to actions and resources in AWS.
These permissions are attached to the Role, not to an IAM user or Group. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
A role does not have standard long-term credentials (password or access keys) associated with it.
If a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Interactively in the IAM console

IAM users in your account using the IAM console can switch to a role to temporarily use the permissions of the role in the console.
- The user gives up their original permission and takes on the permission assigned to the Role.
- When the user exists the Role, their original permission is restored.
Programmatically with the AWS CLI, Tools for Windows Powershell, or API.

An application or a service offered by AWS (like Amazon EC2) can assume a role by requesting temporary security credentials for a role with which to make programmatic requests to AWS.
You use a role this way so that you don't have to share or maintain long-term security credentials for each entity that requires access to a Resource.

Unlike a user-based policy, a resource-based policy specifies who can access that resource.
Cross-account access with a resource-based policy has an advantage over a role. With a resource that is accessed through a resource-based policy, the user still works in the trusted account and does not have to give up his or her user permissions in place of the role permissions.
In other words, the user continues to have access to resources in the trusted account at the same time as he or she has access to the resource from the trusting account.
This is useful for tasks such as copying information to or from the shared resource in the other account.
Please note that not all services support a Resource-based policy.

DevOps and Cloud Computing