What’s the difference between an IAM User and an IAM Role in AWS?

The key differences between IAM Users and IAM Roles are:

1. Association: An IAM User is uniquely associated with a single person or application, while an IAM Role is designed to be assumable by anyone who needs it (users, applications, or services).

2. Credentials: IAM Users have permanent, long-term credentials such as passwords and access keys. IAM Roles provide temporary security credentials that are valid only for a role session.

3. Use cases:

• Use IAM Users when you have specific use cases that require long-term credentials (though AWS recommends rotating access keys regularly).
• Use IAM Roles for temporary access scenarios such as federated user access, cross-account access, or for AWS services to perform actions on your behalf.

As a best practice, AWS recommends using temporary credentials (IAM Roles) whenever possible instead of creating IAM Users with long-term credentials. IAM Roles are particularly useful for delegation, allowing entities that don't normally have access to your AWS resources to obtain temporary permissions.

For example, if you need to grant access to multiple users with similar permissions, you could create an IAM Role with those permissions and have users assume that role when needed, rather than creating individual IAM Users and managing their credentials.
Sources
Compare IAM identities and credentials - AWS Identity and Access Management
When do I use IAM? - AWS Identity and Access Management
IAM roles - AWS Identity and Access Management
AWS Identity and Access Management for AWS Security Hub - AWS Security Hub