IAM roles are similar to users, in that they can have a policy attached to them, but they can be attached by anyone who needs access in a trusted entity. In that way, you can delegate access to users, applications, or services without having to give them a new AWS key, as they could use the temporary security tokens through this trusted entity. For example, you could grant a third-party read access to an S3 bucket and nothing else within your AWS environment without actually having to share any keys and purely using the roles: