EC2 IAM Role should be a VM setting rather than image setting
Setting the IAM role as an attribute of the "image" means that you can only have "one" role. If you want to separate your "staging" from your "production" roles (for example), you have to use a different AMI because you cannot have two images with the same AMI. Also, you cannot "set" the value at host creation time. You can only chose an OS image, which has it attached, which is fairly limiting.
.. this may involve "instance profiles" -- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
#4 Updated by Tommy McNeely about 3 years ago
I was asked to clarify this request. It has been a couple years since I filed it, but here is my best recollection...
We have a customer using IAM Roles, which assign dynamic IAM credentials to machines rather than having to manually create credentials and copy and paste them into a configuration.
The IAM Role setting is currently configured at the image level, which means where you associate the os version to the ami-xxxxxxxx ID. This setting needs to be configurable at the instance level instead of image level. I don't have a problem with being able to set a "default" IAM role at the image level, for a shop with low security requirements, but we cannot have the same role assigned to all instances.