Expected behavior

A service is connected to a single IAM Role, no other services can assume that role.

Actual behavior

IAM Roles can only be distributed to an entire EC2 instance and hence to all services running on that instance

Additional Information

Found an old post in this forum about the same thing. Not sure if I should have replied there instead.

My questions is if my statements above are correct? Or is there a way to run several Docker swarm mode services on a single EC2 instance but distribute AWS IAM Role credentials in a manner similar to how it works for EC2 instances?

A more concrete example:
I have ten services on one EC2 instance. Only one needs access to read from an S3 bucket. Currently I have an IAM User that has rights to that bucket and I manually distribute that users credentials to the service via docker secrets.
Pros: only the service that needs has access
Cons: Manual, difficult to rotate, credentials can potentially be stolen

The alternative solution that I don’t use: Assign an IAM Role to the EC2 instance running the services. Pick up the credentials from the instance metadata, mount them to the container that needs access.
Pros: Can be automated, easy to rotate
Cons: The credentials are available to anyone on the EC2 instance. I haven’t investigated how it would work if I wanted ten different roles for ten different services.

Tips? Thoughts?