Today, Amazon AppStream 2.0 enabled applying an AWS Identity and Access Management (IAM) Role to your image builder and fleet resources. With this launch, you can make AWS API calls from an image builder or fleet streaming instance without having to specify the access key or secret access key. For example, you can download an installer from Amazon S3, execute an AWS Lambda function, or upload logs to an S3 bucket within your account without storing credentials on the image. AppStream 2.0 manages the credentials for you, and periodically rotates them on your behalf. To get started, see Using an IAM Role to Grant Permission to Applications and Scripts Running on AppStream 2.0 Streaming Instances in the AppStream 2.0 Administration Guide.
from Recent Announcements https://aws.amazon.com/about-aws/whats-new/2019/09/amazon-appstream-2-enables-iam-role-support-for-image-builders-and-fleets/