IAM roles define whether an AWS service can access another AWS service. For example, a role can define whether an EC2 instance or a Lambda function can access S3, SNS or other services. It can also provide read-only or full access to the required service.
To allow a Lambda function to access an S3 bucket, a role needs to be set up first to allow access. To create a role, open the AWS console and go to IAM from the services section. Then click Roles in the left menu.
Then click "Create new Role" in the top options.
Then, from the "AWS Service Roles" section, select Lambda and click "Select".
On the next screen, a long list of policies is available to select from. Filter the list by typing in "amazons3". This shows only the S3-related policies.
Click "Next Step", where the name and description of the role can be defined. The policies can be viewed and edited as well.
Then click "Create role" to create the role. Once the role has been created, it can be used immediately from the Lambda function.
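The role produced by the steps above consists of two JSON documents: a trust policy naming Lambda as the service allowed to assume the role, and a permissions policy for S3. The following is an added example, not part of the original page: it builds both documents with read-only access scoped to one bucket and flags statements that grant S3 write access or cover every bucket. The function names, the bucket name `example-bucket` and the `BROAD_POLICY` sample are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putbucketpolicy")

def lambda_trust_policy():
    """Trust policy: lets the Lambda service assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def s3_read_only_policy(bucket):
    """Permissions policy: read access to a single bucket only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_s3_findings(policy):
    """Return (statement index, issue) pairs for Allow statements that grant
    S3 write access or apply to every bucket."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        touches_s3 = any(a == "*" or a.lower().startswith("s3:") for a in actions)
        if stmt.get("Effect") != "Allow" or not touches_s3:
            continue
        for action in actions:
            # IAM action names are case-insensitive and may contain wildcards.
            if any(fnmatchcase(w, action.lower()) for w in WRITE_ACTIONS):
                findings.append((i, f"write access via {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append((i, f"all buckets via {resource}"))
    return findings

# Constructed sample: a broad statement of the kind a full-access policy grants.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    scoped = s3_read_only_policy("example-bucket")  # hypothetical bucket name
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(scoped, indent=2))
    print(broad_s3_findings(scoped), broad_s3_findings(BROAD_POLICY))
```

Running the same check over a policy before attaching it to the role shows whether the Lambda function would receive more S3 access than it needs.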
Note that an IAM role can have a maximum of 10 policies as of writing this page, and the role can be modified after creation. For example, previously a role had to be associated with an EC2 instance during launch, and once the instance was created further roles could not be added or removed. One way to fix this was to relaunch the EC2 instance with the correct role. The other way to work around the problem was to modify the role with the required policies. However, this may not be a feasible solution if the role is attached to other EC2 instances where different policies are required.