You wouldn't assign an IAM user to an application, typically you use an IAM Role.
To understand the difference, let us go through the IAM basics.
IAM controls: Who (authentication) can do What (authorization) **in your AWS account**.
Authentication (who) with IAM is done with users/groups and roles, whereas authorization (what) is done by policies.
Here are the terms:
- User - an end user; think about people
- Groups - a set of users under one set of permissions (policies)
- Roles - are used to grant specific permissions to specific actors for a set duration of time. These actors can be **authenticated by AWS or some trusted external system.**
Users and roles use policies for authorization. Keep in mind that a user or role can't do anything until you allow certain actions with a policy.
Answer the following questions and you will differentiate between a user and a role:
- Can have a password? Yes -> user, No -> role
- Can have an access key? Yes -> user, No -> role
- Can belong to a group? Yes -> user, No -> role
- Can be associated with AWS resources (for example EC2 instances)? No -> user, Yes -> role
AWS supports 3 role types for different scenarios:
- AWS service roles (for example: EC2, Lambda, Redshift, ...)
- Cross-Account Access: granting permissions to users from other AWS accounts, whether you control those accounts or not.
- Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation:
  - Web-based identity such as Facebook, Google - IAM supports integration via OpenID Connect
  - SAML 2.0 identity such as Active Directory, LDAP.
To understand what a role is, you need to read its use cases. I don't want to reinvent the wheel, so please read the following AWS documents:
https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
Hope it helps.
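As an added illustration, not part of the answer above: the three role types differ in who the role's trust policy lets assume it. The Python below builds one constructed trust policy per type (account IDs and provider names are placeholders) and classifies a policy while flagging weak trust settings such as a wildcard principal or a cross-account trust without an external ID.

```python
# Constructed sample trust policies, one per role type in the answer above.
# Account IDs and provider names are placeholders, not real identifiers.
SERVICE_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
CROSS_ACCOUNT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
WEB_IDENTITY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"accounts.google.com:aud": "example-client-id"}}}]}
SAML = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/ExampleIdP"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}
# Weak variant: any AWS principal may assume the role, with no condition at all.
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def classify_trust(policy):
    """Return (sorted role types, findings) for one trust policy document."""
    types, findings = set(), []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):  # a bare "*" means everyone
            principal = {"AWS": principal}
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = st.get("Condition", {})
        if "Service" in principal:
            types.add("service")  # AWS service role (EC2, Lambda, ...)
        if "AWS" in principal:
            types.add("cross-account")  # an account, user or role principal
            if principal["AWS"] == "*":
                findings.append("wildcard AWS principal: any account may assume")
            elif not any("sts:ExternalId" in v for v in cond.values()):
                findings.append("cross-account trust without sts:ExternalId")
        if "Federated" in principal:
            types.add("saml" if "sts:AssumeRoleWithSAML" in actions else "web-identity")
            if not cond:
                findings.append("federated trust without audience/subject condition")
    return sorted(types), findings
```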