How on earth does this solve the problem of hardcoded AWS API keys? Well, something really interesting happens when you assign a role to an EC2 instance. The metadata for that instance will return a set of short-lived API keys. You can retrieve these keys by sending an HTTP request to the metadata URL (this is a service EC2 instances can use to fetch information about themselves):
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role name>
The output of a curl request to this URL will look something like this:
{ "Code" : "Success", "LastUpdated" : "2017-02-17T11:14:23Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AAAAAAAAAAAAAAAAAAAA", "SecretAccessKey" : "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz", "Token" ...