diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index e0e29ee63..e0f8b581c 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -1685,6 +1685,8 @@ section of the configuration.
                - name: debian9
                  cloud-image: debian9
                  instance-type: t3.medium
+                 iam-instance-profile:
+                   arn: arn:aws:iam::123456789012:instance-profile/s3-read-only
                  key-name: zuul
                  tags:
                    key1: value1
@@ -1911,6 +1913,22 @@ section of the configuration.
 
               Name of the flavor to use.
 
+           .. attr:: iam-instance-profile
+              :type: dict
+
+              Used to attach an iam instance profile.
+              Useful for giving access to services without needing any secrets.
+
+              .. attr:: name
+
+                 Name of the instance profile.
+                 Mutually exclusive with :attr:`providers.[aws].pools.labels.iam-instance-profile.arn`
+
+              .. attr:: arn
+
+                 ARN identifier of the profile.
+                 Mutually exclusive with :attr:`providers.[aws].pools.labels.iam-instance-profile.name`
+
            .. attr:: key-name
               :type: string
               :required:
diff --git a/nodepool/driver/aws/config.py b/nodepool/driver/aws/config.py
index d1c4fe5f2..cb586fe8e 100644
--- a/nodepool/driver/aws/config.py
+++ b/nodepool/driver/aws/config.py
@@ -58,6 +58,7 @@ class ProviderLabel(ConfigValue):
         self.volume_size = None
         self.volume_type = None
         self.userdata = None
+        self.iam_instance_profile = None
         # The ProviderPool object that owns this label.
         self.pool = None
         self.tags = None
@@ -74,6 +75,7 @@ class ProviderLabel(ConfigValue):
                     and other.volume_size == self.volume_size
                     and other.volume_type == self.volume_type
                     and other.userdata == self.userdata
+                    and other.iam_instance_profile == self.iam_instance_profile
                     and other.tags == self.tags)
         return False
 
@@ -131,6 +133,7 @@ class ProviderPool(ConfigPool):
             pl.volume_type = label.get('volume-type')
             pl.volume_size = label.get('volume-size')
             pl.userdata = label.get('userdata', None)
+            pl.iam_instance_profile = label.get('iam-instance-profile', None)
             pl.tags = [
                 {
                     "Key": k,
@@ -243,6 +246,10 @@ class AwsProviderConfig(ProviderConfig):
             'volume-type': str,
             'volume-size': int,
             'userdata': str,
+            'iam-instance-profile': {
+                v.Exclusive('name', 'iam_instance_profile_id'): str,
+                v.Exclusive('arn', 'iam_instance_profile_id'): str
+            },
             'tags': dict,
         }
 
diff --git a/nodepool/driver/aws/provider.py b/nodepool/driver/aws/provider.py
index 95a1c7aad..4a19222b1 100644
--- a/nodepool/driver/aws/provider.py
+++ b/nodepool/driver/aws/provider.py
@@ -193,6 +193,16 @@ class AwsProvider(Provider):
         if label.userdata:
             args['UserData'] = label.userdata
 
+        if label.iam_instance_profile:
+            if 'name' in label.iam_instance_profile:
+                args['IamInstanceProfile'] = {
+                    'Name': label.iam_instance_profile['name']
+                }
+            elif 'arn' in label.iam_instance_profile:
+                args['IamInstanceProfile'] = {
+                    'Arn': label.iam_instance_profile['arn']
+                }
+
         # Default block device mapping parameters are embedded in AMIs.
         # We might need to supply our own mapping before lauching the instance.
         # We basically want to make sure DeleteOnTermination is true and be
diff --git a/nodepool/tests/fixtures/aws.yaml b/nodepool/tests/fixtures/aws.yaml
index 376c230d9..2088026ea 100644
--- a/nodepool/tests/fixtures/aws.yaml
+++ b/nodepool/tests/fixtures/aws.yaml
@@ -13,6 +13,8 @@ labels:
   - name: ubuntu1404-non-host-key-checking
   - name: ubuntu1404-private-ip
   - name: ubuntu1404-userdata
+  - name: ubuntu1404-iam-instance-profile-name
+  - name: ubuntu1404-iam-instance-profile-arn
   - name: ubuntu1404-with-tags
   - name: ubuntu1404-with-name-tag
 
@@ -93,6 +95,18 @@ providers:
             instance-type: t3.medium
             key-name: zuul
             userdata: fake-user-data
+          - name: ubuntu1404-iam-instance-profile-name
+            cloud-image: ubuntu1404
+            instance-type: t3.medium
+            key-name: zuul
+            iam-instance-profile:
+              name: not-a-real-profile
+          - name: ubuntu1404-iam-instance-profile-arn
+            cloud-image: ubuntu1404
+            instance-type: t3.medium
+            key-name: zuul
+            iam-instance-profile:
+              arn: arn:aws:iam::123456789012:instance-profile/not-a-real-profile
       - name: non-host-key-checking
         max-servers: 1
         subnet-id: null
diff --git a/nodepool/tests/unit/test_driver_aws.py b/nodepool/tests/unit/test_driver_aws.py
index d1b28bac7..511e4d49f 100644
--- a/nodepool/tests/unit/test_driver_aws.py
+++ b/nodepool/tests/unit/test_driver_aws.py
@@ -221,6 +221,14 @@ class TestDriverAws(tests.DBTestCase):
         self._test_ec2_machine('ubuntu1404-userdata',
                                userdata=True)
 
+    # Note(avass): moto does not yet support attaching an instance profile
+    # but these two at least tests to make sure that the instances 'starts'
+    def test_ec2_machine_iam_instance_profile_name(self):
+        self._test_ec2_machine('ubuntu1404-iam-instance-profile-name')
+
+    def test_ec2_machine_iam_instance_profile_arn(self):
+        self._test_ec2_machine('ubuntu1404-iam-instance-profile-arn')
+
     def test_ec2_machine_private_ip(self):
         self._test_ec2_machine('ubuntu1404-private-ip',
                                public_ip=False)