I am taking my experience from the Splunk Add on for AWS....
As you have stated it looks like your plugin allows it is assume a role via the instance profile, the ability to add additional roles to the plugin from the same AWS account would allow use to setup roles in other AWS accounts with cross account access which would enable access to the account without having to manage access keys and secrets.
Hope that helps.
Sure, to check the permissions to assume the role it should follow the current chain of authentication right? I mean, if the input has KEY+SECRET it should try to assume the role using them, if not, try it with the instance profile.
If this is correct, I can help with the implementation as soon some maintaineer appears by here to agree with this
@joschi What do you think?