diff --git a/modules/aws/iam/main.tf b/modules/aws/iam/main.tf
new file mode 100644
index 00000000000..e825f331afd
--- /dev/null
+++ b/modules/aws/iam/main.tf
@@ -0,0 +1,80 @@
+locals {
+  arn = "aws"
+}
+
+resource "aws_iam_instance_profile" "worker" {
+  name = "${var.cluster_name}-worker-profile"
+
+  role = "${var.worker_iam_role == "" ?
+    join("|", aws_iam_role.worker_role.*.name) :
+    join("|", data.aws_iam_role.worker_role.*.name)
+  }"
+}
+
+data "aws_iam_role" "worker_role" {
+  count = "${var.worker_iam_role == "" ? 0 : 1}"
+  name  = "${var.worker_iam_role}"
+}
+
+resource "aws_iam_role" "worker_role" {
+  count = "${var.worker_iam_role == "" ? 1 : 0}"
+  name  = "${var.cluster_name}-worker-role"
+  path  = "/"
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+                "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "worker_policy" {
+  count = "${var.worker_iam_role == "" ? 1 : 0}"
+  name  = "${var.cluster_name}_worker_policy"
+  role  = "${aws_iam_role.worker_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "ec2:Describe*",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "ec2:AttachVolume",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "ec2:DetachVolume",
+      "Resource": "*"
+    },
+    {
+      "Action": "elasticloadbalancing:*",
+      "Resource": "*",
+      "Effect": "Allow"
+    },
+    {
+      "Action" : [
+        "s3:GetObject"
+      ],
+      "Resource": "arn:${local.arn}:s3:::*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
diff --git a/modules/aws/iam/variables.tf b/modules/aws/iam/variables.tf
new file mode 100644
index 00000000000..35972d48025
--- /dev/null
+++ b/modules/aws/iam/variables.tf
@@ -0,0 +1,5 @@
+variable "worker_iam_role" {
+  type        = "string"
+  default     = ""
+  description = "IAM role to use for the instance profiles of worker nodes."
+}
diff --git a/steps/infra/aws/main.tf b/steps/infra/aws/main.tf
index 7dfa160ad9a..e1522c55535 100644
--- a/steps/infra/aws/main.tf
+++ b/steps/infra/aws/main.tf
@@ -41,6 +41,12 @@ module "masters" {
   user_data_igns      = "${var.tectonic_ignition_masters}"
 }
 
+module "iam" {
+  source = "../../../modules/aws/iam"
+
+  worker_iam_role  = "${var.tectonic_aws_worker_iam_role_name}"
+}
+
 module "dns" {
   source = "../../../modules/dns/route53"