IAM users can sign in to the AWS Management Console for interactive tasks and make programmatic requests to AWS services using the API or CLI. A user in AWS consists of a name, a password to sign in to the AWS Management Console, and up to two access keys that can be used with the API or CLI. An IAM user receives permissions either through membership in a group that has the appropriate permission policies attached or through policies attached directly to the user. You can also clone the permissions of an existing IAM user.
An IAM role is an identity with permission policies that determine what the identity can and cannot do in AWS. An IAM role does not have any password or access keys associated with it. An IAM role is intended to be assumable by anyone who needs it, instead of being associated with one individual. An IAM role can also be assigned to a federated user who signs in using an external identity provider instead of IAM.
When to create an IAM user, not a role
You are the only person who works in your account.
It is possible to work with AWS using the root user credentials for your AWS account, though AWS does not recommend this. Instead, create an IAM user for yourself and use that user's credentials when you work with the AWS Management Console.
Your group members need to work in your AWS account, and the group is not using any other identity mechanism.
An IAM user can be created for each individual who needs access to your AWS resources. Then assign the appropriate permissions to each user and provide each user with his or her own credentials.
When to create an IAM role, not a user
Create an IAM role and attach it to the EC2 instance to give temporary security credentials to the applications running on that instance. When an application uses these credentials, it can perform every operation allowed by the policies attached to the role.
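The following is an added example, not code from the original article or from AWS: it builds the trust policy that lets the EC2 service assume an instance role, and it tells apart the temporary credentials such a role hands to an application (session token plus expiration, as returned by the instance metadata service) from a long-lived IAM user access key. The credential documents are constructed samples with placeholder values; the "ASIA"/"AKIA" key prefixes are the ones AWS uses for temporary and long-term keys respectively.

```python
import json
from datetime import datetime

def ec2_trust_policy() -> dict:
    """Trust policy for an instance role: only the EC2 service may assume it.
    This is the standard form AWS expects for a role attached to an instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

# Constructed sample in the layout the instance metadata service returns for
# a role's credentials; key, secret and token values are placeholders.
ROLE_CREDS = json.loads("""{
  "Code": "Success",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
  "SecretAccessKey": "placeholder-secret",
  "Token": "placeholder-session-token",
  "Expiration": "2024-05-01T12:00:00Z"
}""")

# Constructed sample of an IAM user's long-lived key pair (placeholder values).
USER_CREDS = {"AccessKeyId": "AKIAEXAMPLEPLACEHOLDER", "SecretAccessKey": "placeholder-secret"}

def credential_kind(creds: dict) -> str:
    """Classify a credential set: temporary role credentials carry an ASIA key,
    a session token and an expiration; a long-lived user key starts with AKIA
    and has neither. Anything else is reported as unknown rather than guessed."""
    key = creds.get("AccessKeyId", "")
    if key.startswith("ASIA") and creds.get("Token") and creds.get("Expiration"):
        return "temporary-role"
    if key.startswith("AKIA") and "Token" not in creds:
        return "long-lived-user"
    return "unknown"

def seconds_until_expiry(creds: dict, now_iso: str) -> int:
    """Seconds left before temporary credentials stop working. IMDS timestamps
    are ISO-8601 UTC with a trailing 'Z', which fromisoformat needs as +00:00."""
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return int((to_dt(creds["Expiration"]) - to_dt(now_iso)).total_seconds())

if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(credential_kind(ROLE_CREDS), credential_kind(USER_CREDS))
    print(seconds_until_expiry(ROLE_CREDS, "2024-05-01T11:00:00Z"))
```

An application on the instance should refresh before the expiry reaches zero; a long-lived key found in instance configuration is the pattern this page's role recommendation is meant to replace.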