An enabling feature of the Amazon, Google, and other cloud APIs is that IAM roles can be assigned to, and inherited by, devices. This makes it possible for a device provisioned through UserData to provision more devices (including storage or networking) or to activate other related API features.
While these devices could instead be provisioned with a token that allows such behaviour, that token must then be maintained. IAM roles (default service accounts) give chosen devices true robot access to the authorized actions of the API. These devices need no further API token grants, revocation, or rotation. The identity of the node is known to the API service, which can therefore authorize the machine to make API calls, acting with the roles afforded to that machine's service account.
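Because such a machine identity authorizes itself without any token to revoke, the policy attached to its role is the only thing bounding what it can provision. The following is an added example, not code from the page or from any provider's SDK: a simplified IAM-style evaluator (explicit Deny wins, then Allow, otherwise implicit deny; conditions and NotAction are not modelled) run over two constructed policy documents, one scoped to attaching storage and one over-broad, plus a check that flags whole-service grants.

```python
import fnmatch
import json

# Constructed sample policy (not from any real account): an instance role that
# may attach and inspect volumes but is explicitly denied launching further
# instances or touching IAM.
INSTANCE_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DescribeVolumes"],
   "Resource": "*"},
  {"Effect": "Deny", "Action": ["iam:*", "ec2:RunInstances"], "Resource": "*"}]}
""")

# Constructed over-broad policy for comparison: every EC2 action on everything.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM action names are case-insensitive and support '*' / '?' wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow,
    otherwise implicit deny. Conditions and NotAction are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def overbroad_statements(policy):
    """Indexes of Allow statements granting a whole service ('svc:*' or '*') on
    every resource; such grants turn a robot identity into a general-purpose key."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        if (stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"])
                and any(a == "*" or a.endswith(":*") for a in actions)):
            findings.append(i)
    return findings
```

Running `overbroad_statements` over every role attached to an instance profile or default service account is a cheap way to catch roles that let a single provisioned node grow the fleet without limit.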