diff --git a/data/data/aws/bootstrap/main.tf b/data/data/aws/bootstrap/main.tf
index defcf71635c..89dacb91a92 100644
--- a/data/data/aws/bootstrap/main.tf
+++ b/data/data/aws/bootstrap/main.tf
@@ -46,10 +46,12 @@ resource "aws_s3_bucket_object" "ignition" {
 resource "aws_iam_instance_profile" "bootstrap" {
   name = "${var.cluster_id}-bootstrap-profile"
 
-  role = aws_iam_role.bootstrap.name
+  role = var.iam_role_name != "" ? var.iam_role_name : aws_iam_role.bootstrap[0].name
 }
 
 resource "aws_iam_role" "bootstrap" {
+  count = var.iam_role_name == "" ? 1 : 0
+
   name = "${var.cluster_id}-bootstrap-role"
   path = "/"
 
@@ -78,8 +80,9 @@ EOF
 }
 
 resource "aws_iam_role_policy" "bootstrap" {
+  count = var.iam_role_name == "" ? 1 : 0
   name = "${var.cluster_id}-bootstrap-policy"
-  role = aws_iam_role.bootstrap.id
+  role = aws_iam_role.bootstrap[0].id
 
   policy = <<EOF
 {
@@ -103,7 +106,6 @@ resource "aws_iam_role_policy" "bootstrap" {
   ]
 }
 EOF
-
 }
 
 resource "aws_instance" "bootstrap" {
diff --git a/data/data/aws/bootstrap/variables.tf b/data/data/aws/bootstrap/variables.tf
index 346979da4e0..aa45c85bb15 100644
--- a/data/data/aws/bootstrap/variables.tf
+++ b/data/data/aws/bootstrap/variables.tf
@@ -96,3 +96,8 @@ variable "publish_strategy" {
   type = string
   description = "The publishing strategy for endpoints like load balancers"
 }
+
+variable "iam_role_name" {
+  type = string
+  description = "The name of the existing role to use for the instance profile"
+}
diff --git a/data/data/aws/iam/main.tf b/data/data/aws/iam/main.tf
index f4368c4d5a8..1b349af5d29 100644
--- a/data/data/aws/iam/main.tf
+++ b/data/data/aws/iam/main.tf
@@ -7,12 +7,13 @@ data "aws_partition" "current" {}
 resource "aws_iam_instance_profile" "worker" {
   name = "${var.cluster_id}-worker-profile"
 
-  role = aws_iam_role.worker_role.name
+  role = var.worker_iam_role_name != "" ? var.worker_iam_role_name : aws_iam_role.worker_role[0].name
 }
 
 resource "aws_iam_role" "worker_role" {
-  name = "${var.cluster_id}-worker-role"
-  path = "/"
+  count = var.worker_iam_role_name == "" ? 1 : 0
+  name  = "${var.cluster_id}-worker-role"
+  path  = "/"
 
   assume_role_policy = <<EOF
 {
@@ -46,8 +47,9 @@ resource "aws_iam_role_policy" "worker_policy" {
   // clusters.
   // Please see: docs/dev/aws/iam_permissions.md
 
+  count = var.worker_iam_role_name == "" ? 1 : 0
   name = "${var.cluster_id}-worker-policy"
-  role = aws_iam_role.worker_role.id
+  role = aws_iam_role.worker_role[0].id
 
   policy = <<EOF
 {
diff --git a/data/data/aws/iam/variables.tf b/data/data/aws/iam/variables.tf
index 8f45376176e..afbd256ab7e 100644
--- a/data/data/aws/iam/variables.tf
+++ b/data/data/aws/iam/variables.tf
@@ -8,3 +8,7 @@ variable "tags" {
   description = "AWS tags to be applied to created resources."
 }
 
+variable "worker_iam_role_name" {
+  type        = string
+  description = "The name of the existing role to use for the instance profile for workers"
+}
diff --git a/data/data/aws/main.tf b/data/data/aws/main.tf
index 0ae8824dfde..6db04c0f6c5 100644
--- a/data/data/aws/main.tf
+++ b/data/data/aws/main.tf
@@ -40,6 +40,7 @@ module "bootstrap" {
   vpc_security_group_ids   = [module.vpc.master_sg_id]
   volume_kms_key_id        = var.aws_master_root_volume_kms_key_id
   publish_strategy         = var.aws_publish_strategy
+  iam_role_name            = var.aws_master_iam_role_name
 
   tags = local.tags
 }
@@ -66,12 +67,14 @@ module "masters" {
   ec2_ami                  = var.aws_region == var.aws_ami_region ? var.aws_ami : aws_ami_copy.imported[0].id
   user_data_ign            = var.ignition_master
   publish_strategy         = var.aws_publish_strategy
+  iam_role_name            = var.aws_master_iam_role_name
 }
 
 module "iam" {
   source = "./iam"
 
-  cluster_id = var.cluster_id
+  cluster_id           = var.cluster_id
+  worker_iam_role_name = var.aws_worker_iam_role_name
 
   tags = local.tags
 }
diff --git a/data/data/aws/master/main.tf b/data/data/aws/master/main.tf
index 750f23d1af3..f106e88c254 100644
--- a/data/data/aws/master/main.tf
+++ b/data/data/aws/master/main.tf
@@ -12,10 +12,11 @@ data "aws_ebs_default_kms_key" "current" {}
 resource "aws_iam_instance_profile" "master" {
   name = "${var.cluster_id}-master-profile"
 
-  role = aws_iam_role.master_role.name
+  role = var.iam_role_name != "" ? var.iam_role_name : aws_iam_role.master_role[0].name
 }
 
 resource "aws_iam_role" "master_role" {
+  count       = var.iam_role_name == "" ? 1 : 0
   name        = "${var.cluster_id}-master-role"
   path        = "/"
   description = local.description
@@ -52,8 +53,9 @@ resource "aws_iam_role_policy" "master_policy" {
   // clusters.
   // Please see: docs/dev/aws/iam_permissions.md
 
+  count = var.iam_role_name == "" ? 1 : 0
   name = "${var.cluster_id}-master-policy"
-  role = aws_iam_role.master_role.id
+  role = aws_iam_role.master_role[0].id
 
   policy = <<EOF
 {
diff --git a/data/data/aws/master/variables.tf b/data/data/aws/master/variables.tf
index a18f3cd899b..27495d83aa9 100644
--- a/data/data/aws/master/variables.tf
+++ b/data/data/aws/master/variables.tf
@@ -90,3 +90,8 @@ and therefore are force to implicitly assume that the list is of aws_lb_target_g
 helps to decide if the target_group_arns is of length (target_group_arns_length) or (target_group_arns_length - 1)
 EOF
 }
+
+variable "iam_role_name" {
+  type = string
+  description = "The name of the existing role to use for the instance profile"
+}
diff --git a/data/data/aws/variables-aws.tf b/data/data/aws/variables-aws.tf
index 09ef2499ae9..a7e50cb4eed 100644
--- a/data/data/aws/variables-aws.tf
+++ b/data/data/aws/variables-aws.tf
@@ -148,3 +148,15 @@ The stub Ignition config that should be used to boot the bootstrap instance. Thi
 specified in aws_ignition_bucket.
 EOF
 }
+
+variable "aws_master_iam_role_name" {
+  type = string
+  description = "The name of the IAM role that will be attached to master instances."
+  default = ""
+}
+
+variable "aws_worker_iam_role_name" {
+  type = string
+  description = "The name of the IAM role that will be attached to worker instances."
+  default = ""
+}
\ No newline at end of file
diff --git a/data/data/install.openshift.io_installconfigs.yaml b/data/data/install.openshift.io_installconfigs.yaml
index de13ea571f9..a59101171cf 100644
--- a/data/data/install.openshift.io_installconfigs.yaml
+++ b/data/data/install.openshift.io_installconfigs.yaml
@@ -86,6 +86,11 @@ spec:
                             the ec2 instance. If set, the AMI should belong to the
                             same region as the cluster.
                           type: string
+                        iamRole:
+                          description: IAMRole is the name of the IAM Role to use
+                            for the instance profile of the machine. Leave unset to
+                            have the installer create the IAM Role on your behalf.
+                          type: string
                         rootVolume:
                           description: EC2RootVolume defines the root volume for EC2
                             instances in the machine pool.
@@ -439,6 +444,11 @@ spec:
                           the ec2 instance. If set, the AMI should belong to the same
                           region as the cluster.
                         type: string
+                      iamRole:
+                        description: IAMRole is the name of the IAM Role to use for
+                          the instance profile of the machine. Leave unset to have
+                          the installer create the IAM Role on your behalf.
+                        type: string
                       rootVolume:
                         description: EC2RootVolume defines the root volume for EC2
                           instances in the machine pool.
@@ -921,6 +931,11 @@ spec:
                           the ec2 instance. If set, the AMI should belong to the same
                           region as the cluster.
                         type: string
+                      iamRole:
+                        description: IAMRole is the name of the IAM Role to use for
+                          the instance profile of the machine. Leave unset to have
+                          the installer create the IAM Role on your behalf.
+                        type: string
                       rootVolume:
                         description: EC2RootVolume defines the root volume for EC2
                           instances in the machine pool.
diff --git a/pkg/asset/cluster/aws/aws.go b/pkg/asset/cluster/aws/aws.go
index b441707b9f4..2507cd19535 100644
--- a/pkg/asset/cluster/aws/aws.go
+++ b/pkg/asset/cluster/aws/aws.go
@@ -7,6 +7,8 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/pkg/errors"
 
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	"github.com/openshift/installer/pkg/types"
@@ -29,6 +31,19 @@ func Metadata(clusterID, infraID string, config *types.InstallConfig) *awstypes.
 // PreTerraform performs any infrastructure initialization which must
 // happen before Terraform creates the remaining infrastructure.
 func PreTerraform(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
+
+	if err := tagSubnetEC2Instances(ctx, clusterID, installConfig); err != nil {
+		return err
+	}
+
+	if err := tagIamRoles(ctx, clusterID, installConfig); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func tagSubnetEC2Instances(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
 	if len(installConfig.Config.Platform.AWS.Subnets) == 0 {
 		return nil
 	}
@@ -56,21 +71,57 @@ func PreTerraform(ctx context.Context, clusterID string, installConfig *installc
 	if err != nil {
 		return err
 	}
+	key, value := sharedTag(clusterID)
+	ec2Tags := []*ec2.Tag{{Key: &key, Value: &value}}
+	ec2Client := ec2.New(session, aws.NewConfig().WithRegion(installConfig.Config.Platform.AWS.Region))
 
-	tags := []*ec2.Tag{
-		{
-			Key:   aws.String(fmt.Sprintf("kubernetes.io/cluster/%s", clusterID)),
-			Value: aws.String("shared"),
-		},
-	}
-	client := ec2.New(session, aws.NewConfig().WithRegion(installConfig.Config.Platform.AWS.Region))
-
-	if _, err = client.CreateTagsWithContext(ctx, &ec2.CreateTagsInput{
+	if _, err = ec2Client.CreateTagsWithContext(ctx, &ec2.CreateTagsInput{
 		Resources: ids,
-		Tags:      tags,
+		Tags:      ec2Tags,
 	}); err != nil {
 		return err
 	}
 
 	return nil
 }
+
+func tagIamRoles(ctx context.Context, clusterID string, installConfig *installconfig.InstallConfig) error {
+	workerMachinePool := installConfig.Config.WorkerMachinePool()
+
+	var iamRoleNames []*string
+
+	if installConfig.Config.ControlPlane.Platform.AWS.IAMRole != "" {
+		iamRoleNames = append(iamRoleNames, &installConfig.Config.ControlPlane.Platform.AWS.IAMRole)
+	}
+
+	if workerMachinePool.Platform.AWS.IAMRole != "" {
+		iamRoleNames = append(iamRoleNames, &workerMachinePool.Platform.AWS.IAMRole)
+	}
+
+	if len(iamRoleNames) == 0 {
+		return nil
+	}
+
+	session, err := installConfig.AWS.Session(ctx)
+	if err != nil {
+		return err
+	}
+	key, value := sharedTag(clusterID)
+	iamTags := []*iam.Tag{{Key: &key, Value: &value}}
+	iamClient := iam.New(session, aws.NewConfig().WithRegion(installConfig.Config.Platform.AWS.Region))
+
+	for _, iamRoleName := range iamRoleNames {
+		if _, err := iamClient.TagRoleWithContext(ctx, &iam.TagRoleInput{
+			RoleName: iamRoleName,
+			Tags:     iamTags,
+		}); err != nil {
+			return errors.Wrapf(err, "could not tag %s role", *iamRoleName)
+		}
+	}
+
+	return nil
+}
+
+func sharedTag(clusterID string) (string, string) {
+	return fmt.Sprintf("kubernetes.io/cluster/%s", clusterID), "shared"
+}
diff --git a/pkg/asset/cluster/tfvars.go b/pkg/asset/cluster/tfvars.go
index e50b4a312aa..611267d3e14 100644
--- a/pkg/asset/cluster/tfvars.go
+++ b/pkg/asset/cluster/tfvars.go
@@ -234,6 +234,18 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 		if len(osImage) == 2 {
 			osImageRegion = osImage[1]
 		}
+
+		workerMachinePool := installConfig.Config.WorkerMachinePool()
+		workerIAMRoleName := ""
+		if workerMachinePool.Platform.AWS != nil {
+			workerIAMRoleName = workerMachinePool.Platform.AWS.IAMRole
+		}
+
+		masterIAMRoleName := ""
+		if installConfig.Config.ControlPlane.Platform.AWS != nil {
+			masterIAMRoleName = installConfig.Config.ControlPlane.Platform.AWS.IAMRole
+		}
+
 		data, err := awstfvars.TFVars(awstfvars.TFVarsSources{
 			VPC:                   vpc,
 			PrivateSubnets:        privateSubnets,
@@ -247,6 +259,8 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 			IgnitionBucket:        bucket,
 			IgnitionPresignedURL:  url,
 			AdditionalTrustBundle: installConfig.Config.AdditionalTrustBundle,
+			MasterIAMRoleName:     masterIAMRoleName,
+			WorkerIAMRoleName:     workerIAMRoleName,
 		})
 		if err != nil {
 			return errors.Wrapf(err, "failed to get %s Terraform variables", platform)
diff --git a/pkg/explain/printer_test.go b/pkg/explain/printer_test.go
index 7dca14cee03..96dc509b637 100644
--- a/pkg/explain/printer_test.go
+++ b/pkg/explain/printer_test.go
@@ -217,7 +217,7 @@ VERSION:  v1
 
 RESOURCE: <object>
   InstallConfig is the configuration for an OpenShift install.
-`,
+		`,
 	}, {
 		path: []string{"publish"},
 		desc: `
@@ -226,7 +226,7 @@ VERSION:  v1
 
 RESOURCE: <string>
   Publish controls how the user facing endpoints of the cluster like the Kubernetes API, OpenShift routes etc. are exposed. When no strategy is specified, the strategy is "External".
-`,
+		`,
 	}, {
 		path: []string{"platform"},
 		desc: `
@@ -235,7 +235,7 @@ VERSION:  v1
 
 RESOURCE: <object>
   Platform is the configuration for the specific platform upon which to perform the installation.
-`,
+		`,
 	}, {
 		path: []string{"platform", "aws"},
 		desc: `
@@ -244,7 +244,7 @@ VERSION:  v1
 
 RESOURCE: <object>
   AWS is the configuration used when installing on AWS.
-`,
+		`,
 	}, {
 		path: []string{"platform", "azure"},
 		desc: `
@@ -252,8 +252,8 @@ KIND:     InstallConfig
 VERSION:  v1
 
 RESOURCE: <object>
-  Azure is the configuration used when installing on Azure.    
-`,
+  Azure is the configuration used when installing on Azure.
+		`,
 	}, {
 		path: []string{"platform", "aws", "region"},
 		desc: `
@@ -261,8 +261,8 @@ KIND:     InstallConfig
 VERSION:  v1
 
 RESOURCE: <string>
-  Region specifies the AWS region where the cluster will be created.    
-`,
+  Region specifies the AWS region where the cluster will be created.
+		`,
 	}, {
 		path: []string{"platform", "aws", "subnets"},
 		desc: `
@@ -270,8 +270,8 @@ KIND:     InstallConfig
 VERSION:  v1
 
 RESOURCE: <[]string>
-  Subnets specifies existing subnets (by ID) where cluster resources will be created.  Leave unset to have the installer create subnets in a new VPC on your behalf.    
-`,
+  Subnets specifies existing subnets (by ID) where cluster resources will be created.  Leave unset to have the installer create subnets in a new VPC on your behalf.
+		`,
 	}, {
 		path: []string{"platform", "aws", "userTags"},
 		desc: `
@@ -279,8 +279,8 @@ KIND:     InstallConfig
 VERSION:  v1
 
 RESOURCE: <object>
-  UserTags additional keys and values that the installer will add as tags to all resources that it creates. Resources created by the cluster itself may not include these tags.    
-`,
+  UserTags additional keys and values that the installer will add as tags to all resources that it creates. Resources created by the cluster itself may not include these tags.
+		`,
 	}, {
 		path: []string{"platform", "aws", "serviceEndpoints"},
 		desc: `
@@ -288,8 +288,8 @@ KIND:     InstallConfig
 VERSION:  v1
 
 RESOURCE: <[]object>
-  ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.    
-`,
+  ServiceEndpoints list contains custom endpoints which will override default service endpoint of AWS Services. There must be only one ServiceEndpoint for a service.
+		`,
 	}, {
 		path: []string{"platform", "aws", "serviceEndpoints", "url"},
 		desc: `
@@ -298,7 +298,34 @@ VERSION:  v1
 
 RESOURCE: <string>
   URL is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty.
-`,
+		`,
+	}, {
+		path: []string{"compute", "platform", "aws", "iamRole"},
+		desc: `
+KIND:     InstallConfig
+VERSION:  v1
+
+RESOURCE: <string>
+  IAMRole is the name of the IAM Role to use for the instance profile of the machine. Leave unset to have the installer create the IAM Role on your behalf.
+	`,
+	}, {
+		path: []string{"controlPlane", "platform", "aws", "iamRole"},
+		desc: `
+KIND:     InstallConfig
+VERSION:  v1
+
+RESOURCE: <string>
+  IAMRole is the name of the IAM Role to use for the instance profile of the machine. Leave unset to have the installer create the IAM Role on your behalf.
+	`,
+	}, {
+		path: []string{"platform", "aws", "defaultMachinePlatform", "iamRole"},
+		desc: `
+KIND:     InstallConfig
+VERSION:  v1
+
+RESOURCE: <string>
+  IAMRole is the name of the IAM Role to use for the instance profile of the machine. Leave unset to have the installer create the IAM Role on your behalf.
+	`,
 	}}
 	for _, test := range cases {
 		t.Run("", func(t *testing.T) {
diff --git a/pkg/tfvars/aws/aws.go b/pkg/tfvars/aws/aws.go
index 16ed20cea12..01b7194120d 100644
--- a/pkg/tfvars/aws/aws.go
+++ b/pkg/tfvars/aws/aws.go
@@ -36,6 +36,8 @@ type config struct {
 	SkipRegionCheck         bool              `json:"aws_skip_region_validation"`
 	IgnitionBucket          string            `json:"aws_ignition_bucket"`
 	BootstrapIgnitionStub   string            `json:"aws_bootstrap_stub_ignition"`
+	MasterIAMRoleName       string            `json:"aws_master_iam_role_name,omitempty"`
+	WorkerIAMRoleName       string            `json:"aws_worker_iam_role_name,omitempty"`
 }
 
 // TFVarsSources contains the parameters to be converted into Terraform variables
@@ -53,6 +55,8 @@ type TFVarsSources struct {
 	IgnitionBucket, IgnitionPresignedURL string
 
 	AdditionalTrustBundle string
+
+	MasterIAMRoleName, WorkerIAMRoleName string
 }
 
 // TFVars generates AWS-specific Terraform variables launching the cluster.
@@ -123,6 +127,8 @@ func TFVars(sources TFVarsSources) ([]byte, error) {
 		PublishStrategy:         string(sources.Publish),
 		SkipRegionCheck:         !configaws.IsKnownRegion(masterConfig.Placement.Region),
 		IgnitionBucket:          sources.IgnitionBucket,
+		MasterIAMRoleName:       sources.MasterIAMRoleName,
+		WorkerIAMRoleName:       sources.WorkerIAMRoleName,
 	}
 
 	stubIgn, err := generateIgnitionShim(sources.IgnitionPresignedURL, sources.AdditionalTrustBundle)
diff --git a/pkg/types/aws/machinepool.go b/pkg/types/aws/machinepool.go
index 353e44f173c..ef597a67bbf 100644
--- a/pkg/types/aws/machinepool.go
+++ b/pkg/types/aws/machinepool.go
@@ -24,6 +24,11 @@ type MachinePool struct {
 	//
 	// +optional
 	EC2RootVolume `json:"rootVolume"`
+
+	// IAMRole is the name of the IAM Role to use for the instance profile of the machine.
+	// Leave unset to have the installer create the IAM Role on your behalf.
+	// +optional
+	IAMRole string `json:"iamRole,omitempty"`
 }
 
 // Set sets the values from `required` to `a`.
@@ -56,6 +61,10 @@ func (a *MachinePool) Set(required *MachinePool) {
 	if required.EC2RootVolume.KMSKeyARN != "" {
 		a.EC2RootVolume.KMSKeyARN = required.EC2RootVolume.KMSKeyARN
 	}
+
+	if required.IAMRole != "" {
+		a.IAMRole = required.IAMRole
+	}
 }
 
 // EC2RootVolume defines the storage for an ec2 instance.
diff --git a/pkg/types/installconfig.go b/pkg/types/installconfig.go
index c4bde27fe42..4a7dc88b5e1 100644
--- a/pkg/types/installconfig.go
+++ b/pkg/types/installconfig.go
@@ -22,7 +22,8 @@ const (
 	// InstallConfigVersion is the version supported by this package.
 	// If you bump this, you must also update the list of convertable values in
 	// pkg/types/conversion/installconfig.go
-	InstallConfigVersion = "v1"
+	InstallConfigVersion  = "v1"
+	workerMachinePoolName = "worker"
 )
 
 var (
@@ -351,3 +352,14 @@ type BootstrapInPlace struct {
 	// InstallationDisk is the target disk drive for coreos-installer
 	InstallationDisk string `json:"installationDisk"`
 }
+
+// WorkerMachinePool retrieves the worker MachinePool from InstallConfig.Compute
+func (c *InstallConfig) WorkerMachinePool() *MachinePool {
+	for _, machinePool := range c.Compute {
+		if machinePool.Name == workerMachinePoolName {
+			return &machinePool
+		}
+	}
+
+	return nil
+}