在ElasticBeanstalk上使用带有NodeJS的EC2凭据

I have a small NodeJS app on ElasticBeanstalk and this communicate with S3 and DynamoDB. Currently I set the access and secret key as environment variable and use them to update the aws.config object. Is this the best practise? It is possible to generate or use credentials based on the service role, so I not need anymore to set credentials into environment variables? So for what I have the service role when I must use credentials from an user to access any service like DynamoDB or S3.I have a small NodeJS app on ElasticBeanstalk a