diff --git a/attributes/default.rb b/attributes/default.rb
index 36fbd15..1536c8d 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -3,6 +3,7 @@
 default[:ebs][:creds][:aki] = "aws_access_key_id"
 default[:ebs][:creds][:sak] = "aws_secret_access_key"
 default[:ebs][:creds][:encrypted] = true
+default[:ebs][:creds][:iam_roles] = false
 default[:ebs][:volumes] = {}
 default[:ebs][:raids] = {}
 default[:ebs][:mdadm_chunk_size] = '256'
@@ -10,6 +11,7 @@
 default[:ebs][:initrd_md5] = ''
+
 if BlockDevice.on_kvm? && ebs[:devices]
   Chef::Log.info("Running on QEMU/KVM: Need to translate device names as KVM allocates them regardless of the given device ID")
   ebs_devices = {}
diff --git a/metadata.rb b/metadata.rb
index 2725a4e..400348e 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -11,5 +11,5 @@
 recipe "ebs::raids", "Mounts attached EBS RAIDs"
 recipe "ebs::persistent", "Mounts volumes defined in attributes"
-depends 'aws', '>= 0.101.0'
+depends 'aws', '>= 3.3.3'
 depends 'delayed_evaluator'
diff --git a/recipes/persistent.rb b/recipes/persistent.rb
index be15c14..2b222cb 100644
--- a/recipes/persistent.rb
+++ b/recipes/persistent.rb
@@ -6,7 +6,11 @@
 include_recipe "aws"
 # get aws credentials
-aws = data_bag_item(node['ebs']['creds']['databag'], node['ebs']['creds']['item'])
+if !node[:ebs][:creds][:iam_roles]
+  aws = data_bag_item(node['ebs']['creds']['databag'], node['ebs']['creds']['item'])
+else
+  aws = nil
+end
 devices = Dir.glob('/dev/xvd*')
 if devices.empty?
@@ -29,8 +33,8 @@
 next_mount.succ!
 Chef::Log.info("Attaching #{thisvol} to #{mount}")
 aws_ebs_volume mount do
-  aws_access_key aws['aws_access_key_id']
-  aws_secret_access_key aws['aws_secret_access_key']
+  aws_access_key aws['aws_access_key_id'] if aws
+  aws_secret_access_key aws['aws_secret_access_key'] if aws
   device mount
   volume_id thisvol
   action :nothing
diff --git a/recipes/raids.rb b/recipes/raids.rb
index 4963a58..85e9f61 100644
--- a/recipes/raids.rb
+++ b/recipes/raids.rb
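Review bot: The new `iam_roles` default in the first hunk is added without a comment saying what turning it on changes, and its effect is only visible in the recipe hunks of this commit (the data bag credential lookup is skipped and no keys are passed to `aws_ebs_volume`). A one-line comment above it would save the next reader that search: `# true: do not read AWS keys from the creds data bag; aws_ebs_volume is then called without explicit credentials (presumably the instance's IAM role supplies them)`. Note also that recipes/volumes.rb in this commit reads `node[:ebs][:volume][:encryption]` and `node[:ebs][:volume][:kms_key_id]`, and no default for that `volume` namespace is added in this attributes file; unless it is declared elsewhere, a default such as `default[:ebs][:volume][:encryption] = false` belongs next to these lines.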
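Review bot: The rewritten credential lookup in the first recipes/persistent.rb hunk still uses plain `data_bag_item`, although `default[:ebs][:creds][:encrypted]` is `true` in attributes/default.rb and recipes/volumes.rb branches on that flag to `Chef::EncryptedDataBagItem.load`; unless this recipe is deliberately limited to unencrypted bags, the same branch is needed here, otherwise the encrypted field contents are handed to `aws_ebs_volume` verbatim. The five-line `if/else` can be one assignment: `aws = node[:ebs][:creds][:iam_roles] ? nil : data_bag_item(node['ebs']['creds']['databag'], node['ebs']['creds']['item'])`. The new condition uses symbol keys (`node[:ebs]`) while the call it wraps uses string keys (`node['ebs']`); one convention per file is easier to grep.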
@@ -28,12 +28,14 @@
 next_mount = next_mount.succ
 aws_ebs_volume mount do
-  aws_access_key credentials[node.ebs.creds.aki]
-  aws_secret_access_key credentials[node.ebs.creds.sak]
+  if !node[:ebs][:creds][:iam_roles]
+    aws_access_key credentials[node.ebs.creds.aki]
+    aws_secret_access_key credentials[node.ebs.creds.sak]
+  end
   size options[:disk_size]
   device mount
   availability_zone node[:ec2][:placement_availability_zone]
-  volume_type options[:piops] ? 'io1' : 'standard'
+  volume_type options[:piops] ? 'io1' : options[:gp2] ? 'gp2' : 'standard'
   piops options[:piops]
   action [ :create, :attach ]
 end
diff --git a/recipes/volumes.rb b/recipes/volumes.rb
index f990655..5ec794e 100644
--- a/recipes/volumes.rb
+++ b/recipes/volumes.rb
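Review bot: The guarded `aws_access_key`/`aws_secret_access_key` lines read `credentials`, but the lookup that assigns it sits above line 28, outside this hunk; if that lookup is still unconditional, the data bag (and its secret) is still required when `iam_roles` is true, which is exactly what recipes/volumes.rb in this commit avoids by making its lookup conditional — the same guard is needed here. The new `volume_type` line nests one ternary inside another, which the Ruby style guide rules out and which hides that `:piops` silently wins when both `:piops` and `:gp2` are set; the identical line is added in recipes/volumes.rb. At minimum parenthesise it, `volume_type options[:piops] ? 'io1' : (options[:gp2] ? 'gp2' : 'standard')`, or compute the type in an `if/elsif` local before the resource block. The enclosing loop around `aws_ebs_volume mount do` starts before this hunk.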
@@ -1,30 +1,46 @@
 node[:ebs][:volumes].each do |mount_point, options|
-
+
   # skip volumes that already exist
   next if File.read('/etc/mtab').split("\n").any?{|line| line.match(" #{mount_point} ")}
-
+
   # create ebs volume
-  if !options[:device] && options[:size]
+  if !options[:device]
     if node[:ebs][:creds][:encrypted]
       credentials = Chef::EncryptedDataBagItem.load(node[:ebs][:creds][:databag], node[:ebs][:creds][:item])
     else
-      credentials = data_bag_item node[:ebs][:creds][:databag], node[:ebs][:creds][:item]
+      if !node[:ebs][:creds][:iam_roles]
+        credentials = data_bag_item node[:ebs][:creds][:databag], node[:ebs][:creds][:item]
+      end
     end
     devices = Dir.glob('/dev/xvd?')
     devices = ['/dev/xvdf'] if devices.empty?
     devid = devices.sort.last[-1,1].succ
     device = "/dev/sd#{devid}"
+  else
+    devices = ["#{options[:device]}"]
+    devid = devices.sort.last[-1,1]
+  end
+  device = "/dev/sd#{devid}"
+
+  if options[:size]
     vol = aws_ebs_volume device do
-      aws_access_key credentials[node.ebs.creds.aki]
-      aws_secret_access_key credentials[node.ebs.creds.sak]
+      if !node[:ebs][:creds][:iam_roles]
+        aws_access_key credentials[node.ebs.creds.aki]
+        aws_secret_access_key credentials[node.ebs.creds.sak]
+      end
       size options[:size]
       device device
       availability_zone node[:ec2][:placement_availability_zone]
-      volume_type options[:piops] ? 'io1' : 'standard'
+      volume_type options[:piops] ? 'io1' : options[:gp2] ? 'gp2' : 'standard'
       piops options[:piops]
+      if node[:ebs][:volume][:encryption]
+        encrypted true
+        kms_key_id node[:ebs][:volume][:kms_key_id]
+      end
       action :nothing
+      delete_on_termination options[:delete_on_termination]
     end
     vol.run_action(:create)
     vol.run_action(:attach)
@@ -57,6 +73,7 @@
     device device
     options 'noatime,nobootwait'
     action [:mount, :enable]
+    only_if { device and options.has_key?(:fstype) }
   end
 end
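Review bot: The new `iam_roles` check only guards the unencrypted `else` branch of the credential lookup, so with `encrypted` defaulting to `true` in attributes/default.rb the encrypted data bag and its secret are still loaded even though the keys are then never passed to `aws_ebs_volume`; checking `iam_roles` first and choosing the loader inside that guard fixes both branches. `node[:ebs][:volume][:encryption]` is a new attribute namespace that this commit does not declare in attributes/default.rb, and if `node[:ebs][:volume]` is unset that line raises `NoMethodError` on `nil` before the volume is created, so either add the default or guard it with `node[:ebs][:volume] && node[:ebs][:volume][:encryption]`. On the device side, `devices = ["#{options[:device]}"]` followed by `devices.sort.last[-1,1]` sorts a one-element array to take one character; `devid = options[:device].to_s[-1]` says the same, and `device = "/dev/sd#{devid}"` is now assigned both inside the `if` branch and again after the `end`, so the inner copy can go.
```ruby
  if !options[:device]
    unless node[:ebs][:creds][:iam_roles]
      credentials = if node[:ebs][:creds][:encrypted]
                      Chef::EncryptedDataBagItem.load(node[:ebs][:creds][:databag], node[:ebs][:creds][:item])
                    else
                      data_bag_item node[:ebs][:creds][:databag], node[:ebs][:creds][:item]
                    end
    end
    # … unchanged: device discovery via Dir.glob and devid …
```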
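Review bot: The added `only_if { device and options.has_key?(:fstype) }` uses `and`, whose low precedence is a well-known trap in Ruby, and the legacy `has_key?` alias; write it as `only_if { device && options.key?(:fstype) }`. As far as this commit shows, `device` is now assigned unconditionally in the first hunk of this file, so the `device &&` part is only meaningful if something between the two hunks (lines 31–56, not shown) can reset it; if nothing does, the guard can be just `options.key?(:fstype)`. The `each` block this guard belongs to starts at the top of the file, outside this hunk.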