diff --git a/README.md b/README.md
index a0b868b..34c6eab 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,22 @@ AWS_ACCESS_KEY_ID
 AWS_SECRET_ACCESS_KEY
 ```
 
+If `instanceProfile` parameter is passed, the aws-sdk will be initialised using the instance's profile and use them for your invalidation job. You will need to ensure that the instance role has enough privileges(cloudfront access).
+
+Then in the jobs options:
+```javascript
+grunt.initConfig({
+  cloudfront: {
+    options: {
+      region:'us-east-1', // your AWS region
+      distributionId:"YOUR_DISTRIBUTION_ID", // DistributionID where files are stored
+      instanceProfile: true,
+      listInvalidations:true,
+      listDistributions:false,
+      version:"1.0"
+    }
+  }
+```
 
 You can also store them in a git ignored credential file and pass them as options to the grunt job:
 
diff --git a/tasks/grunt-cloudfront.js b/tasks/grunt-cloudfront.js
index ae26e83..6ac2ec5 100644
--- a/tasks/grunt-cloudfront.js
+++ b/tasks/grunt-cloudfront.js
@@ -24,6 +24,8 @@ module.exports = function(grunt) {
 
     if (options.awsProfile){
       creds = new AWS.SharedIniFileCredentials({profile: options.awsProfile});
+    }else if(options.instanceProfile) {
+      creds = new AWS.EC2MetadataCredentials();
     }else {
       creds = {
         accessKeyId: (process.env.AWS_ACCESS_KEY_ID || options.credentials.accessKeyId),