Tags: amazon-web-services, amazon-cloudfront, amazon-iam

What is the difference between OAI vs IAM 'users' on AWS?


I've been playing around a bit with AWS Cloudfront, and this question came up for me: "What is the difference between OAI vs IAM 'users' on AWS?" What I'm really asking here is: "Why does OAI need to exist, and why can't IAM be used instead?"

I'm sure there must be some major difference and reason for this, but having two different types of 'user' really threw me when trying to debug an issue: i.e. that updating an S3 bucket policy automatically from Cloudfront meant that the OAI ID was put into the policy, and I got it mixed up with the Cloudfront ID because they look so similar!


Solution

  • A CloudFront Origin Access Identity (OAI) is not an IAM user, nor can it be used as such. An OAI is simply an identity that can be assigned to a CloudFront distribution to be used to identify requests to an S3 origin. The S3 origin bucket can then use the OAI in a bucket policy to allow only requests from a CloudFront distribution with that specific OAI.

    An OAI cannot be assigned any other roles, policies or permissions and an IAM user cannot be assigned to a CloudFront distribution. The only reason an OAI exists is to allow better security of S3 origins for CloudFront distributions.

    More information about OAI can be found at: Restricting access to Amazon S3 content by using an origin access identity (OAI) - Amazon CloudFront
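The answer above describes the only job an OAI has: it is the principal S3 sees when CloudFront fetches from the origin, and the bucket policy grants to that principal and nothing else. The following is an added example (not part of the question or the answer) showing what that looks like in practice, plus a small audit that catches the mix-up described in the question. The bucket name, the OAI ID and the distribution ID are constructed sample values, and the `audit_origin_policy` helper is hypothetical; the principal ARN format `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI ID>` is the one AWS documents for OAIs in bucket policies. Note that the OAI ARN sits under the fixed pseudo-account `cloudfront` rather than a 12-digit account ID, which is how it differs in shape from a real IAM user ARN even though the bare OAI ID and a distribution ID look alike.

```python
import json
import re

# Constructed sample values for illustration only; none of these are real AWS resources.
BUCKET = "example-origin-bucket"
OAI_ID = "E2EXAMPLEOAI1D"          # hypothetical OAI ID (what the CloudFront console shows as the OAI's ID)
DISTRIBUTION_ID = "E1EXAMPLEDIST1"  # hypothetical distribution ID; same look, different kind of object

# Principal that CloudFront presents to S3 when an OAI is attached to the distribution.
# It lives under the fixed pseudo-account "cloudfront", not under your own account's IAM.
OAI_ARN_RE = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity (E[A-Z0-9]+)$"
)
# An ordinary IAM user: a 12-digit account ID followed by a user path/name.
IAM_USER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/(.+)$")


def oai_principal_arn(oai_id):
    """ARN form of an OAI as it appears in an S3 bucket policy Principal."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_bucket_policy(bucket, oai_id):
    """Bucket policy that lets only the given OAI read objects (no ListBucket, no public access)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def classify_principal(arn):
    """Tell an OAI principal apart from an IAM user or anything else.

    Returns (kind, identifier): ("oai", <OAI ID>), ("iam-user", <account ID>),
    ("public", "*") or ("other", <arn>).
    """
    if arn == "*":
        return ("public", "*")
    m = OAI_ARN_RE.match(arn)
    if m:
        return ("oai", m.group(1))
    m = IAM_USER_ARN_RE.match(arn)
    if m:
        return ("iam-user", m.group(1))
    return ("other", arn)


def _principals(statement):
    """Normalise the Principal element of a statement to a list of strings."""
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def audit_origin_policy(policy, expected_oai_id):
    """Hypothetical check: every Allow statement must grant only to the expected OAI.

    Returns a list of findings; an empty list means the bucket is readable only
    through the CloudFront distribution that carries that OAI.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for arn in _principals(stmt):
            kind, ident = classify_principal(arn)
            if kind == "oai" and ident == expected_oai_id:
                continue
            if kind == "oai":
                findings.append(f"{sid}: grants to a different OAI {ident} (distribution ID pasted by mistake?)")
            else:
                findings.append(f"{sid}: grants to non-OAI principal ({kind}: {ident})")
    return findings


if __name__ == "__main__":
    policy = build_oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_origin_policy(policy, OAI_ID))
    # Pasting the distribution ID where the OAI ID belongs is reported instead of failing silently.
    wrong = build_oai_bucket_policy(BUCKET, DISTRIBUTION_ID)
    print("findings:", audit_origin_policy(wrong, OAI_ID))
```

Run it as a script to print the generated bucket policy and the audit results. The audit treats any `Allow` to a principal other than the expected OAI (an IAM user, `*`, or an OAI with a different ID) as a finding, which is exactly the property the answer describes: the bucket should be reachable only through the distribution carrying that OAI.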