====== IAM Role ======

**What it is:** An AWS identity with permissions that can be **assumed** temporarily.

**What it’s for:**
  * Give permissions to AWS services (EC2, Lambda, ECS, EKS) securely.
  * Enable cross-account access without sharing long-term keys.
  * Use temporary credentials from [[aws:security:iam:sts|STS]].

**Key ideas:**
  * A role has two important parts:
    * **Permissions policy**: what actions are allowed.
    * **Trust policy**: who is allowed to assume the role.
  * Roles use *temporary credentials* /ˈtɛmpəˌrɛri krəˈdɛnʃəlz/ (short-lived credentials).

**Exam cues:**
  * “EC2 needs access to S3” → attach a Role to EC2 (via an Instance Profile).
  * “EKS pod needs DynamoDB only” → use IRSA (IAM Roles for Service Accounts: one Role per service account).

**Hard words:**
  * *assume* /əˈsuːm/: to take on (take on permissions temporarily)
  * *trust policy* /trʌst ˈpɑːləsi/: a policy of trust (who is allowed to assume)
  * *temporary* /ˈtɛmpəˌrɛri/: lasting only a short time

**Child pages:**
  * [[aws:security:iam:assume-role|AssumeRole]]
  * [[aws:security:iam:trust-policy|Trust Policy]]
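===== Example: the two parts of a role =====

The “Key ideas” section above says a role is a **trust policy** (who may assume it) plus a **permissions policy** (what it may do), and the first exam cue says EC2 reaches S3 through an Instance Profile. The Terraform below is an added illustration for this page, not code from AWS or from any project; the role name, policy name and bucket name are placeholders, and the resource types are the standard ones from the AWS provider.

```hcl
# Added example (not from the page): the two halves of an IAM role for the
# "EC2 needs access to S3" case. Role, policy and bucket names are placeholders.

# Trust policy: WHO may assume the role. Only the EC2 service principal here,
# so no user or foreign account can call sts:AssumeRole on it.
resource "aws_iam_role" "ec2_s3_reader" {
  name = "ec2-s3-reader"   # placeholder role name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Permissions policy: WHAT the role may do. Read-only, one bucket, no "*".
resource "aws_iam_role_policy" "read_one_bucket" {
  name = "read-one-bucket"  # placeholder policy name
  role = aws_iam_role.ec2_s3_reader.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = "arn:aws:s3:::example-bucket"      # placeholder bucket
      },
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "arn:aws:s3:::example-bucket/*"    # placeholder bucket
      }
    ]
  })
}

# Instance profile: the wrapper that lets an EC2 instance pick up the role.
# The instance then receives temporary STS credentials automatically; no
# long-term access key is ever stored on the machine.
resource "aws_iam_instance_profile" "ec2_s3_reader" {
  name = "ec2-s3-reader"    # placeholder profile name
  role = aws_iam_role.ec2_s3_reader.name
}
```

When reviewing a role, check both halves separately: the permissions policy decides the blast radius, but the trust policy decides who can reach it at all, so a `Principal` of `"*"` or a whole foreign account with no `Condition` is the first thing to flag.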