IAM Role

What it is: An AWS identity with permissions that can be assumed temporarily.

What it’s for:

Give permissions to AWS services (EC2, Lambda, ECS, EKS) securely.
Enable cross-account access without sharing long-term keys.
Use temporary credentials from STS.

Key ideas:

A role has 2 important parts:
- Permissions policy: what actions are allowed.
- Trust policy: who is allowed to assume the role.
Roles use *temporary credentials* /ˈtɛmpəˌrɛri krəˈdɛnʃəlz/ (thông tin tạm thời).

Exam cues:

“EC2 needs access to S3” → attach a Role to EC2 (via Instance Profile).
“EKS pod needs DynamoDB only” → use IRSA (Role per service account).

Hard words:

*assume* /əˈsuːm/: nhận/đảm nhiệm (nhận quyền tạm thời)
*trust policy* /trʌst ˈpɑːləsi/: chính sách tin cậy (ai được assume)
*temporary* /ˈtɛmpəˌrɛri/: tạm thời

Child pages: