
IAM Role

What it is: An AWS identity with permissions that can be assumed temporarily.

What it’s for:

  • Give permissions to AWS services (EC2, Lambda, ECS, EKS) securely.
  • Enable cross-account access without sharing long-term keys.
  • Use temporary credentials from STS.

Key ideas:

  • A role has 2 important parts:
    • Permissions policy: what actions are allowed.
    • Trust policy: who is allowed to assume the role.
  • Roles use *temporary credentials* /ˈtɛmpəˌrɛri krəˈdɛnʃəlz/ (temporary information).

Exam cues:

  • “EC2 needs access to S3” → attach a Role to EC2 (via Instance Profile).
  • “EKS pod needs DynamoDB only” → use IRSA (IAM Roles for Service Accounts: one Role per service account).
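
As an added worked example (not part of the original page), here is a hypothetical role for the “EC2 needs access to S3” cue above, with a small evaluator that keeps the two checks a role involves separate: the trust policy decides who may assume it, the permissions policy decides what the temporary credentials may do. The role name, bucket and principals are constructed; the evaluator is a deliberately simplified model of IAM evaluation (explicit Deny wins, otherwise an Allow is required).

```python
import fnmatch

# Constructed example role: the two parts the page describes.
ROLE = {
    "RoleName": "ec2-s3-reader",  # hypothetical name
    # Trust policy: WHO may call sts:AssumeRole on this role (here: the EC2 service).
    "TrustPolicy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
    # Permissions policy: WHAT the assumed credentials may do (read one bucket only).
    "PermissionsPolicy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }],
    },
}

def _as_list(value):
    # IAM allows a string or a list of strings in Action/Resource/Principal.
    return value if isinstance(value, list) else [value]

def can_assume(role, principal_type, principal_id):
    """Trust-policy check: is this principal (e.g. Service/AWS) allowed to assume the role?"""
    for st in role["TrustPolicy"]["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        if principal_id in _as_list(st["Principal"].get(principal_type, [])):
            return True
    return False  # no trust statement matched: AssumeRole is denied

def is_allowed(role, action, resource):
    """Permissions-policy check (simplified): explicit Deny wins, else an Allow must match."""
    allowed = False
    for st in role["PermissionsPolicy"]["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

A Lambda function or an IAM user is not in the trust policy, so even with the same permissions policy it could not assume this role; conversely, the EC2 instance can assume it but still cannot write to the bucket.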

Hard words:

  • *assume* /əˈsuːm/: to take on / take over (receive temporary permissions)
  • *trust policy* /trʌst ˈpɑːləsi/: trust policy (who is allowed to assume)
  • *temporary* /ˈtɛmpəˌrɛri/: temporary

aws/security/iam/role.txt · Last modified: by phong2018