
          Identity and Access Management

          Related Concepts

          Role

          A role is an IAM identity with specific permissions that you create in your Baidu AI Cloud account. A role is similar to an IAM user: it is a cloud identity of Baidu AI Cloud and can be granted permissions that Allow or Deny access to specific resources. The difference is that a role is a virtual identity without fixed identity credentials (password or key), so it cannot be used to log in to the console directly or to call the API directly to access resources in Baidu AI Cloud. The authorized resources can be accessed only after a trusted identity assumes (substitutes in) the role, using the temporary security credentials provided for the role session.

          A role can be assumed by the following types of users:

          • An IAM role in the same account as the role.
          • An IAM role that is not in the same account as the role.
          • A web service or product provided by Baidu AI Cloud.
          • External users provided by identity providers that are compatible with SAML 2.0.

          Role Carrier

          A role carrier is an object that can take on a role's permissions. Define role carriers to add and manage specific roles in the trusted policy, so as to Allow or Deny these role carriers access to your resources in Baidu AI Cloud. Currently, the objects that can be role carriers are root, an IAM user, a role, or a group.

          Switch (Substitute in) Role

          Switching roles is the operation in which a role carrier switches from its own user space to an authorized role space. Once a user has been granted the STSAssumeRoleAccess permission, the user can switch between its own user space and the role space, but can switch to only one role space. After switching to the target role space, the user has only the permissions of the target role. Currently, role switching is supported only through the API; refer to Use Role for the detailed operation.
