Overview
An IAM role (hereafter referred to as a role) is a virtual identity that, like a user identity, can be associated with permissions to operate on resources. Unlike a user, a role has no identity authentication key of its own and must be assumed (played) by a trusted entity before it can be used.
You can use a role as a bridge to grant access permissions to the users, applications or services that need to access your cloud account resources. For example, you can grant users, applications or services of other cloud accounts temporary access to your account resources to achieve cross-account access, or grant the IAM users in your own account temporary access to certain sensitive resources.
This document describes the concept of roles, how they work, and how to use them to meet the day-to-day demands of account and resource management.