          Identity and Access Management

          FAQs

          Q: What is an IAM role?

          An IAM user is an entity identity that has its own identity credentials, and it usually corresponds one-to-one to a person or an application. An IAM role is a virtual identity that is associated with a set of permissions but has no identity credentials of its own, and it cannot be used until it is associated with an entity identity. An IAM role is not associated with a specific user or group. Instead, a trusted entity, such as an IAM user, an application, or BCC and other services, can act as the role.

          Q: What problems can IAM roles help solve?

          An IAM role lets you grant access with defined permissions to trusted entities without sharing a long-term access key. With IAM roles, you can grant access to IAM users managed under your account, to IAM users under other accounts, and to BCC and other services.

          Q: How do I act as an IAM role?

          You act as an IAM role by calling the Security Token Service (STS) AssumeRole APIs (AssumeRole, AssumeRoleWithWebIdentity and AssumeRoleWithSAML). These APIs return a set of temporary security credentials, which the application can then use to sign requests to service APIs.

          Q: How many IAM roles can I act as?

          There is no limit on the number of IAM roles that you can act as, but each request you submit to Baidu AI Cloud can use only one IAM role.
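A client-side sketch of the two answers above, added here as an illustration and not taken from Baidu AI Cloud's SDK or documentation: it keeps one set of temporary credentials per role, renews them shortly before they expire, and hands a request exactly one role's credentials. The `assume_role` callable, the credential field names, the role names and the 300-second renewal margin are all assumptions.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class TempCredentials:
    # Field names are assumptions for this sketch, not the STS response format.
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: float  # epoch seconds

class RoleSessionCache:
    """Holds temporary credentials per role and renews them before expiry."""
    def __init__(self, assume_role, clock=time.time, refresh_margin=300.0):
        self._assume_role = assume_role  # hypothetical callable wrapping the STS call
        self._clock = clock
        self._margin = refresh_margin    # renew when this many seconds or fewer remain
        self._sessions = {}

    def credentials_for(self, role_name):
        """Return the credentials for the single role a request will be signed as."""
        cached = self._sessions.get(role_name)
        if cached is None or cached.expires_at - self._clock() <= self._margin:
            cached = self._assume_role(role_name)
            if cached.expires_at <= self._clock():
                raise RuntimeError("received credentials that are already expired")
            self._sessions[role_name] = cached
        return cached

def demo():
    """Constructed scenario: fake clock and fake STS, no network access."""
    now = [1000.0]
    calls = []

    def fake_assume_role(role_name):
        calls.append(role_name)
        n = len(calls)
        return TempCredentials(f"AK-{role_name}-{n}", f"SK-{n}", f"TOKEN-{n}", now[0] + 3600)

    cache = RoleSessionCache(fake_assume_role, clock=lambda: now[0])
    first = cache.credentials_for("log-reader")      # first use: role is assumed
    now[0] += 1800
    second = cache.credentials_for("log-reader")     # 30 min left: cached set reused
    now[0] += 1600
    third = cache.credentials_for("log-reader")      # 200 s left: renewed
    other = cache.credentials_for("backup-writer")   # separate role, separate session
    return first, second, third, other, calls

if __name__ == "__main__":
    print(demo())
```

Because nothing long-lived is stored, a leaked entry from this cache stops working once its expiry time passes.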

          Q: What are the differences between an IAM role and an IAM user?

          An IAM user has permanent credentials and can interact with cloud services directly. An IAM role has no credentials, so it cannot make service requests directly. An IAM role must be assumed by an authorized entity, such as an IAM user, an application, or BCC and other services.

          Q: Can I add an IAM role to an IAM group?

          Currently, it isn't.

          Q: How many IAM roles can I create?

          You can create a maximum of 100 IAM roles for your account.

          Q: Can I delete the role associated with the service?

          Yes. Before deleting the role, you must remove the authorization of the role. This step ensures that you do not accidentally delete roles that are still needed for things to run properly.
