Last updated: 2021-10-29 17:57:34
An Identity and Access Management (IAM) role is a virtual IAM identity to which permission policies are attached; the policies determine what the identity can and cannot do. The following terms are used throughout this topic.
| Term | Description |
| --- | --- |
| IAM role | An IAM role is an identity to which a set of policies is attached. Unlike an IAM user, a role has no login password and no AccessKey of its own. After a trusted entity assumes a role, it obtains a Security Token Service (STS) token for the role and uses that token to access authorized resources as the role. |
| KRN | The KRN of a role is its globally unique resource identifier and follows the KRN naming conventions of Kingsoft Cloud, for example krn:ksc:iam::200**52:role/rolename. After you create a role, click the role name to find its KRN on the Role details page. |
| Trusted entity | A trusted entity is an entity that is allowed to assume a role. You must specify a trusted entity when you create a role, and only that trusted entity can assume the role. A trusted entity can be a Kingsoft Cloud account, a Kingsoft Cloud service, or an identity provider (IdP). |
| Policy | A policy is a set of permissions. One or more policies can be attached to a role. A role with no policies can exist, but it cannot access any Kingsoft Cloud resources. |
| Role assuming | Role assuming is how an entity obtains the STS token of a role. The entity calls the AssumeRole operation of the STS API to obtain the token, then uses the token to call API operations of Kingsoft Cloud services. |
| Identity switching | Identity switching is how an entity switches from its login identity to a role identity in the IAM console. After logging in to the IAM console, the entity can switch to any role it is allowed to assume and manage Kingsoft Cloud resources as that role. When the management operations are complete, the entity switches back to its login identity. |
| Role token | A role token is a temporary AccessKey for a role. Because a role has no permanent AccessKey, an entity that wants to use a role must assume it to obtain a role token, then use that token to call API operations of Kingsoft Cloud services. A role token expires, so a leaked token is exposed for a bounded time, unlike a long-term AccessKey. |
Roles are classified by the type of trusted entity that can assume them:

| Trusted entity type | Description | Typical use |
| --- | --- | --- |
| Kingsoft Cloud account | A role assumed by Kingsoft Cloud accounts and their IAM users. The IAM users can belong to the same Kingsoft Cloud account as the role or to another Kingsoft Cloud account. | Cross-account access and temporary authorization. |
| Kingsoft Cloud service | A role assumed by a Kingsoft Cloud service. | Authorizing one service to access the resources of another (cross-service access). |
| Identity provider (IdP) | A role assumed by users of an IdP. | Single sign-on (SSO) between an IdP and Kingsoft Cloud. |
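The following Python model illustrates the terms and the three role types above: a role has no credentials of its own, only a listed trusted entity can assume it, assuming it yields a short-lived role token, an explicit Deny wins over an Allow, and a role without policies yields a token that can do nothing. This is an added example written for this page, not Kingsoft Cloud's STS API or SDK; the account IDs, the `ks3` action and resource names, the IdP KRN, the token duration limits and the `StsModel` class are all constructed for illustration and carry no official meaning.

```python
"""Local model of IAM role assumption (added example, not Kingsoft Cloud's API)."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from fnmatch import fnmatchcase

# KRN layout taken from the page: krn:ksc:iam::<account-id>:role/<rolename>.
# The account IDs below are constructed for this example.
ACCOUNT = "2000000052"          # account that owns the role
PARTNER_ACCOUNT = "2000000099"  # account listed as trusted entity
STRANGER_ACCOUNT = "2000000123" # account that is not trusted
MIN_DURATION, MAX_DURATION = 900, 43200  # assumed limits for the model, in seconds


@dataclass(frozen=True)
class Principal:
    kind: str   # "account", "service" or "idp": the three trusted-entity types on the page
    value: str  # account ID, service name, or IdP KRN


@dataclass
class Role:
    krn: str
    trusted_entities: list[Principal]
    policies: list[dict]  # statements of the form {"Effect", "Action", "Resource"}


@dataclass(frozen=True)
class RoleToken:
    access_key_id: str
    secret_access_key: str
    security_token: str
    role_krn: str
    expires_at: float  # Unix time; the token is a temporary AccessKey


class StsModel:
    """Issues role tokens to trusted entities and evaluates the role's policies."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}

    def create_role(self, role: Role) -> None:
        self.roles[role.krn] = role

    def assume_role(self, caller: Principal, role_krn: str,
                    duration_seconds: int = 3600, now: float | None = None) -> RoleToken:
        role = self.roles.get(role_krn)
        # Same error for "no such role" and "not trusted", so callers cannot enumerate roles.
        if role is None or caller not in role.trusted_entities:
            raise PermissionError(f"AccessDenied: caller is not a trusted entity of {role_krn}")
        if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
            raise ValueError(f"DurationSeconds must be in [{MIN_DURATION}, {MAX_DURATION}]")
        now = time.time() if now is None else now
        return RoleToken(
            access_key_id="AKTMP" + secrets.token_hex(8).upper(),
            secret_access_key=secrets.token_urlsafe(32),
            security_token=secrets.token_urlsafe(48),
            role_krn=role_krn,
            expires_at=now + duration_seconds,
        )

    def is_allowed(self, token: RoleToken, action: str, resource: str,
                   now: float | None = None) -> bool:
        now = time.time() if now is None else now
        if now >= token.expires_at:
            return False  # expired role token: treated as no credentials at all
        role = self.roles.get(token.role_krn)
        if role is None:
            return False  # role deleted after the token was issued
        allowed = False
        for stmt in role.policies:
            if any(fnmatchcase(action, a) for a in stmt["Action"]) and \
               any(fnmatchcase(resource, r) for r in stmt["Resource"]):
                if stmt["Effect"] == "Deny":
                    return False  # an explicit Deny always wins
                allowed = True
        return allowed  # no matching statement: default deny


def demo() -> dict[str, bool]:
    """Walks through the scenarios the page describes; returns outcome per scenario."""
    sts = StsModel()
    reader_krn = f"krn:ksc:iam::{ACCOUNT}:role/ks3-reader"
    empty_krn = f"krn:ksc:iam::{ACCOUNT}:role/no-policies"
    idp_krn = f"krn:ksc:iam::{ACCOUNT}:saml-provider/corp-idp"  # constructed IdP KRN
    sts.create_role(Role(reader_krn,
        trusted_entities=[Principal("account", PARTNER_ACCOUNT), Principal("idp", idp_krn)],
        policies=[{"Effect": "Allow", "Action": ["ks3:Get*", "ks3:List*"],
                   "Resource": ["krn:ksc:ks3:::reports/*"]},
                  {"Effect": "Deny", "Action": ["ks3:*"],
                   "Resource": ["krn:ksc:ks3:::reports/secret/*"]}]))
    sts.create_role(Role(empty_krn, [Principal("account", PARTNER_ACCOUNT)], policies=[]))
    t0 = 1_700_000_000.0
    report = "krn:ksc:ks3:::reports/q3.pdf"
    token = sts.assume_role(Principal("account", PARTNER_ACCOUNT), reader_krn, now=t0)
    empty = sts.assume_role(Principal("account", PARTNER_ACCOUNT), empty_krn, now=t0)
    out = {
        "read_report": sts.is_allowed(token, "ks3:GetObject", report, now=t0),
        "delete_report": sts.is_allowed(token, "ks3:DeleteObject", report, now=t0),
        "read_secret": sts.is_allowed(token, "ks3:GetObject", "krn:ksc:ks3:::reports/secret/k", now=t0),
        "after_expiry": sts.is_allowed(token, "ks3:GetObject", report, now=t0 + 3601),
        "empty_role_read": sts.is_allowed(empty, "ks3:GetObject", report, now=t0),
    }
    try:  # the role's own account is not listed as trusted, so it cannot assume the role either
        sts.assume_role(Principal("account", STRANGER_ACCOUNT), reader_krn, now=t0)
        out["untrusted_assume"] = True
    except PermissionError:
        out["untrusted_assume"] = False
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Two design points carry over to a real deployment: the trust list is evaluated before any permission policy, so an over-broad trusted entity (an entire partner account rather than a specific user or service) is what turns a cross-account role into a lateral-movement path, and an expired or revoked-role token fails closed rather than falling back to the caller's own identity.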