Role Overview

Last updated: 2024-10-12 15:41:03

A role in CAM is a virtual identity, distinct from entity users such as sub-accounts, collaborators, or message recipients. Like those users, a role can be granted policies, but it is not an account of its own.
A role is not bound to one particular Tencent Cloud account the way a sub-account is: any Tencent Cloud account (or other role entity, see below) that is authorized to do so can assume it. Roles have no long-term credentials of their own (no password and no access key). Long-term credentials are used only by the caller that requests to assume the role. When the role is assumed, a temporary credential (a temporary SecretId and SecretKey plus a session token) is generated for that session and returned to the caller, who signs its requests to the open APIs of Tencent Cloud's basic services with that temporary key to reach the cloud resources the role's policies allow. Because the temporary credential expires, a long-running workload must re-assume the role when it expires rather than cache the credential indefinitely.
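The flow described above, as an added example that is not part of the original page or of any Tencent Cloud SDK: the caller builds an sts:AssumeRole request (signed with its own long-term key), turns the response into a temporary credential, checks that the credential has not expired, and signs an API 3.0 call with it using TC3-HMAC-SHA256, sending the session token in the X-TC-Token header. The AssumeRole response in the block is a constructed sample; the UIN, role name, keys and token in it are placeholders, and the 60-second expiry skew is the example's own choice.

```python
"""Assume a CAM role and call an API with the temporary credential it returns.
Added example, not Tencent Cloud SDK code. Runs offline: the AssumeRole response
below is a constructed sample and the UIN, role name, keys and token in it are
placeholders. Field names follow sts:AssumeRole (Version 2018-08-13) and the
TC3-HMAC-SHA256 signing scheme of Tencent Cloud API 3.0."""
import hashlib
import hmac
import time
from dataclasses import dataclass


def build_assume_role_request(role_arn, session_name, duration_seconds=7200):
    """Parameters of the sts:AssumeRole call. The caller signs THIS request with
    its own long-term key; the role has no key. DurationSeconds is capped at 43200."""
    if not role_arn.startswith("qcs::cam::uin/") or ":roleName/" not in role_arn:
        raise ValueError("RoleArn must look like qcs::cam::uin/<uin>:roleName/<name>")
    if not 0 < duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 1 and 43200")
    return {"Action": "AssumeRole", "Version": "2018-08-13", "RoleArn": role_arn,
            "RoleSessionName": session_name, "DurationSeconds": duration_seconds}


@dataclass(frozen=True)
class TemporaryCredential:
    tmp_secret_id: str
    tmp_secret_key: str
    token: str
    expired_time: int  # Unix seconds

    @classmethod
    def from_response(cls, response):
        r = response["Response"]
        c = r["Credentials"]
        return cls(c["TmpSecretId"], c["TmpSecretKey"], c["Token"], int(r["ExpiredTime"]))

    def is_valid(self, now=None, skew_seconds=60):
        """False once expired or about to expire: re-assume the role, never cache forever."""
        now = time.time() if now is None else now
        return now + skew_seconds < self.expired_time


def sign_tc3(cred, service, host, action, version, payload, timestamp):
    """Headers for a POST to https://<host>/ signed with TC3-HMAC-SHA256. With a
    temporary key the session token must also be sent in X-TC-Token."""
    date = time.strftime("%Y-%m-%d", time.gmtime(timestamp))
    content_type = "application/json; charset=utf-8"
    signed_headers = "content-type;host"
    canonical_request = "\n".join([
        "POST", "/", "",                                   # method, URI, query string
        f"content-type:{content_type}\nhost:{host}\n",     # canonical headers
        signed_headers,
        hashlib.sha256(payload.encode()).hexdigest(),      # hashed payload
    ])
    scope = f"{date}/{service}/tc3_request"
    string_to_sign = "\n".join(["TC3-HMAC-SHA256", str(timestamp), scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    def hmac_sha256(key, msg):
        return hmac.new(key, msg.encode(), hashlib.sha256).digest()

    # Derived signing key: the temporary SecretKey itself never leaves the client.
    k_date = hmac_sha256(("TC3" + cred.tmp_secret_key).encode(), date)
    k_signing = hmac_sha256(hmac_sha256(k_date, service), "tc3_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Authorization": (f"TC3-HMAC-SHA256 Credential={cred.tmp_secret_id}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
        "Content-Type": content_type, "Host": host,
        "X-TC-Action": action, "X-TC-Version": version,
        "X-TC-Timestamp": str(timestamp),
        "X-TC-Token": cred.token,
    }


# Constructed sample of an AssumeRole response; placeholder values, not real keys.
SAMPLE_ASSUME_ROLE_RESPONSE = {"Response": {
    "Credentials": {"Token": "placeholder-session-token",
                    "TmpSecretId": "AKIDtmpPLACEHOLDER",
                    "TmpSecretKey": "tmpSecretKeyPLACEHOLDER"},
    "ExpiredTime": 1700003600, "Expiration": "2023-11-14T23:13:20Z",
    "RequestId": "00000000-0000-0000-0000-000000000000"}}


if __name__ == "__main__":
    print(build_assume_role_request("qcs::cam::uin/100000000001:roleName/ReadOnlyAuditor",
                                    "audit-session"))
    cred = TemporaryCredential.from_response(SAMPLE_ASSUME_ROLE_RESPONSE)
    if cred.is_valid(now=1700000000):
        print(sign_tc3(cred, "cvm", "cvm.tencentcloudapi.com", "DescribeInstances",
                       "2017-03-12", "{}", 1700000000)["Authorization"])
```

The point to take from the block is the split of credentials: the only long-term key involved is the caller's, used for the AssumeRole request itself; everything after that is signed with the short-lived key, and the session token is what ties the signature to the role session. Treat is_valid returning False as the signal to call AssumeRole again.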

Use Cases

Entities that can request to assume a role are called role entities. Currently, Tencent Cloud role entities fall into three categories: Tencent Cloud accounts, product services that support the role function, and identity providers. The corresponding scenarios are as follows:
You want to grant users in your own account temporary access to resources, or grant users under another Tencent Cloud primary account access to resources in your account, without handing out long-term keys.
You need to let a Tencent Cloud product service access your resources but do not want to embed a long-term key in that service: an embedded key is hard to rotate and is exposed if the service or its configuration is intercepted.
Your enterprise or organization already has its own account system and wants to manage its members' use of Tencent Cloud resources. Tencent Cloud supports identity providers (IdPs) for this, so you do not have to create a CAM sub-user for every member inside your Tencent Cloud account.