Role Overview

Last updated: 2019-04-17 12:01:58


A role is similar to a Tencent Cloud user: you can think of it as a "virtual account" and give it permission policies that determine what it can and cannot do in Tencent Cloud. A role can be assumed by any Tencent Cloud account and is not exclusively associated with a single account. Although a primary account uses long-term credentials such as a password or access keys when creating a role, the role itself has no long-term credentials associated with it. When you assume a role, you receive dynamic temporary security credentials for accessing resources via the role. Specifically, you use temporary keys and signatures to access your cloud resources through the open Tencent Cloud APIs.

An object that can apply to assume a role is called a role entity. Tencent Cloud supports two types of role entities: Tencent Cloud accounts and role-enabled Tencent Cloud services. A typical use case for a Tencent Cloud account as the role entity is granting users in your account, or in another Tencent Cloud primary account, temporary access to resources in your account. A typical use case for a role-enabled Tencent Cloud service is allowing a Tencent Cloud product service to access your resources without creating a persistent key for it, because a persistent key is difficult to rotate and may therefore create security issues that result in credential leakage.
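
To review which role entities a role actually trusts, the following added example (not code from Tencent Cloud or from this page) lists every entity allowed to assume a role and labels it as own-account, cross-account, or service. It assumes the role's trust policy uses CAM policy syntax with `principal.qcs` and `principal.service` entries and the `name/sts:AssumeRole` action; the account UINs and the sample policy are constructed, and `role_entities` is a hypothetical helper name.

```python
import json
import re

# Constructed sample trust policy; the UINs and service name are placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": "name/sts:AssumeRole",
         "principal": {"qcs": ["qcs::cam::uin/100000000001:root",
                               "qcs::cam::uin/100000000002:root"]}},
        {"effect": "allow", "action": "name/sts:AssumeRole",
         "principal": {"service": ["cvm.qcloud.com"]}},
    ],
})

# Assumed resource format for an account principal: qcs::cam::uin/<UIN>:...
UIN_RE = re.compile(r"^qcs::cam::uin/(\d+):")


def as_list(value):
    """Policies may hold a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def role_entities(policy_json, own_uin):
    """Return (kind, identifier) for every entity allowed to assume the role."""
    found = []
    for stmt in json.loads(policy_json).get("statement", []):
        if stmt.get("effect") != "allow":
            continue
        if "name/sts:AssumeRole" not in as_list(stmt.get("action", [])):
            continue
        principal = stmt.get("principal", {})
        for entry in as_list(principal.get("qcs", [])):
            match = UIN_RE.match(entry)
            if match is None:
                found.append(("unrecognized", entry))  # review by hand
            elif match.group(1) == own_uin:
                found.append(("own-account", match.group(1)))
            else:
                found.append(("cross-account", match.group(1)))
        for entry in as_list(principal.get("service", [])):
            found.append(("service", entry))
    return found


if __name__ == "__main__":
    for kind, ident in role_entities(SAMPLE_TRUST_POLICY, "100000000001"):
        print(f"{kind:14} {ident}")
```

Cross-account and service entries are the ones to compare against the list of accounts and services you intended to trust.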