Last updated: 2020-02-21 13:33:15
Similar to a Tencent Cloud user, a role is a "virtual account" that can be associated with policies which determine what it can or cannot do in Tencent Cloud. A role can be assumed by any Tencent Cloud account and is not exclusively associated with one single account. Although a root account uses persistent credentials such as a password or access keys when creating a role, a role does not have persistent credentials associated with it. When you assume a role, temporary credentials are created for you to access related resources. Specifically, you can use temporary keys to call open TencentCloud APIs in order to access your Tencent Cloud resources.
A role entity is an object that can be allowed to assume a role. Tencent Cloud supports two types of role entities: Tencent Cloud accounts and role-enabled Tencent Cloud services. If you need to grant users in your account or another Tencent Cloud root account temporary access to your resources, you can use a Tencent Cloud account as the role entity. If you need to grant a Tencent Cloud service access to your resources, you can use a role-enabled Tencent Cloud service as the role entity. In this way, you do not need to create a persistent key for any service, avoiding the security risks caused by difficulty in key rotation and possible credential leakage.
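To review which role entities a role actually trusts, the following added example (not part of the original Tencent Cloud documentation) classifies the principals in a role's trust policy as accounts or services and flags principals outside your own root account. The policy layout (`principal.qcs`, `principal.service`, `qcs::cam::uin/<UIN>:root`) is an assumption about the CAM trust policy syntax, and the UINs, service name and function names are constructed placeholders.

```python
import json
import re

# Assumed account principal format: qcs::cam::uin/<root UIN>:<root or sub-user part>
ACCOUNT_RE = re.compile(r"^qcs::cam::uin/(\d+):")

# Constructed sample trust policy; UINs and the service name are placeholders.
SAMPLE_POLICY = json.dumps({
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": "name/sts:AssumeRole",
         "principal": {"qcs": ["qcs::cam::uin/100000000001:root",
                               "qcs::cam::uin/100000000002:root"]}},
        {"effect": "allow", "action": "name/sts:AssumeRole",
         "principal": {"service": ["cvm.qcloud.com"]}},
    ],
})


def _as_list(value):
    """Principal values may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_role_entities(policy_text, own_uin):
    """Return (kind, entity, finding) for each entity allowed to assume the role."""
    results = []
    for stmt in json.loads(policy_text).get("statement", []):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # only allow statements grant the ability to assume the role
        principal = stmt.get("principal", {})
        for entity in _as_list(principal.get("qcs")):
            match = ACCOUNT_RE.match(entity)
            if not match:
                finding = "unrecognized principal, review manually"
            elif match.group(1) != own_uin:
                finding = "cross-account: confirm this root account is trusted"
            else:
                finding = "same account"
            results.append(("account", entity, finding))
        for entity in _as_list(principal.get("service")):
            results.append(("service", entity, "service role entity"))
    return results


if __name__ == "__main__":
    for row in classify_role_entities(SAMPLE_POLICY, own_uin="100000000001"):
        print(" | ".join(row))
```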