Context: In the ‘Using Roles’ lesson under EC2. If roles exist to prevent hard coding creds/access, why would you want a role to disappear? Am I missing something simple?
I think what is meant by this is that the credentials that a role provides are temporary, unlike credentials that you generate through IAM. To use a role, something assumes the role (i.e., a user or service). When assumed, the role provides credentials that are temporary. The role itself (as it exists in IAM) is as permanent as other structures in IAM. … They are used so that the access that is permitted is not tied directly to accounts/resources that may change, but to the roles, which are then assumed by users/services.
Note: I’ve updated this answer because I made the mistake of answering before reminding myself of the terminology used in the exam. I originally took issue with the notion that using roles prevents hard-coding access keys, but I was mistaken. I knew better, but still presented mistakenly. Roles do prevent hard-coding access keys. The confusion for me was that I’ve seen role names themselves being hard-coded (into source code). I’m not sure that hard-coding into source code like that is ever a sustainable approach.
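The difference between a role's temporary credentials and a hard-coded long-term key, as an added example that is not part of the original question or answer. It inspects a credential document shaped like the one an EC2 instance role exposes through instance metadata, and scans a source snippet for long-term key IDs. The sample document, the sample source, the key values, and the function names are constructed for illustration; the `AKIA` (long-term IAM user key) and `ASIA` (temporary key) prefixes are AWS's documented access key ID prefixes.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of a role credential document (placeholder values, not real credentials).
SAMPLE_ROLE_CREDS = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T18:00:00Z",
})

# Constructed source snippet with a hard-coded long-term key (AWS's documentation example ID).
SAMPLE_SOURCE = 'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\nrole = "app-role"\n'

KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

def classify_key(access_key_id):
    """AKIA = long-term IAM user key, ASIA = temporary key issued when a role is assumed."""
    return {"AKIA": "long-term", "ASIA": "temporary"}.get(access_key_id[:4], "unknown")

def describe_role_creds(doc, now):
    """Summarise a role credential document: key kind, session token, time to expiry."""
    creds = json.loads(doc)
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return {
        "kind": classify_key(creds["AccessKeyId"]),
        "has_session_token": bool(creds.get("Token")),
        "seconds_left": max(0, int((expires - now).total_seconds())),
    }

def find_hardcoded_long_term_keys(source):
    """Return (line_number, key_id) for each long-term key ID found in the text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in KEY_ID.finditer(line):
            if classify_key(match.group(0)) == "long-term":
                hits.append((lineno, match.group(0)))
    return hits

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the sample
    print(describe_role_creds(SAMPLE_ROLE_CREDS, now))
    print(find_hardcoded_long_term_keys(SAMPLE_SOURCE))
```

The role's key expires and carries a session token, so a leaked copy stops working on its own; the `AKIA` key in the source snippet keeps working until someone rotates or deletes it.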