---
title: How to Create a Role Trust
url: https://docs.vultr.com/platform/iam/roles/role-trusts/how-to-create-a-role-trust
description: Create a role trust in Vultr IAM to define who can assume a specific role. Configure trust relationships for users, groups, organizations, or OIDC issuers.
publish_date: 2026-03-24T19:52:23.624006Z
last_updated: 2026-06-01T20:41:31.848673Z
---

A role trust defines who is allowed to assume a specific role and under what conditions. Before creating a role trust, you must first create an assumable role. The trust relationship links the role to a trusted entity — a user, a group, or an OIDC issuer — and can include conditions such as IP restrictions, time-of-day limits, and an expiration date.

There are three trust types:

* **TemporaryAssumption**: The trusted entity must explicitly call the assume-role endpoint to activate the role. The created session becomes the principal.
* **IAMAssumption**: The role is assumed automatically through OIDC inline validation. The actual platform user remains the principal.
* **FederatedAssumption**: The role is assumed automatically through OIDC inline validation. The role itself determines the principal, not a platform user.

Follow this guide to create a role trust using the Vultr Console, the Vultr API, or Terraform.

=== "Vultr Console"

    A role trust is created as part of the assumable role creation flow.

    1. Log in to the [Vultr Console](https://console.vultr.com).
    1. Click the organization name in the top navigation bar.
    1. Click **Manage Organization**.
    1. Click the **Roles** tab.
    1. Click the **+** button to add a new role.
    1. Select **Assumable Role**.
    1. Enter a **Name** and optional **Description** for the role.
    1. Under **Trusted Entity**, select the entity type (User, Group, or OIDC Issuer) and choose the specific entity from the dropdown.
    1. Configure the assumption schedule:
        * **Always assumable**: No time restrictions.
        * **Assumable at specific times of the day**: Restrict assumption to a specific time window by setting start and end times with a timezone for granular control.
        * **Assumable on specific days of the week**: Select the allowed days of the week.
        * **Assumable on specific days of the week, at specific times of the day**: Combine day and time restrictions for the most granular control.
    1. (Optional) Under **IP Access Restrictions**, enter one or more allowed IP addresses (IPv4 or IPv6) to restrict role assumption to specific source IPs.
    1. In the **Permission Policies** section, search for and select the policies to attach.
    1. Click **Add Role**.

        The assumable role is created with the trust relationship configured. To view the trust details, click the role name and expand the **Role Trust** section.

=== "Vultr API"

    1. Send a `GET` request to the [**List Roles** endpoint](https://www.vultr.com/api/#tag/iam/operation/list-iam-roles) to retrieve all roles in your organization.

        ```console
        $ curl "https://api.vultr.com/v2/roles" \
            -X GET \
            -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

        Note the `id` of the assumable role for which you want to create a trust.

    1. Identify the trusted entity. You need either a `user_id`, `group_id`, or `oidc_issuer_id` depending on who should be allowed to assume the role.

    1. Send a `POST` request to the [**Create Role Trust** endpoint](https://www.vultr.com/api/#tag/iam/operation/create-iam-role-trust) to create the trust relationship. Replace `ROLE-ID` with the assumable role id and `USER-ID` with the trusted user id. Use `trusted_group_id` or `trusted_oidc_issuer_id` instead of `trusted_user_id` if trusting a group or OIDC issuer. Adjust the `conditions` and `valid_until` fields as needed. Add allowed source IPs to the `ip_address` array to restrict role assumption to specific IPv4 or IPv6 addresses. Leave the array empty to allow all IPs.

        ```console
        $ curl "https://api.vultr.com/v2/role-trusts" \
            -X POST \
            -H "Authorization: Bearer ${VULTR_API_KEY}" \
            -H "Content-Type: application/json" \
            -d '{
                "role_id": "ROLE-ID",
                "trust_type": "IAMAssumption",
                "trusted_user_id": "USER-ID",
                "conditions": {
                    "time_of_day": {
                        "timezone": "utc",
                        "days_of_week": ["monday", "tuesday", "wednesday", "thursday", "friday"]
                    },
                    "ip_address": ["203.0.113.10", "2001:db8::1"]
                },
                "valid_until": "2026-06-20T03:59:59+00:00"
            }'
        ```

        A successful request returns an HTTP `201 Created` response.

        Note the `id` of the role trust for future operations.

    1. Send a `GET` request to the [**Read Role Trust** endpoint](https://www.vultr.com/api/#tag/iam/operation/get-iam-role-trust) to retrieve the trust details. Replace `{role-trust-id}` with the id returned from the creation request.

        ```console
        $ curl "https://api.vultr.com/v2/role-trusts/{role-trust-id}" \
            -X GET \
            -H "Authorization: Bearer ${VULTR_API_KEY}"
        ```

        The response contains the resource details.
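    The three API steps above, as a small Python client (an added example, not Vultr's own code): it builds the Create Role Trust body from the fields used in the curl request, rejects malformed IP literals, unknown days, more than one trusted entity and an already-expired `valid_until` before anything is sent, and can dry-run the `POST`. The endpoint and field names come from this guide; requiring at least one allowed IP and a future expiry is this example's own least-privilege check, not an API rule.

    ```python
    import ipaddress
    import json
    import urllib.request
    from datetime import datetime, timezone

    API_URL = "https://api.vultr.com/v2/role-trusts"  # Create Role Trust endpoint from this guide
    TRUST_TYPES = {"TemporaryAssumption", "IAMAssumption", "FederatedAssumption"}
    DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
    ENTITY_KEYS = {"trusted_user_id", "trusted_group_id", "trusted_oidc_issuer_id"}


    def build_role_trust(role_id, trust_type, entity, days_of_week, ip_addresses,
                         valid_until, now=None):
        """Return the Create Role Trust body, or raise ValueError for malformed or overly
        broad input. `entity` is a one-item dict such as {"trusted_user_id": "USER-ID"};
        `now` is an optional ISO-8601 timestamp used instead of the clock (for testing)."""
        if trust_type not in TRUST_TYPES:
            raise ValueError(f"unknown trust_type {trust_type!r}")
        if len(entity) != 1 or not set(entity) <= ENTITY_KEYS:
            raise ValueError("exactly one trusted_*_id is required")
        if not set(days_of_week) <= DAYS:
            raise ValueError(f"invalid days_of_week: {sorted(set(days_of_week) - DAYS)}")
        # ipaddress.ip_address accepts IPv4 and IPv6 literals and rejects CIDRs, hostnames, etc.
        ips = [str(ipaddress.ip_address(ip)) for ip in ip_addresses]
        # Local policy (this example's choice, not an API rule): every trust carries an IP
        # restriction and an expiry that is still in the future.
        if not ips:
            raise ValueError("ip_address must list at least one allowed source IP")
        expiry = datetime.fromisoformat(valid_until)
        if expiry.tzinfo is None:
            raise ValueError("valid_until must include a UTC offset")
        current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
        if expiry <= current:
            raise ValueError("valid_until is already in the past")
        conditions = {"time_of_day": {"timezone": "utc", "days_of_week": list(days_of_week)},
                      "ip_address": ips}
        return {"role_id": role_id, "trust_type": trust_type, **entity,
                "conditions": conditions, "valid_until": expiry.isoformat()}


    def create_role_trust(body, api_key, dry_run=True):
        """POST the body; with dry_run, return (method, url, body) instead of sending."""
        data = json.dumps(body).encode()
        req = urllib.request.Request(API_URL, data=data, method="POST", headers={
            "Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
        if dry_run:
            return req.get_method(), req.full_url, json.loads(data)
        with urllib.request.urlopen(req) as resp:  # a successful create returns HTTP 201
            return resp.status, json.load(resp)
    ```

    Pass `dry_run=False` and a real `VULTR_API_KEY` to submit the request; the returned JSON carries the role trust `id` needed for the Read Role Trust call.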

=== "Terraform"

    > [!NOTE]
    > `FederatedAssumption` trusts cannot be created via Terraform. The provider has no field for `oidc_issuer_id`. Use the Vultr Console or API to create federated role trusts.

    1. Ensure the [Vultr Terraform provider](https://registry.terraform.io/providers/vultr/vultr/latest/docs) is configured in your Terraform project.

    1. Define the role trust resource. To trust a specific user:

        ```hcl
        resource "vultr_organization_role_trust" "my_role_trust" {
          role         = vultr_organization_role.my_role.id
          user         = vultr_user.new_user.id
          type         = "TemporaryAssumption"
          hour_start   = 9
          hour_end     = 17
          ip_range     = ["10.0.0.0/8"]
          date_expires = "2026-12-31T05:00:00+00:00"
        }
        ```

        To trust a group instead of a specific user, replace `user` with `group`:

        ```hcl
        resource "vultr_organization_role_trust" "my_role_trust" {
          role         = vultr_organization_role.my_role.id
          group        = vultr_organization_group.my_group.id
          type         = "TemporaryAssumption"
          hour_start   = 9
          hour_end     = 17
          ip_range     = ["10.0.0.0/8"]
          date_expires = "2026-12-31T05:00:00+00:00"
        }
        ```

        The `role`, `user`, and `group` fields are immutable. Changing any of them destroys and recreates the trust.

    1. Apply the configuration.

        ```console
        $ terraform apply
        ```

        Verify that the output shows `vultr_organization_role_trust.my_role_trust: Creation complete`.