What Are Roles?

Updated on 13 April, 2026

Understand IAM roles on Vultr. Roles bundle permission policies into reusable sets that can be assigned to users and groups or assumed for temporary access.


A role is a named collection of permission policies that can be assigned to or assumed by a user, group, or service identity. Rather than attaching individual permission policies to every entity separately, you define a role once with the right policies and assign it wherever needed. This makes access management more consistent and easier to maintain at scale.

Vultr IAM supports two distinct types of roles, each designed for a different access pattern.

Types of Roles

  • Assignable roles provide permanent access and are attached directly to users, groups, or service users. The assigned entity always acts with the permissions of the role for as long as the assignment exists. Use assignable roles for day-to-day permissions that users need continuously.
  • Assumable roles provide temporary, elevated access through time-bound sessions. Rather than being directly assigned, they are assumed via a trust relationship defined on the role itself, which controls which users, groups, or external identities (via OIDC) are permitted to assume it. Assumable roles support IP restrictions and trust-based assumption. Once the session expires or the task is complete, the session is terminated and the elevated permissions are no longer active. The user must create a new session to assume the role again. Use assumable roles for privileged operations that require temporary elevation rather than permanent access.
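
The assumable-role flow described above (trust check, IP restriction, time-bound session), as an added conceptual sketch in Python. It is not Vultr's API or policy schema; the class names, field names, principal strings and sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AssumableRole:                 # hypothetical model, not Vultr's schema
    name: str
    policies: frozenset              # permission policies bundled into the role
    trusted_principals: frozenset    # users, groups or OIDC identities in the trust relationship
    allowed_cidrs: tuple             # IP restriction applied when the role is assumed
    max_session: timedelta           # time bound of each session

@dataclass(frozen=True)
class Session:
    role: AssumableRole
    principal: str
    expires_at: datetime

    def permits(self, policy, now):
        # Elevated permissions are active only while the session is live.
        return now < self.expires_at and policy in self.role.policies

def assume_role(role, principal, groups, source_ip, now):
    """Return a time-bound Session, or raise PermissionError."""
    identities = {principal, *groups}
    if not identities & role.trusted_principals:
        raise PermissionError("principal is not in the role's trust relationship")
    if not any(ip_address(source_ip) in ip_network(c) for c in role.allowed_cidrs):
        raise PermissionError("source IP is outside the role's allowed ranges")
    return Session(role, principal, now + role.max_session)

# Constructed sample role: one-hour sessions, assumable from a documentation range.
DB_ADMIN = AssumableRole(
    name="db-admin",
    policies=frozenset({"database:delete", "database:restore"}),
    trusted_principals=frozenset({"group:sre", "oidc:ci-deploy"}),
    allowed_cidrs=("203.0.113.0/24",),
    max_session=timedelta(hours=1),
)

def demo():
    t0 = datetime(2026, 4, 13, 9, 0, tzinfo=timezone.utc)
    s = assume_role(DB_ADMIN, "user:alice", {"group:sre"}, "203.0.113.10", t0)
    # Same session checked inside and after its time bound.
    return (s.permits("database:delete", t0 + timedelta(minutes=30)),
            s.permits("database:delete", t0 + timedelta(hours=2)))
```

After the session's expiry the same `Session` object grants nothing, so the caller has to call `assume_role` again and pass the trust and IP checks a second time.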