
Who or What Can a Role Be Assigned to?

Updated on 08 April, 2026

Learn which entities can hold IAM roles on Vultr. Assignable roles attach to users, service users, and groups. Assumable roles use trust-based relationships.


The answer depends on the type of role. Vultr IAM has two role types, assignable and assumable, and each works differently in terms of who or what can hold it.

Assignable Roles

Assignable roles can be attached directly to the following types of entities:

  • Users — a role assigned directly to a user grants the user all the permissions bundled within the role for as long as the assignment exists.
  • Service Users — a role assigned to a service user grants it the permissions it needs to interact with Vultr resources programmatically from scripts and automated workloads, keeping machine access cleanly separated from human access.
  • Groups — a role assigned to a group is automatically inherited by all current and future members of that group. This is the recommended pattern for managing access at scale. Assign the role once to the group and let membership drive access automatically.

Assumable Roles

Assumable roles are temporarily assumed by a trusted entity via a trust relationship defined on the role itself. When creating an assumable role, you define which entities are permitted to assume it and under what conditions. Vultr IAM supports three types of trusted entities:

  • Organization User — allows a specific user within your organization to assume the role and perform actions under the permissions it grants.
  • Organization Group — allows any member of a specific group within your organization to assume the role.
  • OIDC Issuer — allows an external identity authenticated by an OpenID Connect provider to assume the role. This enables federation with external systems and CI/CD pipelines that authenticate via OIDC.

Assumption and Expiration

When configuring an assumable role, you can control how it is assumed and for how long the trust relationship remains valid.

Assumption mode:

  • Automatically — the role is assumed when defined conditions are met, without requiring any action from the user.
  • Manually — the user must explicitly assume the role themselves. When manual assumption is selected, you can explicitly configure a session window that determines how long each assumed session remains active. Session windows range from 15 minutes to 12 hours. Once the session window expires, the session is terminated and the user must assume the role again to start a new session.

Trust expiration:

The trust expiration date controls how long the trust relationship between the role and the trusted entity remains valid. Once the trust expires, the trusted entity can no longer assume the role regardless of assumption mode or session window. Trust expiration can be set to: 1 month, 3 months, 6 months, 1 year, 2 years, a custom date, or never expire.
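The rules above can be modelled in a few lines to review trust settings before they are applied. This is an added example, not Vultr code: the `Trust` record, its field names, and the sample entries are assumptions made for illustration and do not reflect the Vultr API schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_WINDOW, MAX_WINDOW = timedelta(minutes=15), timedelta(hours=12)
ENTITY_TYPES = {"organization_user", "organization_group", "oidc_issuer"}

@dataclass
class Trust:  # hypothetical model for this example, not Vultr's API schema
    entity_type: str
    entity: str
    mode: str                                   # "automatic" or "manual"
    trust_expires: Optional[datetime]           # None means "never expire"
    session_window: Optional[timedelta] = None  # only used in manual mode

def validate(t: Trust) -> list:
    """Return configuration problems based on the limits stated on this page."""
    problems = []
    if t.entity_type not in ENTITY_TYPES:
        problems.append("unknown trusted entity type")
    if t.mode == "manual" and not (t.session_window and MIN_WINDOW <= t.session_window <= MAX_WINDOW):
        problems.append("session window must be 15 minutes to 12 hours")
    elif t.mode not in ("manual", "automatic"):
        problems.append("unknown assumption mode")
    return problems

def can_assume(t: Trust, now: datetime) -> bool:
    """An expired trust blocks assumption regardless of mode or session window."""
    return not validate(t) and (t.trust_expires is None or now < t.trust_expires)

def session_end(t: Trust, started: datetime) -> Optional[datetime]:
    """End of a manually assumed session, or None if no manual session can start."""
    return started + t.session_window if t.mode == "manual" and can_assume(t, started) else None

def review(trusts, now):
    """List (entity, finding) pairs; flagging never-expiring trusts is this example's policy."""
    findings = [(t.entity, p) for t in trusts for p in validate(t)]
    for t in trusts:
        if t.trust_expires is None or now >= t.trust_expires:
            findings.append((t.entity, "trust never expires" if t.trust_expires is None else "trust expired"))
    return findings

NOW = datetime(2026, 4, 8, tzinfo=timezone.utc)  # constructed sample data below
SAMPLE = [
    Trust("organization_user", "alice", "manual", datetime(2026, 7, 8, tzinfo=timezone.utc), timedelta(hours=1)),
    Trust("oidc_issuer", "https://ci.example.com", "automatic", None),
    Trust("organization_group", "ops-group", "manual", datetime(2027, 4, 8, tzinfo=timezone.utc), timedelta(hours=24)),
    Trust("organization_user", "contractor", "manual", datetime(2026, 3, 1, tzinfo=timezone.utc), timedelta(minutes=30)),
]
```

The model only decides whether a new assumption may start; the page does not describe what happens to a session that is still running when the trust expires, so the example leaves that case out.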