An IAM Role is a set of permissions that grants access to actions and resources in AWS. An IAM Role can be assumed by IAM User accounts or by services within AWS, and can give access to Users from another account altogether. IAM Roles are similar to wearing different hats in that they temporarily let an IAM User or a service get permissions to do things they would not normally get to do. These permissions are attached to the Role itself, and are conveyed to anyone or anything that assumes the role. Also, Roles have credentials that can be used to authenticate the Role identity.
You can either assign a pre-built policy or create a custom policy. A policy is what gets assigned to a role. Admins of the customer environment create an IAM Policy with a constrained set of access, and then assign that policy to a new Role, specifically assigned to the provider’s Account ID and External ID. When done, the resulting IAM Role is given a specific Amazon Resource Name (ARN), which is a unique string that identifies the role.
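The binding of a Role to the provider's Account ID and External ID lives in the Role's trust policy. The following is an added example, not code from the original page: it builds such a trust policy and audits one for cross-account trust that lacks an External ID. The account IDs, the External ID and the function names are constructed for illustration.

```python
import json

# Constructed placeholder values, not real accounts.
PROVIDER_ACCOUNT_ID = "111122223333"
CUSTOMER_ACCOUNT_ID = "444455556666"
EXTERNAL_ID = "example-external-id-0001"

def build_trust_policy(provider_account_id, external_id):
    """Trust policy: only the provider account may assume the role,
    and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, own_account_id):
    """Flag Allow statements that let another account assume the role
    without an External ID. Simplified: literal action names and the
    StringEquals operator only."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        has_ext_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for arn in _as_list(principal.get("AWS", [])):
            # Principal is an ARN or a bare 12-digit account ID.
            account = (arn.split(":") + [""] * 5)[4] if arn.startswith("arn:") else arn
            if account == "*":
                findings.append(f"statement {i}: any AWS principal may assume the role")
            elif account != own_account_id and not has_ext_id:
                findings.append(f"statement {i}: account {account} trusted without sts:ExternalId")
    return findings

if __name__ == "__main__":
    good = build_trust_policy(PROVIDER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print(audit_trust_policy(good, CUSTOMER_ACCOUNT_ID))
```

The permissions policy (what the Role may do) is separate from this trust policy (who may assume it); both should be reviewed when a Role is shared with another account.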