

# Authentication
<a name="authentication"></a>

Access to Amazon Backup or the Amazon services that you are backing up requires credentials that Amazon can use to authenticate your requests. You can access Amazon as any of the following types of identities:
+ **Amazon Web Services account root user** – When you sign up for Amazon, you provide an email address and password that are associated with your Amazon account. This is your *Amazon Web Services account root user*. Its credentials provide complete access to all of your Amazon resources.

  **Important**  
  For security reasons, we recommend that you use the root user only to create an *administrator*. The administrator is an *IAM user* with full permissions to your Amazon Web Services account. You can then use this administrator to create other IAM users and roles with limited permissions. For more information, see [IAM Best Practices](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#create-iam-users) and [Creating Your First IAM Admin User and Group](https://docs.amazonaws.cn/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.
+ **IAM user** – An [IAM user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users.html) is an identity within your Amazon Web Services account that has specific custom permissions (for example, permissions to create a backup vault to store your backups in). You can use an IAM user name and password to sign in to secure Amazon webpages like the [Amazon Web Services Management Console](https://console.amazonaws.cn/), [Amazon Discussion Forums](https://forums.aws.csdn.net/), or the [Amazon Web Services Support Center](https://console.amazonaws.cn/support/home#/).

  In addition to a user name and password, you can also generate [access keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_access-keys.html) for each user. You can use these keys when you access Amazon services programmatically, either through [one of the several SDKs](http://www.amazonaws.cn/developer/tools/) or by using the [Amazon Command Line Interface (Amazon CLI)](http://www.amazonaws.cn/cli/). The SDK and Amazon CLI tools use the access keys to cryptographically sign your request. If you don't use the Amazon tools, you must sign the request yourself. For more information about authenticating requests, see [Signature Version 4 Signing Process](https://docs.amazonaws.cn/general/latest/gr/signature-version-4.html) in the *Amazon Web Services General Reference*.
+ **IAM role** – An [IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) is another IAM identity that you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access Amazon services and resources. IAM roles with temporary credentials are useful in the following situations:
  + Federated user access – Instead of creating an IAM user, you can use pre-existing user identities from Amazon Directory Service, your enterprise user directory, or a web identity provider. These are known as *federated users*. Amazon assigns a role to a federated user when access is requested through an [identity provider](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_providers.html). For more information about federated users, see [Federated Users and Roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_access-management.html#intro-access-roles) in the *IAM User Guide*.
  + Cross-account administration – You can use an IAM role in your account to grant another Amazon Web Services account permissions to administer your account's resources. For an example, see [Tutorial: Delegate Access Across Amazon Web Services accounts Using IAM Roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*.
  + Amazon service access – You can use an IAM role in your account to grant an Amazon service permissions to access your account's resources. For more information, see [Creating a Role to Delegate Permissions to an Amazon Service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.
  + Applications running on Amazon Elastic Compute Cloud (Amazon EC2) – You can use an IAM role to manage temporary credentials for applications running on an Amazon EC2 instance and making Amazon API requests. This is preferable to storing access keys within the EC2 instance. To assign an Amazon role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see [Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) in the *IAM User Guide*.
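
The request signing that the **IAM user** entry describes (what the SDKs and the Amazon CLI do with an access key) can be sketched as follows. This is an added example, not code from the Amazon documentation: the host, path, region and timestamp are constructed sample values, and the key pair is the placeholder pair used in Amazon's documentation. It assumes the path and query string are already URI-encoded and signs only the `host` and `x-amz-date` headers.

```python
import hashlib
import hmac

# Documentation placeholder credentials and constructed request values (assumptions).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
HOST, REGION, SERVICE = "backup.cn-north-1.amazonaws.com.cn", "cn-north-1", "backup"
AMZ_DATE = "20240101T000000Z"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Scope the long-term secret to one day, one region and one service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(access_key, secret_key, method, host, path, query,
                 payload: bytes, amz_date, region, service):
    """Return (headers, signature) for a Signature Version 4 request."""
    date = amz_date[:8]
    signed_headers = "host;x-amz-date"
    # Each canonical header line ends in "\n"; the join adds the blank separator line.
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    canonical_request = "\n".join([
        method, path, query, canonical_headers, signed_headers,
        hashlib.sha256(payload).hexdigest(),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = derive_signing_key(secret_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"host": host, "x-amz-date": amz_date, "Authorization": authorization}, signature


if __name__ == "__main__":
    headers, _ = sign_request(ACCESS_KEY, SECRET_KEY, "GET", HOST, "/backup-vaults/",
                              "", b"", AMZ_DATE, REGION, SERVICE)
    print(headers["Authorization"])
```

The secret access key never leaves the client: only the access key ID and the derived signature are sent, and the signing key is valid only for the date, region and service in its scope, so any change to the method, path, signed headers or payload invalidates the signature.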

    