The Core Difference

IAM Role — you switch identity. Your original permissions are paused.

Resource-Based Policy — you keep your identity. The other resource just opens its door for you.

Real Example — Why This Matters

You are in Account A. You need to do two things at the same time:

• Read DynamoDB in Account A
• Write to S3 in Account B

With IAM Role:

• You assume a role in Account B
• Your Account A permissions (DynamoDB) are now paused
• You can only do S3 — cannot do both at the same time

With Resource-Based Policy on S3 in Account B:

• Account B's S3 bucket adds your account to its allowed list
• You access S3 directly without switching identity
• You still have DynamoDB access in Account A
• Both work at the same time

Key rule: If you need to work in two accounts at the same time, use Resource-Based Policy — not a Role.