IAM users, roles, and policies

Every AWS permission question comes down to three nouns. A user is a person with credentials, a role is an identity something assumes temporarily, and a policy is the JSON that grants the permissions. Get these three straight and the rest of IAM follows.