An identity you can create in IAM that has specific permissions. It's an AWS identity that is intended to be assumable by anyone (or anything) who needs it, rather than assigning it to a specific person.
Roles are the preferred option from a security perspective. They allow you to avoid hard-coding your access key IDs and secret access keys.
Roles are temporary, when you assume a role it provides you with temporary credentials for your session.
Policies control a role's permission, and when a policy attached to a role is updated it will take immediate effect.