In VMware Cloud on AWS (VMC), a user who is logged into vCenter Server does not run with the Administrator role, as they might in an on-prem vSphere environment, but with a restrictive vCenter role called CloudAdmin. The reason for this is that VMware is responsible for managing the infrastructure, including the management software, and we want to make sure customers do not accidentally make changes that could affect those operations. More importantly, with VMC being a service, customers can now focus their attention on the consumption of resources in VMC and leave the maintenance of the infrastructure to VMware.
Note: For those interested, you can find the complete list of vCenter privileges for the CloudAdmin role here.
The ability to create and consume custom vCenter roles has been an extremely powerful capability of vCenter Server, and although this is currently not possible in VMC, it is something that is actively being worked on. With that said, many of the requests that I have seen regarding this topic have actually been about consuming some of the default vCenter roles. This is especially true for the "Read Only" role, which is useful for auditing and monitoring purposes. As a CloudAdmin user, you can assign default vCenter roles whose privileges are equal to or less than those of the CloudAdmin role, and this includes the default "Read Only" vCenter role.
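
To see which built-in roles fall under that ceiling in a given SDDC, the following PowerCLI sketch compares each system role's privilege list with CloudAdmin's. It is an added example, not code from the original post; it assumes VMware PowerCLI with an open `Connect-VIServer` session as a CloudAdmin user, and it reads "equal or lesser privileges" as "the role's privilege set is a subset of CloudAdmin's".

```powershell
# Added example, not from the original post. Assumes VMware PowerCLI is
# installed and Connect-VIServer has already been run against the VMC
# vCenter Server as a CloudAdmin user.

# The privileges held by CloudAdmin are the ceiling for delegation.
$cloudAdmin = Get-VIRole -Name 'CloudAdmin'
$ceiling = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$cloudAdmin.PrivilegeList)

# Compare every built-in (system) role against that ceiling.
# Assumption: "equal or lesser" means no privilege outside CloudAdmin's set.
$report = foreach ($role in Get-VIRole | Where-Object { $_.IsSystem }) {
    # Privileges this role has that CloudAdmin lacks; the "$_ -and" guard
    # skips the null element produced by a role with no privileges.
    $extra = @($role.PrivilegeList |
        Where-Object { $_ -and -not $ceiling.Contains($_) })

    [pscustomobject]@{
        Role             = $role.Name
        WithinCloudAdmin = ($extra.Count -eq 0)
        ExtraCount       = $extra.Count
        ExtraPrivileges  = ($extra | Select-Object -First 5) -join ', '
    }
}

# Roles with WithinCloudAdmin = True are the candidates for delegation;
# for the rest, ExtraPrivileges shows a sample of what exceeds CloudAdmin.
$report | Sort-Object WithinCloudAdmin, Role | Format-Table -AutoSize
```

Running the same report periodically also gives an audit baseline: a system role that moves from one group to the other after a service update is worth reviewing before it is assigned to anyone.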