What is sts:AssumeRole?
sts:AssumeRole is the AWS Security Token Service (STS) action that returns temporary security credentials (access key ID, secret access key, and session token) for an IAM role, letting the calling principal operate with that role's permissions for the lifetime of the session.
AssumeRole is the mechanism behind cross-account access, federation, and service-to-service permissions. Two policies gate every call: the caller's identity policy must allow sts:AssumeRole on the target role's ARN, and the target role's trust policy (its resource-based policy) must name the caller as a principal for sts:AssumeRole. Both sides have to agree. One exception worth knowing: within a single account, a trust policy that names the caller's exact IAM ARN is sufficient on its own; a trust policy that names only the account root still requires the identity-policy allow. Cross-account access always needs both.
The credentials returned are temporary and scoped to a session, which is why roles are preferred over long-lived access keys. An optional session policy can further restrict the session: the effective permissions are the intersection of the role's permission policies and the session policy, so a session policy can only remove permissions, never add them, and it applies to that session only. The trust policy can also require an sts:ExternalId condition, which is the standard guard against the confused-deputy problem when a third party assumes a role in your account.
Example
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/example \
  --role-session-name my-session \
  --external-id unique-id
The --external-id value must match the sts:ExternalId condition in the role's trust policy; if the trust policy has no such condition, the flag is unnecessary. The session name is recorded in CloudTrail as part of the assumed-role ARN, so use a value that identifies the caller rather than a generic label.
Common mistake
Granting sts:AssumeRole on Resource "*" lets a principal assume any role whose trust policy is loose, for example a role that trusts the whole caller account via its root ARN rather than a specific role or user. Scope it to the specific role ARNs the workload actually needs, and keep trust policies equally narrow: name the exact principal ARNs, and add an sts:ExternalId condition for third-party callers.
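The two-sided check described above, the session-policy intersection, and the Resource "*" mistake can all be walked through with a small policy model. The following is an added illustration, not IAM's real evaluation engine and not Shieldly's code: it handles only Allow/Deny, "*" wildcards in Action and Resource, AWS principals given as an ARN, account root, or bare account ID, and the sts:ExternalId StringEquals condition. The account IDs, role names, and policies are constructed sample data.

```python
"""Simplified model of the checks that gate sts:AssumeRole (added example).

Assumptions: caller identity policy and role trust policy are both required
(the cross-account case); conditions other than sts:ExternalId are ignored.
"""
import fnmatch

# Constructed sample identifiers (not real accounts).
ROLE_ARN = "arn:aws:iam::123456789012:role/example"
FORGOTTEN_ROLE_ARN = "arn:aws:iam::123456789012:role/forgotten-admin"
CALLER_ARN = "arn:aws:iam::999988887777:role/ci-runner"


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(candidate, patterns):
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def policy_allows(policy, action, resource_arn):
    """Evaluate an identity-style policy: explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(action.lower(), actions):
            continue
        if not _matches(resource_arn, _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_allows(trust, caller_arn, external_id=None):
    """Evaluate the role's trust policy for sts:AssumeRole by `caller_arn`."""
    caller_account = caller_arn.split(":")[4]
    accepted_principals = {caller_arn, f"arn:aws:iam::{caller_account}:root", caller_account}
    allowed = False
    for stmt in _as_list(trust["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches("sts:assumerole", actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" not in aws and not accepted_principals.intersection(aws):
            continue
        # Confused-deputy guard: a required ExternalId must be presented exactly.
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id not in _as_list(required):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(identity_policy, trust_policy, caller_arn, role_arn, external_id=None):
    """Both sides must agree: identity policy AND trust policy."""
    return (policy_allows(identity_policy, "sts:AssumeRole", role_arn)
            and trust_policy_allows(trust_policy, caller_arn, external_id))


def session_allows(role_policy, session_policy, action, resource_arn):
    """Effective session permission is the intersection of role and session policy."""
    return policy_allows(role_policy, action, resource_arn) and \
        policy_allows(session_policy, action, resource_arn)


# Constructed sample policies.
SCOPED_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Resource": ROLE_ARN}]}
WILDCARD_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                    "Resource": "*"}]}
TRUST_WITH_EXTERNAL_ID = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "unique-id"}}}]}
# "Loose" trust: the whole caller account is trusted and nothing else is checked.
LOOSE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"AWS": "arn:aws:iam::999988887777:root"}}]}
ROLE_PERMISSIONS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SESSION_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                 "Resource": "arn:aws:s3:::reports/*"}]}

if __name__ == "__main__":
    print(can_assume(SCOPED_IDENTITY, TRUST_WITH_EXTERNAL_ID, CALLER_ARN, ROLE_ARN, "unique-id"))
    print(can_assume(SCOPED_IDENTITY, TRUST_WITH_EXTERNAL_ID, CALLER_ARN, ROLE_ARN, "wrong-id"))
    print(can_assume(SCOPED_IDENTITY, LOOSE_TRUST, CALLER_ARN, FORGOTTEN_ROLE_ARN))
    print(can_assume(WILDCARD_IDENTITY, LOOSE_TRUST, CALLER_ARN, FORGOTTEN_ROLE_ARN))
    print(session_allows(ROLE_PERMISSIONS, SESSION_POLICY, "s3:PutObject", "arn:aws:s3:::reports/q1.csv"))
```

The last two can_assume calls are the point of the common mistake: the same loosely trusting forgotten-admin role is unreachable from the scoped identity policy but reachable from the Resource "*" one, even though nothing about the trust policy changed. The session_allows call shows a session policy removing s3:PutObject from a role that otherwise grants s3:*.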
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.