AWS IAM glossary

What is IAM Session Policy?

A session policy is an inline permissions policy passed at the moment a role is assumed, further limiting the permissions of that temporary session.

When a principal calls sts:AssumeRole (or related APIs), it can pass one or more session policies. The effective permissions of the resulting session are the intersection of the role permissions and the session policy: the session can never gain more than the role already allows, only less.

Session policies are the standard way for a broker or application to hand out temporary credentials that are narrower than the underlying role. They are evaluated alongside identity-based and resource-based policies during authorization.

Common mistake

Assuming a session policy can grant extra permissions. It can only narrow what the role already permits, so a missing role permission cannot be added back through a session policy.
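The intersection rule above, and the common mistake, as an added example that is not part of the original page: a simplified evaluator over two constructed policy documents. It assumes only Allow/Deny statements with Action and Resource (no conditions, NotAction/NotResource, resource-based policies or permissions boundaries), so it models the rule, not the full AWS authorization logic.

```python
import fnmatch
import json

# Constructed role permissions policy: the role may read and write one bucket.
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# Constructed session policy passed at AssumeRole time: read-only on one
# prefix, plus an Allow for s3:DeleteObject that the role never granted.
SESSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::example-bucket/reports/*"
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    """Wildcard match of one statement against a request (actions are case-insensitive)."""
    actions = [a.lower() for a in _as_list(statement["Action"])]
    resources = _as_list(statement["Resource"])
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if _matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins
            decision = "Allow"
    return decision

def session_allows(role_policy, session_policy, action, resource):
    """Intersection rule: the session is allowed only if BOTH documents allow.

    A session policy Allow for an action the role lacks (s3:DeleteObject here)
    adds nothing; a role Allow the session policy omits (s3:PutObject) is lost.
    """
    return (policy_decision(role_policy, action, resource) == "Allow"
            and policy_decision(session_policy, action, resource) == "Allow")
```

With boto3 the session policy document is passed as the `Policy` string argument of `sts.assume_role`; the evaluator here only illustrates what the resulting session can and cannot do.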


Analyze a real policy free

Shieldly's AI-powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as a CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.