IAM roles concept in AWS - Time & Space Complexity
When using IAM roles, it is important to understand how the time to assume a role changes as you add more roles or policies.
We want to know how the number of roles or policies affects the time it takes to get permissions.
Analyze the time complexity of assuming multiple IAM roles in sequence.
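```bash
# Assume a role and export its temporary credentials into the environment
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
  $(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/ExampleRole --role-session-name Session1 \
    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text))
# Use the temporary credentials to assume another role
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/AnotherRole --role-session-name Session2
# Repeat for n roles
```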
This sequence shows assuming one IAM role after another, using temporary credentials from the previous role.
Identify the API calls, resource provisioning, and data transfers that repeat.
- Primary operation: The `sts assume-role` API call to get temporary credentials.
- How many times: Once for each role you want to assume in the chain.
Each additional role you assume adds one more API call to the sequence.
| Input Size (n) | Approx. API Calls/Operations |
|---|---|
| 10 | 10 assume-role calls |
| 100 | 100 assume-role calls |
| 1000 | 1000 assume-role calls |
Pattern observation: The number of API calls grows directly with the number of roles assumed.
Time Complexity: O(n)
This means the time to assume roles grows linearly with the number of roles you chain together.
[X] Wrong: "Assuming multiple roles happens all at once, so time does not increase with more roles."
[OK] Correct: Each role must be assumed one after another, so each adds time and API calls.
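The chain described above as a reusable shell function, added here as an example (not code from the original page). `chain_roles`, `CHAIN_CALLS` and the `chain-hop-N` session names are assumed names; it needs the AWS CLI and starting credentials that are allowed to assume the first role.

```bash
#!/usr/bin/env bash
# Added example: walk a role chain, one sts assume-role call per role.
# chain_roles, CHAIN_CALLS and the chain-hop-N session names are assumed
# names for illustration, not part of the AWS CLI.

# chain_roles ARN...
# Assumes each role in order; every hop is signed with the temporary
# credentials returned by the previous hop. Sets CHAIN_CALLS to the number
# of successful assume-role calls (n roles -> n calls).
chain_roles() {
  local arn creds hop=0
  CHAIN_CALLS=0
  for arn in "$@"; do
    hop=$((hop + 1))
    # One API call per role: this is the step that makes the chain O(n).
    # The session name is recorded in CloudTrail, so keep it meaningful.
    creds=$(aws sts assume-role \
      --role-arn "$arn" \
      --role-session-name "chain-hop-$hop" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text) || { echo "hop $hop failed: $arn" >&2; return 1; }
    CHAIN_CALLS=$((CHAIN_CALLS + 1))
    # Text output is one tab-separated line; swap the environment over to
    # this hop's credentials so the next call is made as this role.
    AWS_ACCESS_KEY_ID=$(printf '%s\n' "$creds" | cut -f1)
    AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$creds" | cut -f2)
    AWS_SESSION_TOKEN=$(printf '%s\n' "$creds" | cut -f3)
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  done
}

# Run directly with the role ARNs as arguments, in chain order.
if [ "$#" -gt 0 ]; then
  chain_roles "$@" && echo "assume-role calls made: $CHAIN_CALLS"
fi
```

STS caps a session obtained through role chaining at one hour, so a long chain has to be walked again, with another n calls, whenever that session expires.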
Understanding how IAM role chaining affects time helps you design secure and efficient permission flows in cloud environments.
"What if we used a single role with multiple policies instead of chaining roles? How would the time complexity change?"