What is Assume Role in AWS: Simple Explanation and Example
Assume role means temporarily taking on the permissions of another AWS identity to access resources securely. It lets one user or service act with the permissions of a different role without sharing long-term credentials.
How It Works
Imagine you have a key to your house, but you want to let a friend enter only for a short time without giving them your main key. Assume role in AWS works like lending a temporary key that grants specific access for a limited time.
When you assume a role, AWS gives you temporary security credentials that let you act as that role. This means you can access resources or perform actions allowed by that role's permissions, even if your original identity doesn't have those permissions.
This helps keep your main credentials safe and lets you control exactly what the temporary access can do and for how long.
Example
This example shows how to use the AWS CLI to assume a role and get temporary credentials.
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/ExampleRole --role-session-name ExampleSession
When to Use
Use assume role when you want to:
- Allow one AWS account or service to access resources in another account securely.
- Grant temporary permissions to users or applications without sharing permanent credentials.
- Follow security best practices by limiting access duration and scope.
- Enable cross-account access, such as a developer accessing production resources safely.
For example, a CI/CD pipeline can assume a role to deploy code without storing sensitive keys permanently.
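As an added example (not code from the original page), here is a small Python script showing what a pipeline step does with the JSON that `aws sts assume-role` returns: it checks that the response is complete, confirms the session really belongs to the expected role, refuses credentials that have already expired, and maps the three values to the environment variables the AWS SDKs and CLI read. The response is a constructed sample with placeholder values, and the function name `session_env` and the `ExampleRole` check are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `aws sts assume-role` output.
# Values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "placeholder-secret-key",
        "SessionToken": "placeholder-session-token",
        "Expiration": "2030-01-01T01:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:ExampleSession",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleSession",
    },
})

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def _parse_time(value):
    # AWS returns ISO 8601; tolerate a trailing "Z" on older Python versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_env(raw_json, expected_role="ExampleRole", now_iso=None):
    """Turn assume-role output into the env vars a pipeline step would export.

    Returns (env, seconds_left). Raises ValueError if the response is
    incomplete, names a role other than the one expected, or has expired.
    """
    data = json.loads(raw_json)
    creds = data.get("Credentials", {})
    missing = [k for k in REQUIRED if k not in creds]
    if missing:
        raise ValueError(f"incomplete credentials, missing {missing}")
    arn = data.get("AssumedRoleUser", {}).get("Arn", "")
    if f":assumed-role/{expected_role}/" not in arn:
        raise ValueError(f"unexpected assumed role: {arn}")
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    seconds_left = int((_parse_time(creds["Expiration"]) - now).total_seconds())
    if seconds_left <= 0:
        raise ValueError("temporary credentials already expired")
    env = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        # All three are needed: an STS key pair is rejected without its session token.
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
    return env, seconds_left
```

Because the credentials carry an expiration, a long-running job should re-run the assume-role call before `seconds_left` reaches zero rather than caching the values.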
Key Points
- Assume role provides temporary, limited permissions.
- It uses temporary security credentials with expiration.
- Helps improve security by avoiding long-term credential sharing.
- Supports cross-account and cross-service access.