AWS sts assume role in one command
AWS Security Token Service (STS) exposes the AssumeRole API, which lets a caller obtain temporary security credentials for a different IAM role. It is the standard mechanism for cross-account access and for narrowing what a particular task may do inside a single account. This page walks through the assume-role operation as a single CLI command, then covers the prerequisites, session limits and the real-world situations where it is used.
Overview of AWS STS Assume Role
AWS STS issues temporary security credentials that grant access to AWS resources. A credential set consists of an access key ID, a secret access key and a session token; requests signed with the key pair must also carry the session token, or they are rejected. AssumeRole is the call you make to switch roles within an account or across AWS accounts, so that you can perform operations your original IAM identity is not permitted to do with its own permissions.
Benefits of Using assume-role
- Security Enhancement: Temporary credentials expire on their own, so a leaked credential set is bounded in time, unlike a long-lived access key that stays valid until someone rotates it.
- Granular Access Control: Tailor permissions for specific tasks or operations.
- Cross-account Access: Simplifies resource access distributed across multiple AWS accounts.
Command Line Utilization
To assume a role from the AWS CLI in one command, the CLI must be installed and configured with an initial identity (an IAM user or a role) that is allowed to call sts:AssumeRole on the target role.
Syntax
The basic syntax for assuming a role using AWS CLI is:
Example Command
Assume a role with the ARN arn:aws:iam::123456789012:role/example-role for a session named example-session, with a session lasting 3600 seconds (1 hour):
The response includes temporary security credentials you can use for authentication:
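The following is an added example, not code from the original article. It shows the single-command form using the role ARN, session name and duration from the example above, plus a small POSIX sh helper that turns the CLI's text output into `export` statements for the current shell. The helper refuses to emit anything unless all four fields came back, so a failed or truncated STS response never leaves the shell with partial credentials. The sample output line at the bottom is constructed (not real credentials); only the parsing is exercised offline, and the `aws` call itself requires the CLI and a caller permitted to assume the role. The variable name `STS_SESSION_EXPIRES` is an assumption of this example and is not read by the AWS CLI.

```shell
#!/bin/sh
# Added example (not from the original article): assume a role and load the temporary
# credentials into the current shell in one command.
#
# The one-command form. --query selects the four credential fields and --output text
# prints them on a single tab-separated line instead of the full JSON response:
#
#   aws sts assume-role \
#     --role-arn arn:aws:iam::123456789012:role/example-role \
#     --role-session-name example-session \
#     --duration-seconds 3600 \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text

# creds_to_exports LINE
# Converts that tab-separated line into 'export' statements suitable for eval.
# Prints nothing on stdout and returns 1 unless exactly four fields are present.
creds_to_exports() {
    old_ifs=$IFS
    IFS=$(printf '\t')          # split on tabs only
    set -f                      # no glob expansion while splitting
    set -- $1
    set +f
    IFS=$old_ifs
    if [ "$#" -ne 4 ]; then
        echo "assume-role output malformed: expected 4 fields, got $#" >&2
        return 1
    fi
    # Values are single-quoted for eval; STS tokens never contain a single quote.
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
    # STS_SESSION_EXPIRES is this example's own name (assumption); the CLI does not
    # read it, it is kept only so the shell can tell when the session ends.
    printf "export STS_SESSION_EXPIRES='%s'\n" "$4"
}

# assume_role ROLE_ARN SESSION_NAME [DURATION_SECONDS]
# Runs the STS call and exports the result into the calling shell. Source this file,
# then: assume_role arn:aws:iam::123456789012:role/example-role example-session 3600
assume_role() {
    out=$(aws sts assume-role --role-arn "$1" --role-session-name "$2" \
            --duration-seconds "${3:-3600}" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
            --output text) || return 1
    exports=$(creds_to_exports "$out") || return 1
    eval "$exports"
    echo "assumed $1 as $2 until $STS_SESSION_EXPIRES" >&2
}

# Constructed sample of what the aws command prints (not real credentials), used to
# show the helper's output without calling AWS.
SAMPLE_OUTPUT=$(printf 'ASIAEXAMPLE1234567890\twJalrEXAMPLEsecretKEY\tFwoGZXIvYXdzEXAMPLEtoken\t2024-05-01T12:00:00+00:00')
creds_to_exports "$SAMPLE_OUTPUT"
```

Because the credentials are exported with `eval` rather than pasted by hand, they do not land in shell history. Note that the session token is mandatory: exporting only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from an AssumeRole response produces signature errors on every request.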
Implementation Details
Prerequisites
- IAM Policies: Ensure your IAM user or role has the sts:AssumeRole permission, ideally scoped to the target role's ARN rather than `"Resource": "*"`.
- Trust Relationship: The target role must trust the entity that attempts the assume-role. This is defined in the role's trust policy, and both sides must allow the call: a trust policy alone is not enough if the caller's own identity policy denies or omits sts:AssumeRole.
Managing Sessions
The duration of the temporary credentials is set with the --duration-seconds option. The floor is 900 seconds (15 minutes); the ceiling is the role's maximum session duration, which an administrator configures between 1 and 12 hours (the default is 1 hour). A request above the role's maximum is rejected outright rather than clamped. Two further limits apply: when the caller is itself running on credentials obtained from an earlier AssumeRole (role chaining), the new session is capped at 1 hour regardless of the role's setting, and the credentials cannot be revoked early except by changing the role's policies. Choose the shortest duration the task needs.
Cross-Account Role Assumption
In situations where you assume roles across multiple AWS accounts, you need both of the following, since either side alone is insufficient:
- Source Account IAM Policy: Grant the calling user or role the sts:AssumeRole permission on the target role's ARN.
- Target Account's Role Trust Policy: List the source account's IAM user or role as a trusted principal. A common pattern is to trust the source account itself and let the source account's IAM policies decide which of its principals may use that trust.
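The following is an added example, not from the original article, covering the cross-account setup described above. Two shell functions emit the trust policy for the target account's role and the permission policy for the source account's principal; a third shows the CLI calls an administrator would run in each account. The account IDs, role names and the ExternalId value are placeholders assumed for this example. The ExternalId condition is the standard guard against the confused-deputy problem when the source account belongs to a third party; it is not mentioned on the page, but a practitioner setting up cross-account trust should know it. Only the policy generators are exercised offline; the `aws iam` and `aws sts` calls require the CLI and administrative rights in each account.

```shell
#!/bin/sh
# Added example (not from the original article): the two policy documents that
# cross-account AssumeRole needs, and the CLI calls that install them.
# All account IDs, role names and the ExternalId below are placeholders.

SOURCE_ACCOUNT=111111111111          # account whose principal calls sts:AssumeRole
TARGET_ACCOUNT=222222222222          # account that owns the role being assumed
ROLE_NAME=cross-account-deploy       # role created in the target account
SOURCE_ROLE=ci-runner                # role in the source account that will assume it
EXTERNAL_ID=ci-2024-shared-secret    # placeholder; treat the real value as a secret

# trust_policy SOURCE_PRINCIPAL_ARN EXTERNAL_ID
# Trust policy attached to the role in the target account. Trusting a specific role
# ARN is tighter than trusting the whole account; the ExternalId condition means a
# caller must also know the shared value, which blocks confused-deputy abuse.
trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "$1" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "$2" } }
  }]
}
EOF
}

# assume_policy TARGET_ROLE_ARN
# Identity policy for the source principal. Scoped to one role ARN rather than "*",
# so the principal cannot assume any other role that happens to trust its account.
assume_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "$1"
  }]
}
EOF
}

# Commands an administrator runs in each account (need the AWS CLI; not run here).
install_cross_account() {
    role_arn="arn:aws:iam::${TARGET_ACCOUNT}:role/${ROLE_NAME}"
    src_arn="arn:aws:iam::${SOURCE_ACCOUNT}:role/${SOURCE_ROLE}"
    # In the target account: create the role with the trust policy and a 1 hour cap.
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "$(trust_policy "$src_arn" "$EXTERNAL_ID")" \
        --max-session-duration 3600
    # In the source account: let the CI role assume exactly that role.
    aws iam put-role-policy --role-name "$SOURCE_ROLE" \
        --policy-name "allow-assume-${ROLE_NAME}" \
        --policy-document "$(assume_policy "$role_arn")"
    # The caller must then supply the same ExternalId or STS returns AccessDenied.
    aws sts assume-role --role-arn "$role_arn" --role-session-name ci-run \
        --external-id "$EXTERNAL_ID"
}

# Print both documents so the reader can inspect them without touching AWS.
trust_policy "arn:aws:iam::${SOURCE_ACCOUNT}:role/${SOURCE_ROLE}" "$EXTERNAL_ID"
assume_policy "arn:aws:iam::${TARGET_ACCOUNT}:role/${ROLE_NAME}"
```

Attaching the permission policy on the source side is what makes the trust policy's account-level grant safe: if the target role trusted the whole source account and every principal there had `sts:AssumeRole` on `*`, any compromised identity in the source account could use the role.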
Real-world Use Cases
- DevOps: Efficiently switch roles for deploying resources in production environments.
- Security Auditing: Assume roles with tailored permissions for audits without disclosing long-lived credentials.
- Dynamic Resource Management: Automate complex workflows needing access to multiple AWS accounts.
Summary Table
| Feature/Concept | Description |
|---|---|
| Temporary Credentials | Short-lived access key, secret key and session token; expire automatically. |
| Role ARN | Unique identifier of the role you want to assume. |
| Session Name | Identifier for the session; appears in CloudTrail, so it is important for logging and traceability. |
| Session Duration | How long the temporary credentials are valid (15 minutes up to the role's maximum, at most 12 hours). |
| Cross-Account Access | Trust policy in the target account plus sts:AssumeRole permission in the source account. |
Conclusion
AWS STS AssumeRole is the mechanism for handing out scoped, time-limited access to AWS resources. From the CLI it collapses to one command that returns a credential set you can export into the current shell. Because the credentials expire, a leak is bounded in time, and because every session carries a name, CloudTrail records which session acted under the role. For cross-account work it is the standard building block: a trust policy on the target side, an sts:AssumeRole permission on the source side, and the shortest session duration the task allows.

