What is Assume Role in AWS?
In AWS (Amazon Web Services), Assume Role is a feature that lets you delegate access to AWS resources securely. It allows an IAM (Identity and Access Management) entity, such as an IAM user or an AWS service, to temporarily take on a role, and the permissions that go with it, inside your own AWS account or even in another AWS account. The role that is taken on is referred to as the "assumed role."
IAM Roles
In AWS, an IAM role is a set of permissions that governs what an IAM entity is allowed to do with AWS resources. IAM users, AWS services, and other trusted entities can all act as IAM entities.
Trust Policy
Each IAM role has a trust policy attached to it that defines which entities are permitted to assume the role. The trust policy names the trusted parties that can assume the role and the conditions under which they may do so.
Role Permissions
Roles also have permissions policies attached to them, often referred to as role policies. These policies specify exactly what the role is allowed to do. When an entity assumes the role, it receives the permissions defined in the role's policies.
Assume Role Process
To assume a role, an entity sends an AssumeRole API request to the AWS Security Token Service (STS). The entity supplies the ARN (Amazon Resource Name) of the role it wants to assume and authenticates with its own credentials (for example, its IAM user credentials).
Authentication and Authorization
STS verifies the requester's identity using the entity's credentials. If the trust policy attached to the role permits that entity to assume it, STS issues temporary security credentials: an access key ID, a secret access key, and a session token.
Temporary Security Credentials
STS returns these temporary security credentials to the entity. The credentials are valid for a limited time and carry only the permissions granted by the assumed role's policies. With them, the entity can call AWS services as if it were the role itself.
Cross-Account Access
Assume Role is especially useful when you need to grant access to resources in another AWS account. By creating a role in the account that owns the resources (the trusting account) and writing its trust policy to name the other account (the trusted account), you let entities in the trusted account assume the role and access resources in the trusting account.
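The following is an added example, not code from the original article: it builds the two policy documents the Trust Policy and Role Permissions sections describe for a cross-account role (a trust policy naming the trusted account, optionally with an ExternalId condition and an MFA requirement, and a read-only permissions policy for one bucket), and then runs a deliberately simplified check of whether a given caller would pass the trust policy. The account IDs, bucket name and ARNs are constructed; real IAM evaluation also applies explicit Deny statements, service control policies and the caller's own identity policy, none of which this toy model considers.

```python
"""Added example (not from the original article): trust policy + permissions
policy for a cross-account role, and a simplified trust-policy check.
Account IDs, bucket name and ARNs are constructed."""
import json


def build_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Trust policy for a role in the trusting account: who may call sts:AssumeRole on it."""
    statement = {
        "Effect": "Allow",
        # Trusting the account root delegates the choice of *which* principals in
        # that account may assume the role to that account's own IAM policies.
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        # ExternalId is the standard guard against the confused-deputy problem
        # when a third party assumes a role in your account.
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_permissions_policy(bucket_name):
    """Permissions policy: what the role can do once assumed (read-only on one bucket)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
        }],
    }


def account_id(arn):
    """The account ID is the fifth colon-separated field of an IAM ARN."""
    return arn.split(":")[4]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_assume_allowed(trust_policy, caller_arn, external_id=None, mfa_present=False):
    """Simplified trust-policy check: does some Allow statement match this caller?
    Ignores Deny statements, SCPs and the caller's identity policy (toy model)."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        matched = any(
            p == caller_arn
            or (p.endswith(":root") and account_id(p) == account_id(caller_arn))
            for p in principals
        )
        if not matched:
            continue
        cond = stmt.get("Condition", {})
        wanted_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_ext is not None and wanted_ext != external_id:
            continue  # ExternalId missing or wrong: request refused
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False


if __name__ == "__main__":
    trust = build_trust_policy("111122223333", external_id="ex-4711")
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_permissions_policy("audit-logs"), indent=2))
    print(is_assume_allowed(trust, "arn:aws:iam::111122223333:user/alice", external_id="ex-4711"))
```

Because the trust policy names the account root rather than individual users, the trusted account still has to grant `sts:AssumeRole` on the role's ARN in its own identity policies before any of its users can actually assume the role; the trust policy alone only says which account is eligible.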
Increased Security
Assume Role increases security by removing the need to share long-term access keys. Because the credentials are temporary and time-bound, you reduce the window of exposure and can change who has access to critical resources as often as needed.
Session Tags
During the Assume Role procedure you can also attach session tags alongside the temporary security credentials. Session tags are key-value pairs that give the assumed-role session additional context. These tags can be used to audit, monitor, and control access to resources.
Session Expiration and Renewal
Temporary security credentials obtained through Assume Role have an expiry time. They can also be renewed: when the credentials expire, the entity must obtain a new set by assuming the role again or by using another form of authentication.
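The following is an added example, not code from the original article, that ties together the Assume Role Process, Session Tags and Session Expiration sections: it builds the AssumeRole request (role ARN, session name, duration, optional ExternalId and session tags), parses the response into the three temporary credentials plus their expiry, and wraps the call in a small session object that re-assumes the role shortly before the credentials expire. The dictionary it builds maps directly onto the keyword arguments of boto3's `sts.assume_role()`, and the response shape it parses is the one STS returns; `FakeSts`, the ARNs, tokens and tag values are constructed stand-ins so the example runs offline.

```python
"""Added example (not from the original article): AssumeRole request with
session tags, response parsing, and refresh-before-expiry handling.
FakeSts and all ARNs/tokens are constructed; the request dict matches
boto3's sts.assume_role(**kwargs) and the response matches STS's shape."""
import re
from datetime import datetime, timedelta, timezone

SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")   # STS RoleSessionName constraint
REFRESH_MARGIN = timedelta(minutes=5)                  # renew before hard expiry


def build_assume_role_request(role_arn, session_name, duration_seconds=3600,
                              external_id=None, session_tags=None):
    """Return sts.assume_role keyword arguments, validating what STS would reject."""
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName must match [\\w+=,.@-] and be 2-64 chars")
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be 900-43200 (and within the role's maximum)")
    request = {"RoleArn": role_arn, "RoleSessionName": session_name,
               "DurationSeconds": duration_seconds}
    if external_id:
        request["ExternalId"] = external_id  # must equal the trust policy's sts:ExternalId
    if session_tags:
        if len(session_tags) > 50:
            raise ValueError("at most 50 session tags per session")
        # Session tags (key <= 128 chars, value <= 256 chars) appear in CloudTrail
        # and are matchable as aws:PrincipalTag/<key> in policies.
        request["Tags"] = [{"Key": k, "Value": v} for k, v in session_tags.items()]
    return request


def parse_credentials(response):
    """Extract the temporary credentials and expiry from an AssumeRole response."""
    creds = response["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expires_at": creds["Expiration"],                # tz-aware datetime
        "assumed_role_arn": response["AssumedRoleUser"]["Arn"],
    }


def needs_refresh(expires_at, now=None, margin=REFRESH_MARGIN):
    """True when the credentials are expired or within `margin` of expiring."""
    now = now or datetime.now(timezone.utc)
    return expires_at - now <= margin


class AssumedRoleSession:
    """Caches one set of temporary credentials and re-assumes the role when needed."""

    def __init__(self, assume_role_fn, request):
        self._assume = assume_role_fn   # e.g. boto3 sts client's assume_role
        self._request = request
        self._creds = None

    def credentials(self, now=None):
        if self._creds is None or needs_refresh(self._creds["expires_at"], now):
            self._creds = parse_credentials(self._assume(**self._request))
        return self._creds


class FakeSts:
    """Constructed stand-in for the STS client: same response shape, no network."""

    def __init__(self, now=None):
        self.calls = 0
        self._now = now or datetime.now(timezone.utc)

    def assume_role(self, **kwargs):
        self.calls += 1
        account = kwargs["RoleArn"].split(":")[4]
        role_name = kwargs["RoleArn"].rsplit("/", 1)[-1]
        session = kwargs["RoleSessionName"]
        return {
            "Credentials": {
                "AccessKeyId": f"ASIAEXAMPLE{self.calls:05d}",          # constructed
                "SecretAccessKey": "constructed-secret",
                "SessionToken": f"constructed-token-{self.calls}",
                "Expiration": self._now + timedelta(seconds=kwargs["DurationSeconds"]),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": f"AROAEXAMPLE:{session}",
                "Arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/{session}",
            },
        }


if __name__ == "__main__":
    sts = FakeSts()
    req = build_assume_role_request("arn:aws:iam::111122223333:role/ReadOnly",
                                    "ci-build-42", session_tags={"Project": "billing"})
    session = AssumedRoleSession(sts.assume_role, req)
    print(session.credentials()["assumed_role_arn"], "expires", session.credentials()["expires_at"])
```

The `assumed-role` ARN in the response is what appears as the principal in CloudTrail and in resource policies, with the session name as its last component, which is why a descriptive, non-spoofable session name (a build ID, a ticket number) matters for auditing.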
Assume Role is an essential building block for securely controlling access to AWS resources, delegating permissions, and establishing trust between parties within and across AWS accounts.