• Used to grant limited and temporary access (15 min - 1 hour) to AWS resources

APIs

• AssumeRole - assume an IAM Role within your account or cross account and return temporary credentials for that role
• AssumeRoleWithSAML - return credentials for users logged in with SAML
• AssumeRoleWithWebldentity - return credentials for users logged in via a web identity provider like Facebook, Google, OIDC compatible IDP, etc.
• GetSessionToken - get session token for MFA
• GetFederationToken - obtain temporary credentials for a federated user
• GetCallerldentity - return details about the lAM user or role
• DecodeAuthorizationMessage - decode error message when an AWS API is denied

AssumeRole

• Steps to assume a Role
  • Define an IAM Role (within your account or cross-account)
  • Trust Policy: Define which principals can assume this IAM Role
  • Call AssumeRole API to impersonate the IAM Role and retrieve credentials

GetSessionToken

• Used to get session token for MFA
• Returns
  • Access ID
  • Secret Key
  • Session Token
  • Expiration Date
• IAM policy can be created to allow some actions only if the user is multi-factor authenticated (aws:MultiFactorAuthPresent: true)