AWS STS AssumeRole is an AWS Security Token Service API call that returns temporary security credentials for an IAM role. In practical terms, it lets a user, application, CI job, ECS task, Kubernetes workload, or another AWS account act with the permissions of a trusted role for a limited time, instead of using long-lived access keys. The target role defines what actions are allowed, its trust policy defines who can assume it, and optional settings such as session duration, external ID, MFA, session tags, and session policies can add controls. Teams commonly use AssumeRole for cross-account access, deployment automation, incident response access, and temporary admin workflows, often alongside infrastructure tools such as AWS CloudFormation. For example, a deployment pipeline in one AWS account can assume a role in a production account, receive short-lived credentials, deploy approved resources, and lose access when the session expires.
AWS STS AssumeRole
AWS STS AssumeRole is an API call that returns temporary credentials for access allowed by another IAM role.
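The trust policy decides who can assume a role, and the external ID and MFA settings mentioned in this entry are enforced as conditions in that policy. The following is an added example, not code from the original page: a small offline audit that flags trust policy statements granting `sts:AssumeRole` to another account without either condition. The account IDs, the external ID value, and the function names are constructed placeholders.

```python
import json

OWN_ACCOUNT = "999988887777"  # constructed placeholder: account that owns the role

# Constructed trust policies; account IDs and the external ID are placeholders.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}""")
HARDENED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")

def _as_list(value):
    # IAM policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, own_account):
    """Return (statement_index, finding) pairs for risky AssumeRole grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        # Condition keys are case-insensitive, so compare in lower case.
        cond_keys = {key.lower() for block in stmt.get("Condition", {}).values()
                     for key in block}
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for entry in aws:
            if entry == "*":
                if not cond_keys:
                    findings.append((idx, "wildcard principal with no condition"))
                continue
            # Principal is an ARN (account ID is the fifth field) or a bare account ID.
            account = entry.split(":")[4] if entry.startswith("arn:") else entry
            # Presence check only: the condition's operator and value still need review.
            guarded = cond_keys & {"sts:externalid", "aws:multifactorauthpresent"}
            if account != own_account and not guarded:
                findings.append((idx, "cross-account trust without ExternalId or MFA"))
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_trust_policy(policy, OWN_ACCOUNT))
```

In practice the policy document would come from the role's `AssumeRolePolicyDocument`, and a finding is a prompt for review rather than proof of misconfiguration.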