Demonstrating AWS IAM Role Assumption Using AWS CLI (Without an Identity Provider)
I am here for giving wonderful knowledge to society
Introduction
In many AWS environments—especially labs, PoCs, or small teams—there is no external Identity Provider (IdP) such as SAML, ADFS, or AWS SSO. Even without an IdP, AWS provides a secure mechanism to switch permissions using IAM roles and AWS Security Token Service (STS).
In this blog, we demonstrate how to:
Create an IAM role with a trust policy
Allow an IAM user to assume that role
Use the AWS CLI to assume the role
Receive temporary credentials
Validate successful role assumption
This approach avoids long-term credential sharing and follows AWS security best practices.
Architecture Overview
IAM User: Acts as the source identity
IAM Role: Contains permissions (ReadOnlyAccess in this demo)
STS AssumeRole: Issues temporary credentials
AWS CLI: Used to perform all operations
No federation or identity provider is involved.
Step 1: Create a Trust Policy
The trust policy defines who can assume the role.
trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::533267375318:user/s3-role"
},
"Action": "sts:AssumeRole"
}
]
}
🔹 This policy allows the IAM user s3-role to assume the role.
Step 2: Create the IAM Role
Using the AWS CLI, create the role with the trust policy:
aws iam create-role \
--role-name DemoAssumeRole \
--assume-role-policy-document file://trust-policy.json
Output confirms:
Role creation
Trust relationship
Role ARN
Step 3: Attach Permissions to the Role
Attach an AWS-managed policy to define what the role can do.
aws iam attach-role-policy \
--role-name DemoAssumeRole \
--policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
🔹 The role now has read-only access across AWS services.
Step 4: Verify the Role Trust Policy
Confirm the trust policy is correctly applied:
aws iam get-role \
--role-name DemoAssumeRole \
--query 'Role.AssumeRolePolicyDocument'
This ensures the correct IAM user is trusted.
Step 5: Assume the Role Using AWS STS
Now assume the role from the trusted IAM user context:
aws sts assume-role \
--role-arn arn:aws:iam::533267365317:role/DemoAssumeRole \
--role-session-name cli-session
Step 6: Temporary Credentials Issued
AWS STS returns temporary security credentials:
AccessKeyId
SecretAccessKey
SessionToken
Expiration timestamp
Example ARN returned:
arn:aws:sts::533267365317:assumed-role/DemoAssumeRole/cli-session
✅ This confirms successful role assumption.
Step 7: What These Credentials Are Used For
The temporary credentials can be:
Exported as environment variables
Stored in an AWS CLI profile
Used by scripts or automation tools
They inherit only the permissions attached to the role, not the original IAM user.
Why This Approach Matters
This method allows you to:
Avoid sharing long-term credentials
Switch permissions securely
Enforce least-privilege access
Perform cross-role access within the same AWS account
Operate without SAML, OIDC, or SSO
Real-World Use Cases
Lab and sandbox environments
Dev/Test AWS accounts
Temporary elevated access
Automation scripts
CI/CD pipelines
Conclusion
This demonstration shows how AWS IAM role assumption works without an identity provider using only IAM, STS, and the AWS CLI. By defining a trust relationship and using sts:AssumeRole, an IAM user can securely obtain temporary credentials and operate with a different permission set.
This is a foundational AWS security pattern and a recommended alternative to long-term access keys.
