Assuming a Role in the AWS Console

AWS console IAM role assume

2 min read | by Jordi Prats

If you are working with Amazon Web Services (AWS), you may have heard the term "assuming a role" in the context of one role using another role. This phrase refers to the process of temporarily taking on a specific set of permissions or privileges within an AWS account, in order to perform certain actions or access specific resources.

Because we access the AWS console through a specific role, we can assume another role from there as well.

In the top-right corner of the console, click on your username, and then select "Switch Role" from the dropdown menu. Alternatively, you can navigate to the same page using https://signin.aws.amazon.com/switchrole.

We are going to get the following page where we can specify:

  • Account: The account number where the role we want to assume sits (it can be the current account number or any account that has the trust relationship set up).
  • Role: Role name that we want to assume.
  • Display Name: Name we want to use to identify the role we are using.

It's going to look like this:

[Image: Switch Role form]

We can use some parameters to craft a link that will have the settings predefined:



https://signin.aws.amazon.com/switchrole?account=account_num&roleName=role_name&displayName=label



Note that in order to assume any role, you must have the necessary permissions to do so. Specifically, you must have the "sts:AssumeRole" permission in your IAM policy. To assume a role across two different accounts, we need both: the source IAM role must be allowed to call AssumeRole, and the target role, which belongs to a different account, must have a trust relationship set up.
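As an added example (not code from the original post), this Python script builds the pre-filled Switch Role link from the three parameters above and generates the two policy documents the cross-account case needs: the permission policy for the source role and the trust policy for the target role. The account numbers, role names and function names are constructed for illustration; the validation assumes a 12-digit account number and the character set IAM allows in role names.

```python
import json
import re
from urllib.parse import quote, urlencode

SWITCH_ROLE_URL = "https://signin.aws.amazon.com/switchrole"
ACCOUNT_RE = re.compile(r"\d{12}", re.ASCII)          # 12-digit account number
ROLE_RE = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)   # characters IAM allows in role names


def check(account, role_name):
    """Reject malformed values before they end up in a link or a policy ARN."""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"not a 12-digit account number: {account!r}")
    if not ROLE_RE.fullmatch(role_name):
        raise ValueError(f"not a valid role name: {role_name!r}")


def switch_role_link(account, role_name, display_name):
    """Pre-filled Switch Role link using the three parameters from the post."""
    check(account, role_name)
    params = {"account": account, "roleName": role_name, "displayName": display_name}
    return f"{SWITCH_ROLE_URL}?{urlencode(params, quote_via=quote)}"


def cross_account_policies(src_account, src_role, dst_account, dst_role):
    """Return (permission policy for the source role, trust policy for the target role)."""
    check(src_account, src_role)
    check(dst_account, dst_role)
    permission = {  # attached to the source role: lets it call AssumeRole on one role only
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": f"arn:aws:iam::{dst_account}:role/{dst_role}"}],
    }
    trust = {  # trust relationship on the target role: names the one principal it trusts
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": f"arn:aws:iam::{src_account}:role/{src_role}"}}],
    }
    return permission, trust


if __name__ == "__main__":
    # Constructed sample values: 111111111111 is the source account, 222222222222 the target.
    print(switch_role_link("222222222222", "ops-admin", "Prod Ops"))
    for doc in cross_account_policies("111111111111", "console-user", "222222222222", "ops-admin"):
        print(json.dumps(doc, indent=2))
```

Scoping `Resource` and `Principal` to a single role ARN, rather than `*` or an account root, keeps each side of the cross-account relationship limited to the one role pair that is meant to be linked.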

Once assumed, we'll be able to see a new label on the top bar to help us identify what role we are using:

[Image: assumed role label on the top bar]


Posted on 21/02/2023
