Name and limit an STS role session
📑 On this page
Part 118 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
Session names appear in assumed-role ARNs and CloudTrail. Source identity can persist across role chains when the trust policy permits it.
Before you run it
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
ROLE_ARN="arn:aws:iam::$ACCOUNT_ID:role/aws-zero-demo-role"The role trust policy must allow sts:SetSourceIdentity when source identity is required or supplied.
The command
aws sts assume-role \
--role-arn "$ROLE_ARN" \
--role-session-name dhaya-maintenance \
--duration-seconds 1800 \
--query "{Arn:AssumedRoleUser.Arn,Expires:Credentials.Expiration}"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws sts assume-role \
--role-arn "$ROLE_ARN" \
--role-session-name aws-zero-audit \
--duration-seconds 900 \
--query "AssumedRoleUser.Arn" \
--output textRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws sts assume-role \
--role-arn "$ROLE_ARN" \
--role-session-name dhaya-traceable \
--source-identity dhaya \
--duration-seconds 900Source identity adds durable audit context, but the trust policy must also allow sts:SetSourceIdentity. Requested duration cannot exceed the role maximum.
Common mistake
Do not use generic session names such as test for shared operational roles. Names are audit context and may be visible cross-account.
Cleanup
unset ROLE_ARNTemporary sessions expire automatically.
Next, we will learn Create an IAM user access key carefully.