Certified Security - Specialty


When should I use STS:AssumeRole?

Why do I need to assume a role for cross-account access to an S3 bucket, but not for cross-account access to a key in KMS?

Can someone simplify when I DO or DON’T need to use STS:AssumeRole in a cross account scenario?


2 Answers

Good question.

Here is my take: it depends on how you set up the trust relationship.

Typically you set it up as below, requiring assume role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
          "Action": "sts:AssumeRole"
        }
      ]
    }

The above allows the root user of the external account to assume the role. But the root can further grant/delegate access to specific users to AssumeRole:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::123456789012:role/marketingadminrole"
        }
      ]
    }

So users will get access only by AssumeRole.

In the case of KMS, the trust relationship is being set up only with the external acct, without any requirement of AssumeRole:

    "Principal": {
      "AWS": [
        "arn:aws:iam::109876543210:user/User1",
        "arn:aws:iam::012345678901:root"
      ]
    },
    "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
    "Resource": "*",
    "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } }


So the external acct when it grants permission to its users – has no requirement to AssumeRole.

Why is it done this way, or could we do it the other way? Not exactly sure. Perhaps there is something unique about KMS: no service uses assume role to use KMS; all services are just granted permissions. Typically in similar scenarios like EC2 etc., it is assume role.


Thanks Sam for your answer. Although it gave me some insight, it didn’t fully get me to understanding.

But I did some digging and I believe I figured it out. The answer is: it depends on how you grant the cross-account access to your resource.

If you are granting access from the Resource Policy (S3, SNS, SQS, etc.), then you DON’T specify (or use) STS:AssumeRole.

If you are granting access from an IAM Role Policy, then you DO have to specify STS:AssumeRole so this role can be assumed by the external account.

I’m not going into the details of how to set up cross-account access, as I was just trying to understand when I use the AssumeRole action.

BTW, here is a good reference (if someone wants to read):


Thank you.
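
Added example (not part of either answer, and not AWS code): a Python check that applies the distinction drawn in this thread to policy JSON. For each Allow statement it reports whether it is a role trust policy (the named principal must call sts:AssumeRole), a resource policy that grants its actions directly, or an identity policy, and which outside accounts it names. The home account ID `111122223333`, the function names, and the Version/Statement wrapper around the KMS fragment are assumptions made for the example.

```python
import json
import re

# Matches a bare account ID or an IAM ARN and captures the 12-digit account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

def _as_list(value):
    """Policy JSON allows a scalar or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def classify(stmt, home_account):
    """Return (kind, external_accounts) for one policy statement.
    'identity': no Principal; applies to whatever identity it is attached to.
    'trust':    Principal is allowed sts:AssumeRole (a role trust policy).
    'resource': Principal is granted the resource's own actions directly.
    """
    principal = stmt.get("Principal")
    if principal is None:
        return "identity", []
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
    external = []
    for p in aws:
        m = ACCOUNT_RE.match(p)
        acct = m.group(1) if m else p  # keep "*" and unknown forms visible
        if acct != home_account and acct not in external:
            external.append(acct)
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    kind = "trust" if actions & {"sts:assumerole", "sts:*"} else "resource"
    return kind, external

def audit(policy_json, home_account):
    """Classify every Allow statement in a policy document."""
    doc = json.loads(policy_json)
    return [classify(s, home_account) for s in _as_list(doc.get("Statement"))
            if s.get("Effect") == "Allow"]

HOME = "111122223333"  # constructed: the account that owns the role and the key
TRUST = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
  "Action": "sts:AssumeRole"}]}'''
# The thread's KMS fragment, wrapped in a constructed Allow statement.
KEY_POLICY = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::109876543210:user/User1", "arn:aws:iam::012345678901:root"]},
  "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
  "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}}]}'''

if __name__ == "__main__":
    print(audit(TRUST, HOME), audit(KEY_POLICY, HOME))
```

Run over every role trust policy and resource policy in an account, the `external_accounts` lists give an inventory of which outside accounts can reach what, and by which of the two paths.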
