Introduction
Cross-account access is a common need in AWS environments, especially when managing resources across multiple accounts. This guide walks you through securely assuming an IAM role in a destination AWS account from a source account, using the AWS CLI and the temporary credentials that STS issues.
Prerequisites
- You have an IAM user in the source account with permissions to assume a role in the destination account.
- The destination account has a trust policy allowing the source IAM user or role to assume the role (e.g., S3MigrationRole).
- The AWS CLI is installed.
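The two policy documents behind the first two prerequisites, as an added example (this script is not from the original post). The account IDs 111122223333 (source) and 222233334444 (destination) and the user name MigrationUser are placeholders; the role name S3MigrationRole is the one used in this guide. The trust policy alone is not enough: the source user also needs an identity policy that allows sts:AssumeRole on the role's ARN, and scoping that policy to the one role ARN rather than "*" is the least-privilege choice.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the two policy documents
# behind the prerequisites above. Account IDs and the user name are
# placeholders; the role name S3MigrationRole is the one used in this guide.

# Trust policy attached to the role in the DESTINATION account: it names the
# single source-account principal allowed to call sts:AssumeRole on the role.
trust_policy() {
  source_account_id=$1   # e.g. 111122223333 (placeholder)
  source_user_name=$2    # e.g. MigrationUser (placeholder)
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleFromSourceUser",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${source_account_id}:user/${source_user_name}" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Identity policy for the IAM user in the SOURCE account: trust alone is not
# enough, the caller also needs permission to call sts:AssumeRole, scoped to
# exactly this role ARN rather than "*".
assume_role_policy() {
  role_arn=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeMigrationRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "${role_arn}"
    }
  ]
}
EOF
}

# Usage (run each command with credentials for the respective account;
# the names and account IDs are placeholders):
#   aws iam create-role --role-name S3MigrationRole \
#     --assume-role-policy-document "$(trust_policy 111122223333 MigrationUser)"
#   aws iam put-user-policy --user-name MigrationUser --policy-name AssumeS3MigrationRole \
#     --policy-document "$(assume_role_policy arn:aws:iam::222233334444:role/S3MigrationRole)"
```

Both functions only print JSON; the commented aws iam calls show where each document goes. If you later add a second caller, extend the Principal list in the trust policy rather than widening it to the whole source account.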
Step 1: Install the AWS CLI
If you haven’t already, install the AWS CLI.
Verify installation:
aws --version
Step 2: Configure the AWS CLI with IAM User Credentials
Use the IAM user credentials from the source account:
aws configure
You’ll be prompted for four inputs:
AWS Access Key ID [None]: AKIA**********MPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCY*********KEY
Default region name [None]: us-west-2
Default output format [None]: json
- You can choose your region (e.g., us-east-1 or us-west-2).
- JSON is recommended for scripting and parsing.
Step 3: Assume the IAM Role in the Destination Account
Use the following command to assume a role (e.g., S3MigrationRole) in another AWS account:
aws sts assume-role \
--role-arn "arn:aws:iam::<destination-account-id>:role/S3MigrationRole" \
--role-session-name "AWSCLI-Session"
Replace <destination-account-id> with the actual AWS account ID.
Step 4: Export Temporary Credentials to Environment Variables
From the JSON output obtained from the previous command, copy the values under the Credentials block and set them as environment variables:
export AWS_ACCESS_KEY_ID="ASIA***********EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCY*********KEY"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjE***********TOKEN"
These credentials allow you to operate as the assumed role for a limited time.
Step 5: Verify Your Identity
To ensure you’re operating under the correct role, run:
aws sts get-caller-identity
Expected output:
{
"UserId": "AROAEXAMPLE:AWSCLI-Session",
"Account": "<destination-account-id>",
"Arn": "arn:aws:sts::<destination-account-id>:assumed-role/S3MigrationRole/AWSCLI-Session"
}
If you see the assumed role ARN, everything is working as expected.
These temporary credentials are short-lived. Once expired, you’ll need to re-run the assume-role command and re-export the new credentials.
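Steps 3 to 5 as one sourceable script, added here as an example (it is not from the original post). It assumes the AWS CLI is already configured with the source-account user from Step 2; the variables ROLE_ARN and SESSION_NAME and the helper functions are this example's own names. Instead of copying values out of the JSON by hand, it uses --query with --output text to pull the Credentials block, exports it, and then checks that get-caller-identity really reports the assumed role before anything else runs.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 3 to 5 as one sourceable
# script. Assumes the AWS CLI is configured with the source-account user
# (Step 2). ROLE_ARN, SESSION_NAME and the helper names are this example's own.
# Usage:  . ./assume-role.sh && assume_role_env && verify_identity

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::<destination-account-id>:role/S3MigrationRole}"
SESSION_NAME="${SESSION_NAME:-AWSCLI-Session}"

# Single point through which the AWS CLI is invoked (easy to stub when testing).
aws_cli() { aws "$@"; }

# Step 3: call sts:AssumeRole. --query/--output text yields one tab-separated
# line, so no JSON parser is needed to extract the Credentials block.
fetch_role_credentials() {
  aws_cli sts assume-role \
    --role-arn "$1" \
    --role-session-name "$2" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text
}

# Step 4: export the temporary credentials into the current shell. Must be
# sourced (". ./assume-role.sh"), otherwise the exports die with the subshell.
assume_role_env() {
  creds=$(fetch_role_credentials "$ROLE_ARN" "$SESSION_NAME") || return 1
  IFS="$(printf '\t')" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY \
    AWS_SESSION_TOKEN ROLE_CREDS_EXPIRE_AT <<EOF
$creds
EOF
  [ -n "$AWS_SESSION_TOKEN" ] || { echo "assume-role returned no session token" >&2; return 1; }
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  echo "Assumed $ROLE_ARN; credentials expire at $ROLE_CREDS_EXPIRE_AT" >&2
}

# Step 5: confirm the caller is the assumed role, not the source IAM user.
# Returns 1 on mismatch so scripts do not continue with the wrong identity.
verify_identity() {
  role_name=${ROLE_ARN##*/}
  arn=$(aws_cli sts get-caller-identity --query Arn --output text) || return 1
  case "$arn" in
    arn:aws:sts::*:assumed-role/"$role_name"/"$SESSION_NAME")
      echo "OK: $arn"; return 0 ;;
    *)
      echo "Unexpected identity: $arn" >&2; return 1 ;;
  esac
}

# Once the credentials expire, drop them so the CLI falls back to the Step 2
# profile, then re-run assume_role_env.
clear_role_env() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN ROLE_CREDS_EXPIRE_AT
}
```

Source the file rather than executing it, since exported variables only survive in the shell that set them. Note that while AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are set, the CLI uses them in preference to the profile from Step 2, so after the session expires either run clear_role_env or assume the role again; a stale token simply produces ExpiredToken errors until you do.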
Conclusion
Using the AWS CLI and sts:AssumeRole is a powerful and secure way to manage cross-account access in AWS. By relying on temporary credentials, you reduce the risk of long-lived secrets and operate with scoped, time-bound access.
Whether you’re migrating S3 buckets, automating backups, or deploying infrastructure across environments, assuming roles via the CLI is a foundational skill for any AWS practitioner.
Mastering IAM and the AWS CLI can streamline role management and enhance cloud security. If you need expert guidance, Skynats offers reliable AWS Management Services to help you configure, troubleshoot, and optimize your AWS environment. Contact us today for tailored support.