STS Assumed Role ARN — Temporary Credential Identity

Parse an STS assumed-role ARN to understand how temporary credentials are identified. Covers the relationship between role ARNs and session ARNs, and how CloudTrail logs use them.


Detailed Explanation

STS Assumed-Role ARN Structure

When an IAM role is assumed via sts:AssumeRole, the resulting temporary credentials are associated with an assumed-role ARN that includes the role name and a session name.

Example ARN

arn:aws:sts::123456789012:assumed-role/MyAppRole/session-name-1234

Parsed Components

Component      Value
Partition      aws
Service        sts
Region         (empty)
Account ID     123456789012
Resource Type  assumed-role
Resource ID    MyAppRole/session-name-1234

Role ARN vs. Assumed-Role ARN

These are two different identifiers for related concepts:

  • Role ARN: arn:aws:iam::123456789012:role/MyAppRole — identifies the role definition (service: iam)
  • Assumed-Role ARN: arn:aws:sts::123456789012:assumed-role/MyAppRole/session-name — identifies a specific session using the role (service: sts)

Session Names

The session name (session-name-1234) is specified when calling AssumeRole and appears in CloudTrail logs. Best practice is to use meaningful session names (like the username or service instance) so that CloudTrail events can be traced back to the specific caller.

CloudTrail Logging

When you see an action in CloudTrail, the userIdentity.arn field shows the assumed-role ARN, not the original role ARN. This is how you determine who assumed the role and performed the action.

IAM Policy Conditions

You can write IAM policies whose conditions match on the assumed-role ARN pattern, so that different sessions of the same role receive different permissions, using condition keys such as aws:PrincipalArn.

Federated User ARNs

Similarly, federated users (via SAML or web identity) get ARNs like arn:aws:sts::123456789012:federated-user/username, with federated-user as the resource type.

Use Case

Analyzing CloudTrail logs to identify which specific principal performed an action. The assumed-role ARN reveals both the role used and the session name, which is critical for security auditing and incident investigation in multi-tenant or shared-role environments.
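As an added example that is not part of the original page, the following Python splits an assumed-role ARN into the components tabulated above, derives the matching IAM role ARN, and pulls the acting session out of a CloudTrail record's userIdentity. The CloudTrail record, role name and session name are constructed sample values.

```python
import re

# Six colon-separated fields: arn:partition:service:region:account:resource.
# Only the first five colons split fields; the resource part may itself contain colons.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)

def parse_arn(arn: str) -> dict:
    """Split an ARN into its fields; the resource is split on its first '/'."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    d = m.groupdict()
    rtype, _, rid = d["resource"].partition("/")
    d["resource_type"] = rtype
    d["resource_id"] = rid
    return d

def parse_assumed_role_arn(arn: str) -> dict:
    """Return role name, session name and IAM role ARN for arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION."""
    d = parse_arn(arn)
    if d["service"] != "sts" or d["resource_type"] != "assumed-role":
        raise ValueError(f"not an assumed-role ARN: {arn!r}")
    role_name, sep, session_name = d["resource_id"].partition("/")
    if not sep or not session_name:
        raise ValueError(f"missing session name: {arn!r}")
    return {
        "account": d["account"],
        "role_name": role_name,
        "session_name": session_name,
        # Same partition and account; IAM is global, so the region field stays empty.
        # Caveat: the assumed-role ARN drops any IAM path, so this is exact only for roles
        # without a path. CloudTrail also carries the role ARN in sessionContext.sessionIssuer.arn.
        "role_arn": f"arn:{d['partition']}:iam::{d['account']}:role/{role_name}",
    }

def principal_from_cloudtrail(event: dict):
    """Return the acting session for an AssumedRole userIdentity, or None for other identity types."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return parse_assumed_role_arn(ident["arn"])

SAMPLE_EVENT = {  # constructed sample, shaped like CloudTrail's userIdentity for an AssumedRole
    "eventName": "GetSecretValue",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/MyAppRole/session-name-1234"},
}
```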
