Reputation: 862
Conflicting documentation
The documentation here, pertaining to AssumeRole, seems to contradict itself in one continuous block:
You must call this API using existing IAM user credentials. For more information, see Creating a Role to Delegate Permissions to an IAM User and Configuring MFA-Protected API Access.
This is an unsigned call, meaning that the app does not need to have access to any AWS security credentials in order to make the call.
The contradictions are given bold emphasis.
Code sample
The code sample provided here certainly seems to require credentials:
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// The STS client is constructed from an explicit access key / secret key pair,
// i.e. the caller's existing IAM user credentials.
AmazonSecurityTokenServiceClient securityTokenServiceClient = new AmazonSecurityTokenServiceClient(
    Config.AccessKey,
    secretKeyAsString,
    securityTokenServiceConfig);
…
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest
{
    DurationSeconds = sessionDurationSec,
    RoleArn = roleArn,
    RoleSessionName = awsUsername,
    ExternalId = groupSid
};
…
// The request is signed with the credentials the client was built with.
assumeRoleResponse = securityTokenServiceClient.AssumeRole(assumeRoleRequest);
In conclusion
Which is true? Are the requests in the code sample truly redundant?
Thank you!
Upvotes: 2
Views: 1259
Reputation: 11
This is indeed an error in the docs, which is in the process of being corrected. AssumeRole does require existing long-term (IAM User) or temporary credentials to call. It is the two federation equivalents, AssumeRoleWithSAML and AssumeRoleWithWebIdentity, that can be called without credentials. Sorry for the confusion!
Upvotes: 1
Reputation: 36113
The AssumeRole API call does require existing AWS credentials.
In order to assume an IAM role, an existing set of credentials must be used so that AWS knows who is assuming the role. This is so that AWS can verify that the assuming party is allowed to assume the role.
In the documentation:
This is an unsigned call, meaning that the app does not need to have access to any AWS security credentials in order to make the call.
This does appear to be incorrect information.
Upvotes: 2
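As an added example (not code from the question or from either answer), the two calling conventions the answers describe, written against the AWS SDK for .NET that the question uses: AssumeRole on a client that carries the caller's credentials, and AssumeRoleWithWebIdentity on an anonymous client. The role ARN, external ID, access keys and OIDC token are assumed placeholders supplied by the caller.

```csharp
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Added example, not part of the original post or answers. All arguments
// (keys, role ARN, external ID, token) are placeholders chosen by the caller.
public static class StsCallingConventions
{
    // AssumeRole is a signed call: the client must hold credentials that identify
    // the caller, because the target role's trust policy is evaluated against that
    // principal. Here they are an explicit IAM user key pair, as in the question.
    public static async Task<Credentials> AssumeRoleSignedAsync(
        string accessKey, string secretKey, string roleArn, string externalId)
    {
        var callerCreds = new BasicAWSCredentials(accessKey, secretKey);
        using var sts = new AmazonSecurityTokenServiceClient(callerCreds, RegionEndpoint.USEast1);

        var request = new AssumeRoleRequest
        {
            RoleArn = roleArn,
            RoleSessionName = "signed-assume-role-example", // recorded in CloudTrail
            ExternalId = externalId, // must match the trust policy's sts:ExternalId condition
            DurationSeconds = 900
        };
        var response = await sts.AssumeRoleAsync(request);
        return response.Credentials; // temporary access key, secret and session token
    }

    // AssumeRoleWithWebIdentity is the unsigned counterpart: the client is built
    // with AnonymousAWSCredentials and the caller proves identity with the OIDC
    // token instead of an AWS signature. AssumeRoleWithSAML works the same way,
    // with SAMLAssertion in place of WebIdentityToken.
    public static async Task<Credentials> AssumeRoleUnsignedAsync(string roleArn, string oidcToken)
    {
        using var sts = new AmazonSecurityTokenServiceClient(
            new AnonymousAWSCredentials(), RegionEndpoint.USEast1);

        var request = new AssumeRoleWithWebIdentityRequest
        {
            RoleArn = roleArn,
            RoleSessionName = "unsigned-web-identity-example",
            WebIdentityToken = oidcToken,
            DurationSeconds = 900
        };
        var response = await sts.AssumeRoleWithWebIdentityAsync(request);
        return response.Credentials;
    }
}
```

The returned Credentials object is what a new client should be built from; the caller's long-term keys never need to leave the first method.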