On occasion, I need to access multiple AWS resources that I have individual access for with separate IAM roles. If I need these resources to be used together, I currently have to figure out a non-native connector piece.
If I could access the resources together at the same time, I can sometimes use an AWS connector to interface with both resources at once (for example).
Is there a way to assume multiple IAM roles at the same time?
An instance profile can contain only one IAM role. This limit cannot be increased.
You can assume a role from an assumed role. Account C would have a role that trusts account B. Account B would have a role that trusts account A. Each role would also have to have permissions for sts:AssumeRole on the role that account is assuming.
You must explicitly grant your users permission to assume the role. Your users must actively switch to the role using the AWS Management Console or assume the role using the AWS CLI or AWS API.
You can assume a role by calling an AWS CLI or API operation or by using a custom URL. The method that you use determines who can assume the role and how long the role session can last. Using the credentials for one role to assume a different role is called role chaining.
Technically, yes, there is a way to assume multiple IAM roles at the same time.
But it doesn't mean what you intend.
Assuming an IAM role doesn't modify who you are and doesn't modify what permissions you have -- contrary to the intuitive interpretation of what it might mean to assume a different identity. Instead, when you assume a role, you are given a new set of temporary credentials to use, instead of "your" credentials -- the credentials you used to assume the role.
Requests made with these temporary credentials are authorized against the permissions granted to the role.
Thus, while you can assume multiple roles at the same time, each of those actions has a separate set of associated credentials, so it won't allow you to make requests that require you to have the permissions of more than one role for any given request.
Every request is performed by a single principal, so if you are trying to perform a single action that requires the union of the permissions of multiple roles, that's not possible.
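The point above, as an added example that is not part of the original answer: several roles are assumed in parallel, and each resulting client signs its requests with exactly one role's temporary credentials. The role ARNs, the `FakeSTS` stand-in and the helper names are assumptions made for illustration; with real access you would pass `boto3.client("sts")` instead of the stand-in.

```python
class FakeSTS:
    """Constructed offline stand-in for boto3.client("sts"); returns made-up credentials."""
    def __init__(self):
        self.calls = 0

    def assume_role(self, RoleArn, RoleSessionName):
        self.calls += 1
        n = self.calls
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{n:04d}",
            "SecretAccessKey": f"constructed-secret-{n}",
            "SessionToken": f"constructed-token-{n}",
        }}


def assume_roles(sts, role_arns, session_name="multi-role-demo"):
    """Call sts:AssumeRole once per role; each call yields its own temporary credentials."""
    sessions = {}
    for arn in role_arns:
        c = sts.assume_role(RoleArn=arn, RoleSessionName=session_name)["Credentials"]
        sessions[arn] = {
            "aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],
        }
    return sessions


def client_for(service, sessions, role_arn):
    """Build a boto3 client whose requests carry one role's credentials only."""
    import boto3  # imported here so the offline demo runs without boto3 installed
    return boto3.client(service, **sessions[role_arn])


def signing_identities(sessions):
    """Access key ID per role: no single credential set combines two roles."""
    return {arn: kw["aws_access_key_id"] for arn, kw in sessions.items()}


# Placeholder ARNs (constructed; substitute roles you are allowed to assume).
ROLE_A = "arn:aws:iam::111111111111:role/ExampleReadRole"
ROLE_B = "arn:aws:iam::222222222222:role/ExampleWriteRole"

if __name__ == "__main__":
    sessions = assume_roles(FakeSTS(), [ROLE_A, ROLE_B])
    print(signing_identities(sessions))
    # With real credentials: src = client_for("s3", sessions, ROLE_A) and
    # dst = client_for("s3", sessions, ROLE_B); your own code moves data between
    # them, and no individual request has both roles' permissions.
```

Both sessions stay valid side by side until their temporary credentials expire, but any one API call is authorized against only the role whose client made it.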