====== AssumeRole ======

**What it is:** An STS operation where a principal “switches into” a role and receives temporary credentials.

**What it’s for:**
  * Cross-account access (Account A assumes a role in Account B).
  * Service-to-service secure permission granting.
  * Human “role switching” for admin tasks without permanent admin users.

**Requirements:**
  * The caller must be allowed to call AssumeRole (by its identity policy).
  * The role’s [[aws:security:iam:trust-policy|Trust Policy]] must trust the caller.

**Exam cues:**
  * “role cannot be assumed” → check BOTH: caller policy + trust policy.

**Hard words:**
  * *operation* /ˌɑːpəˈreɪʃn/: an action (here, an API action)
  * *trust* /trʌst/: to rely on; confidence
  * *caller* /ˈkɔːlər/: the calling party (whoever calls the API)
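
The "check BOTH" cue from the exam cues, as an added example (not part of the original page): a simplified offline check of the caller's identity policy and the role's trust policy for the cross-account case. The policies, account IDs and helper names are constructed for illustration; Condition blocks, wildcard principals, permission boundaries and SCPs are not modeled.

```python
import fnmatch

# Added example: constructed account IDs and names; helper names are illustrative.
CALLER = "arn:aws:iam::111111111111:user/alice"
ROLE = "arn:aws:iam::222222222222:role/AuditRole"
IDENTITY_OK = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
IDENTITY_WRONG_ROLE = {"Statement": [{"Effect": "Allow", "Action": "sts:*",
                                      "Resource": "arn:aws:iam::222222222222:role/Other*"}]}
TRUST_OK = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
TRUST_OTHER_ACCOUNT = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                      "Principal": {"AWS": "arn:aws:iam::333333333333:root"}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def identity_allows(policy, role_arn):
    """Caller side: an Allow for sts:AssumeRole on role_arn, and no matching Deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        action_hit = any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(st["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(st["Resource"]))
        if action_hit and resource_hit:
            if st["Effect"] == "Deny":
                return False  # explicit Deny always wins
            allowed = True
    return allowed

def trust_allows(trust_policy, caller_arn):
    """Role side: the trust policy names the caller or the caller's account."""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, account, f"arn:aws:iam::{account}:root"}
    for st in _as_list(trust_policy["Statement"]):
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principal = st["Principal"]
        named = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if accepted & set(named):
            return True
    return False

def diagnose(identity_policy, trust_policy, caller_arn, role_arn):
    """Return every failing side, so a fix on one side does not hide the other."""
    problems = []
    if not identity_allows(identity_policy, role_arn):
        problems.append("caller policy: no Allow for sts:AssumeRole on this role")
    if not trust_allows(trust_policy, caller_arn):
        problems.append("trust policy: role does not trust this caller")
    return problems
```

`diagnose(IDENTITY_WRONG_ROLE, TRUST_OTHER_ACCOUNT, CALLER, ROLE)` reports both sides at once, which is the case where fixing only one policy still leaves the role unassumable.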