What it is: An STS operation where a principal “switches into” a role and receives temporary credentials.

What it’s for:

• Cross-account access (Account A assumes role in Account B).
• Service-to-service secure permission granting.
• Human “role switching” for admin tasks without permanent admin users.

Requirements:

• The caller must be allowed to call AssumeRole (by its identity policy).
• The role’s Trust Policy must trust the caller.

Exam cues:

• “role cannot be assumed” → check BOTH: caller policy + trust policy.

Hard words:

• *operation* /ˌɑːpəˈreɪʃn/: thao tác (API action)
• *trust* /trʌst/: tin cậy
• *caller* /ˈkɔːlər/: bên gọi (ai gọi API)