An assumed role allows your application to request credentials for a role that has been predefined with a policy and a trust relationship to the application. If access is granted, a session token is issued that is valid for a short time (usually one hour, but configurable from 15 minutes to more than a day). In almost all cases, this requires you to write code to request the credentials, store them in your application or in memory, and then use them. You will also need to create a role, trust policy, and policy document in your account or another account. No credentials are added to the environment, no credentials are checked into VCS, and the credentials eventually expire, so they cannot be compromised later. The role policy is not used for humans and can be tailored to the exact minimum access needed by the application, especially for cross-account or third-party access. A trust relationship can be granted to a very specific level of detail, making remote and third-party requests easy. However, code changes and coordination with cross-account or third-party accounts can be a herculean task. Despite the effort required, AWS assumed roles are the preferred and most secure way to gain access to resources.
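The sketch below is an added example, not code from the original page: it builds a trust policy scoped to one caller, flags trust policies that are broader than that, and requests the short-lived credentials in memory. The function names, ARNs and external ID are constructed for illustration, and `assume_role_session` assumes boto3 is installed and the caller already has an AWS identity.

```python
import json

# Constructed sample value (not from the original page).
APP_ROLE = "arn:aws:iam::111122223333:role/app-runner"

def build_trust_policy(principal_arn, external_id=None):
    """Trust policy: states exactly who may call sts:AssumeRole on the role."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole"}
    if external_id:  # extra condition commonly used for third-party access
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def trust_policy_findings(policy):
    """Return reasons a trust policy is broader than one specific caller."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            if arn == "*":
                findings.append("any AWS principal may assume this role")
            elif arn.endswith(":root") and "Condition" not in stmt:
                findings.append(f"{arn}: whole account trusted, no condition")
    return findings

def assume_role_session(role_arn, session_name, external_id=None, duration=900):
    """Request short-lived credentials and keep them only in memory."""
    import boto3  # assumption: boto3 installed, caller already has an AWS identity
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration}  # 900 s = the 15-minute minimum
    if external_id:
        params["ExternalId"] = external_id
    creds = boto3.client("sts").assume_role(**params)["Credentials"]
    # Nothing is written to disk or the environment; the keys expire on their own.
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

if __name__ == "__main__":
    policy = build_trust_policy(APP_ROLE, external_id="constructed-external-id")
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy))
```

The returned `boto3.Session` is used like any other session (for example `session.client("s3")`), and the permissions it carries are those of the role's policy document, not of the calling identity.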