In order to let someone access your AWS account, either developer from outside company, or developer from different team. The most straighforward method is creating an IAM user, then add them to a group with IAM policy or attach policy directly to user or inline policy.
This quickly create a mess because you
The most imporant issue is security: That IAM user can create key under
their account, that key can be set to be use with
AWS CLI without MFA
enforcement. So despite when logging on aws console, user has to type
MFA, they don’t have to do that when using
aws cli with access/secret
key under that user.
Another issue is having multiple IAM account. Imagine if you have to switch between QA/Prod/Staging with multiple IAM.
Assume role solve this problem. Instead of binding permission to user/group, you create an IAM role. You granted permission so that an IAM user can assume and switch to that role. Once they switch, they inherited all permission the role has. We cannot create an key for a role.
On CLI, you use your access/secret key