【Question title】: what do you get to work with after you assume a role using boto3
【Posted】: 2022-12-02 05:39:47
【Question description】:

I assumed a role using this piece of code:

import boto3

# Start from the named (SSO) profile and get an STS client for it
session = boto3.Session(profile_name="learnaws-test")
sts = session.client("sts")

# Request temporary credentials for the role
response = sts.assume_role(
    RoleArn="arn:aws:iam::xxx:role/s3-readonly-access",
    RoleSessionName="learnaws-test-session"
)

# Build a new session from the temporary credentials
# (the original called Session(...) without importing it)
new_session = boto3.Session(aws_access_key_id=response['Credentials']['AccessKeyId'],
                  aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                  aws_session_token=response['Credentials']['SessionToken'])

And now I'm ending up with new_session. At this point, is the role assumed? And how can I check that it is assumed? Also, now I want to assume another role from a different account. How do I utilize the new_session to do that? Is that even possible? Basically, my work is intended like this -> SSO login -> assume a role in account A -> assume a role in account B. I can't directly assume the role in account B. If anyone can provide a layout on how to achieve it, that would be great.

Hopefully my question is clear.

【Question discussion】:

    Tags: amazon-web-services boto3 amazon-iam assume-role


    【Solution 1】:

    Check this AWS Python example in the AWS Code Library that describes these tasks using the AWS SDK:

    The following code examples show how to:

    • Create a user who has no permissions.

    • Create a role that grants permission to list Amazon S3 buckets for the account.

    • Add a policy to let the user assume the role.

    • Assume the role and list Amazon S3 buckets using temporary credentials.

    • Delete the policy, role, and user.

    This code example should give you a better understanding.

    https://docs.aws.amazon.com/code-library/latest/ug/iam_example_iam_Scenario_CreateUserAssumeRole_section.html
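The SSO -> account A -> account B flow from the question, as an added example that is not part of the original post or the linked AWS sample: each hop calls `assume_role` with the previous hop's credentials, then confirms with `get_caller_identity` that the new session really is the role just assumed. The helper names `chain_roles` and `assumed_role_name` and the account/role placeholders are assumptions.

```python
def assumed_role_name(caller_arn):
    """Return the role name if the ARN is an STS assumed-role ARN, else None."""
    # Shape: arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
    parts = caller_arn.split(":", 5)[5].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) >= 3 else None


def _boto3_session(**creds):
    import boto3  # lazy import: the helpers above need no AWS access
    return boto3.Session(**creds)


def chain_roles(session, role_arns, session_name, session_factory=_boto3_session):
    """Assume each role in order; each call is signed by the previous hop."""
    for role_arn in role_arns:
        creds = session.client("sts").assume_role(
            RoleArn=role_arn, RoleSessionName=session_name
        )["Credentials"]
        session = session_factory(
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
        )
        # Verify the hop: the caller identity must now be the role just assumed.
        caller = session.client("sts").get_caller_identity()["Arn"]
        expected = role_arn.rsplit("/", 1)[-1]  # assumed-role ARNs drop the path
        if assumed_role_name(caller) != expected:
            raise RuntimeError(f"expected role {expected}, but caller is {caller}")
    return session


if __name__ == "__main__":
    import boto3
    start = boto3.Session(profile_name="learnaws-test")  # profile from the question
    final = chain_roles(
        start,
        [
            "arn:aws:iam::<ACCOUNT_A_ID>:role/<ROLE_IN_A>",  # placeholder
            "arn:aws:iam::<ACCOUNT_B_ID>:role/<ROLE_IN_B>",  # placeholder
        ],
        "learnaws-test-session",
    )
    print(final.client("sts").get_caller_identity()["Arn"])
```

The role in account B must trust the role in account A as a principal, and STS caps a session obtained through role chaining at one hour.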
