Assume

Features

Everything between you and a live session.

Assume models the way cloud access actually works — identities, roles, and the short-lived credentials that connect them.

01

Six session types, one gesture.

Whatever shape your access takes, starting it looks the same: click, and the credentials exist. Stop, and they're gone.

  • IAM User

    Store an access key pair once — encrypted — and Assume trades it for session tokens via STS. The original keys are never handed to your tools.

    sts get-session-token

  • IAM Role Federated

    Authenticate against your identity provider through SAML and assume a role directly from the federation response.

    sts assume-role-with-saml

  • IAM Role Chained

    Hop from one role into another. Build the chain once and start the leaf role with a single click — every hop is handled for you.

    sts assume-role

  • AWS SSO

    Connect an IAM Identity Center portal with the OIDC device flow. Every account and permission set you can reach becomes a session.

    sso get-role-credentials

  • Azure

    Sign in with your Entra ID tenant and switch between subscriptions. Assume drives the az CLI so your tools see a normal Azure login.

    az login --tenant

  • LocalStack

    Develop against a local cloud with zero ceremony — sessions point your AWS tooling at localhost with test credentials.

    endpoint http://localhost:4566

02

Connect a directory, inherit every role.

AWS IAM Identity Center

Authenticate once with the OIDC device flow — no secrets to paste. Assume syncs your portal and materializes every account and permission set as a ready-to-start session. Re-sync any time; revoked access disappears with it.

Microsoft Entra ID

Point Assume at your tenant and it discovers the subscriptions you can reach, keeping the az CLI signed in and scoped to the session you choose.

03

Credentials with a heartbeat.

Written where your tools look

Sessions land in named profiles, so the AWS CLI, SDKs, Terraform, and your IDE pick them up without any configuration. Map each session to the profile your project expects.

Rotated before they expire

Active sessions refresh themselves in the background. A long deploy never dies halfway because a token aged out.

Regions and profiles, per session

Switch a session's region or named profile on the fly — useful when the same role serves several projects.

04

Prod and staging, side by side.

The cloud console only lets you be one identity per browser. The Assume extension for Chrome removes that limit — open a console tab per session, each isolated from the others, launched straight from the app.

  • multi-console

    Several AWS consoles open at once, one per session.

  • no sign-out roulette

    Switching identities never logs you out of another tab.

  • one click in

    Open the web console for any running session from the app or CLI.

05

The whole app, headless.

The assume CLI talks to the running desktop app, so scripts and CI share the same sessions, integrations, and vault — no second source of truth.

Read the CLI guide
Terminal
assume session list
assume session start prod-admin
assume session current
assume session open-web-console
assume integration sync

See it on your own accounts.

Download for macOS