awslabs / aws-iatk


Feature request: please take a boto3 session for credential config, not just a profile name

praneetap opened this issue · comments

Use case

https://ben11kehoe.medium.com/boto3-sessions-and-why-you-should-use-them-9b094eb5ca8e
I think a good use case for this is:

I have a "test suite stack" that creates multiple roles (named randomly by CFN) for me to test my application, deployed automatically by test suite setup and torn down at the end
In my test suite code, I need to assume multiple of these roles in the same test (say I'm writing as a user and reading as an admin)
I can't (and shouldn't) modify ~/.aws/config during the test, especially because there might be multiple test suites running in parallel
With support for sessions (and aws-assume-role-lib), this is trivial. As it currently exists, it's really hard.

Solution/User Experience

Ability to assume a role and then reuse the returned credentials in iatk.

Alternative solutions

No response

I don't think we should accept boto objects. The way AWS IATK works is by passing information into an embedded Go Binary. Accepting a boto object for credentials would mean we either 1) need to mutate the system env vars or 2) pass this information over stdin into the Go Binary. Either of these seems ideal and should be looked at more deeply.

@hawflau had the suggestion of accepting a Role ARN and doing STS for the customer instead, which I think still meets the ask here.

An individual test needs to be able to use multiple different sets of credentials simultaneously, from any source of its choosing. I would argue that the embedded Go binary should not be able to pick up any ambient credentials at all, because those credentials may not be intended to be used by the test suite (e.g., a default profile). I think it's the outer wrapper's job to resolve credentials and then pass them in (or error out if it cannot resolve them). So then you need to be able to provide credentials (and region) in a packaged form, which is exactly what a boto3 session is. There are many weirder ways people programmatically obtain credentials than just calling AssumeRole.
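As an added example (not aws-iatk or boto3 code, and not from either commenter): the "wrapper resolves credentials, then passes them in" approach discussed above, taking a boto3-style Session and handing its frozen credentials and region to a child process (such as an embedded Go binary) through a per-invocation environment, rather than by mutating the process-wide env vars. It assumes only boto3's public Session interface (get_credentials().get_frozen_credentials() and region_name); the key values in the demo are constructed placeholders.

```python
"""Build an isolated environment for a credential-consuming child process
from a boto3-style Session. Added example, not part of aws-iatk or boto3.
Assumes only the public boto3 Session interface: session.get_credentials()
returning an object with get_frozen_credentials() (fields access_key,
secret_key, token), and session.region_name.
"""
import os
import subprocess
from typing import Mapping, Optional


def credential_env_from_session(session, base_env: Optional[Mapping[str, str]] = None) -> dict:
    """Return a fresh env dict for ONE child invocation.

    Ambient AWS_* variables (AWS_PROFILE, a default-profile key pair, ...) are
    dropped so the child can only use what the wrapper resolved. os.environ is
    never mutated, so two tests holding different sessions can run side by side.
    """
    creds = session.get_credentials()
    if creds is None:
        raise RuntimeError("session has no resolvable credentials; refusing to fall back to ambient ones")
    frozen = creds.get_frozen_credentials()  # snapshot, stable even for refreshable credentials
    region = session.region_name
    if not region:
        raise RuntimeError("session has no region configured")
    source = base_env if base_env is not None else os.environ
    env = {k: v for k, v in source.items() if not k.startswith("AWS_")}
    env["AWS_ACCESS_KEY_ID"] = frozen.access_key
    env["AWS_SECRET_ACCESS_KEY"] = frozen.secret_key
    if frozen.token:  # present for assumed-role / temporary credentials
        env["AWS_SESSION_TOKEN"] = frozen.token
    env["AWS_REGION"] = region
    env["AWS_DEFAULT_REGION"] = region
    return env


def run_with_session(session, argv):
    """Run argv (e.g. the wrapped Go binary) with only the session's credentials visible."""
    return subprocess.run(argv, env=credential_env_from_session(session), check=True)


if __name__ == "__main__":
    import boto3  # real usage: one Session per role the test needs
    s = boto3.Session(aws_access_key_id="AKIAEXAMPLEPLACEHOLDER",  # constructed placeholder values
                      aws_secret_access_key="example-secret",
                      aws_session_token="example-token",
                      region_name="us-east-1")
    print(sorted(k for k in credential_env_from_session(s) if k.startswith("AWS_")))
```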