This is a style question as I've already gotten my results but I was curious to see others methodology. So following the information in this AWS post I did the following

1. Search for userIdentity.type=AssumedRole
2. Inner Join on userIdentity.accessKeyId with results with
3. search for eventName=AssumeRole, deduped responseElements.credentials.accessKeyId, renamed to userIdentity.accessKeyId

My final search looks like this
index="aws_cloudtrail" userIdentity.type=AssumedRole
| join type=inner userIdentity.accessKeyId
[| search index="aws_cloudtrail" eventName=AssumeRole | dedup responseElements.credentials.accessKeyId | spath "userIdentity.principalId" | rex field=userIdentity.principalId "\:(?<principalId>.*)" | rename requestParameters.roleArn as requestedRole, responseElements.credentials.accessKeyId as userIdentity.accessKeyId | fields requestedRole, principalId, userIdentity.accessKeyId]
| table _time, principalId, requestedRole, eventName, requestParameters.bucketName, errorCode