docs: Change wording for AssumeRole permissions in AWS secrets (#19823)

Co-authored-by: wernerwws <wernerwws@users.noreply.github.com>
2023-03-29 13:03:26 -05:00 · 2023-03-29 13:03:26 -05:00 · 71071fd954
parent bc57865998
commit 71071fd954
1 changed files with 27 additions and 28 deletions
--- a/website/content/docs/secrets/aws.mdx
+++ b/website/content/docs/secrets/aws.mdx
@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an
   instance in an IAM instance profile) can retrieve `assumed_role` credentials
   (but cannot retrieve `federation_token` credentials).

-The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole`
-against the target role:
+The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of
+two methods:

-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": "sts:AssumeRole",
-    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
-  }
-}
-```
-
-You must attach a trust policy to the target IAM role to assume, allowing
-the aws/root/config credentials to assume the role.
-
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": [
+1.  The credentials have an IAM policy attached to them against the target role:
+    ```javascript
    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
-      },
-      "Action": "sts:AssumeRole"
+      "Version": "2012-10-17",
+      "Statement": {
+        "Effect": "Allow",
+        "Action": "sts:AssumeRole",
+        "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
+      }
    }
-  ]
-}
-```
+    ```
+
+1.  A trust policy is attached to the target IAM role for the principal:
+    ```javascript
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+    ```

 When specifying a Vault role with a `credential_type` of `assumed_role`, you can
 specify more than one IAM role ARN. If you do so, Vault clients can select which