From 71071fd95440ffbe021e0c43cad16bc8afa02de0 Mon Sep 17 00:00:00 2001 From: Robert <17119716+robmonte@users.noreply.github.com> Date: Wed, 29 Mar 2023 13:03:26 -0500 Subject: [PATCH] docs: Change wording for AssumeRole permissions in AWS secrets (#19823) Co-authored-by: wernerwws --- website/content/docs/secrets/aws.mdx | 55 ++++++++++++++-------------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/website/content/docs/secrets/aws.mdx b/website/content/docs/secrets/aws.mdx index 299b4aa91..15fb19b0f 100644 --- a/website/content/docs/secrets/aws.mdx +++ b/website/content/docs/secrets/aws.mdx @@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an instance in an IAM instance profile) can retrieve `assumed_role` credentials (but cannot retrieve `federation_token` credentials). -The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole` -against the target role: +The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of +two methods: -```javascript -{ - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume" - } -} -``` - -You must attach a trust policy to the target IAM role to assume, allowing -the aws/root/config credentials to assume the role. - -```javascript -{ - "Version": "2012-10-17", - "Statement": [ +1. The credentials have an IAM policy attached to them against the target role: + ```javascript { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME" - }, - "Action": "sts:AssumeRole" + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume" + } } - ] -} -``` + ``` + +1. A trust policy is attached to the target IAM role for the principal: + ```javascript + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME" + }, + "Action": "sts:AssumeRole" + } + ] + } + ``` When specifying a Vault role with a `credential_type` of `assumed_role`, you can specify more than one IAM role ARN. If you do so, Vault clients can select which