docs: Change wording for AssumeRole permissions in AWS secrets (#19823)

Co-authored-by: wernerwws <wernerwws@users.noreply.github.com>
This commit is contained in:
Robert 2023-03-29 13:03:26 -05:00 committed by GitHub
parent bc57865998
commit 71071fd954
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an
instance in an IAM instance profile) can retrieve `assumed_role` credentials instance in an IAM instance profile) can retrieve `assumed_role` credentials
(but cannot retrieve `federation_token` credentials). (but cannot retrieve `federation_token` credentials).
The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole` The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of
against the target role: two methods:
```javascript 1. The credentials have an IAM policy attached to them against the target role:
{ ```javascript
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
}
}
```
You must attach a trust policy to the target IAM role to assume, allowing
the aws/root/config credentials to assume the role.
```javascript
{
"Version": "2012-10-17",
"Statement": [
{ {
"Effect": "Allow", "Version": "2012-10-17",
"Principal": { "Statement": {
"AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME" "Effect": "Allow",
}, "Action": "sts:AssumeRole",
"Action": "sts:AssumeRole" "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
}
} }
] ```
}
``` 1. A trust policy is attached to the target IAM role for the principal:
```javascript
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
},
"Action": "sts:AssumeRole"
}
]
}
```
When specifying a Vault role with a `credential_type` of `assumed_role`, you can When specifying a Vault role with a `credential_type` of `assumed_role`, you can
specify more than one IAM role ARN. If you do so, Vault clients can select which specify more than one IAM role ARN. If you do so, Vault clients can select which