docs: Change wording for AssumeRole permissions in AWS secrets (#19823)
Co-authored-by: wernerwws <wernerwws@users.noreply.github.com>
parent
bc57865998
commit
71071fd954
|
@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an
|
||||||
instance in an IAM instance profile) can retrieve `assumed_role` credentials
|
instance in an IAM instance profile) can retrieve `assumed_role` credentials
|
||||||
(but cannot retrieve `federation_token` credentials).
|
(but cannot retrieve `federation_token` credentials).
|
||||||
|
|
||||||
The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole`
|
The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of
|
||||||
against the target role:
|
two methods:
|
||||||
|
|
||||||
```javascript
|
1. The credentials have an IAM policy attached to them against the target role:
|
||||||
{
|
```javascript
|
||||||
"Version": "2012-10-17",
|
|
||||||
"Statement": {
|
|
||||||
"Effect": "Allow",
|
|
||||||
"Action": "sts:AssumeRole",
|
|
||||||
"Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
You must attach a trust policy to the target IAM role to assume, allowing
|
|
||||||
the aws/root/config credentials to assume the role.
|
|
||||||
|
|
||||||
```javascript
|
|
||||||
{
|
|
||||||
"Version": "2012-10-17",
|
|
||||||
"Statement": [
|
|
||||||
{
|
{
|
||||||
"Effect": "Allow",
|
"Version": "2012-10-17",
|
||||||
"Principal": {
|
"Statement": {
|
||||||
"AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
|
"Effect": "Allow",
|
||||||
},
|
"Action": "sts:AssumeRole",
|
||||||
"Action": "sts:AssumeRole"
|
"Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
]
|
```
|
||||||
}
|
|
||||||
```
|
1. A trust policy is attached to the target IAM role for the principal:
|
||||||
|
```javascript
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": {
|
||||||
|
"AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
|
||||||
|
},
|
||||||
|
"Action": "sts:AssumeRole"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
When specifying a Vault role with a `credential_type` of `assumed_role`, you can
|
When specifying a Vault role with a `credential_type` of `assumed_role`, you can
|
||||||
specify more than one IAM role ARN. If you do so, Vault clients can select which
|
specify more than one IAM role ARN. If you do so, Vault clients can select which
|
||||||
|
|
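Review bot: The new wording "must be allowed `sts:AssumeRole` through one of two methods" reads as if either the identity-based policy or the trust policy alone is sufficient, whereas the old text required both ("must have an IAM policy that allows `sts:AssumeRole` ... You must attach a trust policy to the target IAM role"). The trust policy on the target role is required in every case; the identity-based policy on the `aws/config/root` credentials is additionally needed when the trust policy does not name that principal explicitly (for example, it trusts the account root) or when the role lives in another account. Suggest rephrasing along the lines of "the target role's trust policy must allow the principal, and the credentials must also carry an identity-based policy granting `sts:AssumeRole` on the role unless the trust policy names them explicitly", and keeping the two snippets as the two pieces of that single setup rather than as alternatives. Minor: both items are numbered `1.` (fine for Markdown auto-numbering, but `1.`/`2.` is clearer in source), and the policy documents are JSON, so tagging the fences `json` rather than `javascript` would be more accurate.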