Skip to content

Commit

Permalink
docs: Change wording for AssumeRole permissions in AWS secrets (#19823)
Browse files Browse the repository at this point in the history
Co-authored-by: wernerwws <wernerwws@users.noreply.github.com>
  • Loading branch information
robmonte and wernerwws authored Mar 29, 2023
1 parent 4063d6e commit 2834ac2
Showing 1 changed file with 26 additions and 27 deletions.
53 changes: 26 additions & 27 deletions website/content/docs/secrets/aws.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an
instance in an IAM instance profile) can retrieve `assumed_role` credentials
(but cannot retrieve `federation_token` credentials).

The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole`
against the target role:
The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of
two methods:

```javascript
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
}
}
```

You must attach a trust policy to the target IAM role to assume, allowing
the aws/root/config credentials to assume the role.
1. The credentials have an IAM policy attached to them against the target role:
```javascript
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
}
}
```

```javascript
{
"Version": "2012-10-17",
"Statement": [
1. A trust policy is attached to the target IAM role for the principal:
```javascript
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
},
"Action": "sts:AssumeRole"
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
},
"Action": "sts:AssumeRole"
}
]
}
]
}
```
```

When specifying a Vault role with a `credential_type` of `assumed_role`, you can
specify more than one IAM role ARN. If you do so, Vault clients can select which
Expand Down

0 comments on commit 2834ac2

Please sign in to comment.