From ebfff04b65a11fea78f5771d74903957238ecb3c Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Wed, 29 Mar 2023 14:33:21 -0400
Subject: [PATCH] backport of commit 2834ac293dfd48e738ffa8b4fea05cab753de41b (#19824)

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
---
 website/content/docs/secrets/aws.mdx | 53 ++++++++++++++--------------
 1 file changed, 26 insertions(+), 27 deletions(-)

diff --git a/website/content/docs/secrets/aws.mdx b/website/content/docs/secrets/aws.mdx
index 299b4aa91298..15fb19b0f19d 100644
--- a/website/content/docs/secrets/aws.mdx
+++ b/website/content/docs/secrets/aws.mdx
@@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an instance in an IAM instance profile) can retrieve `assumed_role` credentials (but cannot retrieve `federation_token` credentials). -The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole` -against the target role: +The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of +two methods: -```javascript -{ - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume" - } -} -``` - -You must attach a trust policy to the target IAM role to assume, allowing -the aws/root/config credentials to assume the role. +1. The credentials have an IAM policy attached to them against the target role: + ```javascript + { + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume" + } + } + ``` -```javascript -{ - "Version": "2012-10-17", - "Statement": [ +1. A trust policy is attached to the target IAM role for the principal: + ```javascript { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME" - }, - "Action": "sts:AssumeRole" + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME" + }, + "Action": "sts:AssumeRole" + } + ] } - ] -} -``` + ``` When specifying a Vault role with a `credential_type` of `assumed_role`, you can specify more than one IAM role ARN. If you do so, Vault clients can select which
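Review bot: The new lead-in "must be allowed `sts:AssumeRole` through one of two methods" presents the identity-based policy (item 1) and the target role's trust policy (item 2) as alternatives, but the trust policy is not optional: STS does not let a principal assume a role unless that role's trust policy allows it, so item 1 on its own cannot work and a reader who follows only that item will have the assumption denied. In my understanding it is the identity-based policy that is conditionally needed — required for cross-account assumption and whenever the trust policy names the account root rather than the exact principal, and omissible for same-account assumption when the trust policy names the `aws/config/root` user or role ARN explicitly. The removed wording ("must have an IAM policy … You must attach a trust policy") was correct on this point; suggest a conjunctive lead-in such as `The target IAM role must trust the aws/config/root principal, and those credentials may additionally need an identity-based policy allowing sts:AssumeRole:` and marking item 2 as required rather than as an alternative. The trust-policy example still shows only a `user/` principal ARN although the context above says instance-profile role credentials can also be used; a one-line note that the principal is a `role/` ARN in that case would close that second gap.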