hashicorp · robmonte · Mar 29, 2023 · Mar 29, 2023
@@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an
    instance in an IAM instance profile) can retrieve `assumed_role` credentials
    (but cannot retrieve `federation_token` credentials).
 
-The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole`
-against the target role:
+The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of
+two methods:
 
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Action": "sts:AssumeRole",
-    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
-  }
-}
-```
-
-You must attach a trust policy to the target IAM role to assume, allowing
-the aws/root/config credentials to assume the role.
+1.  The credentials have an IAM policy attached to them against the target role:
+    ```javascript
+    {
+      "Version": "2012-10-17",
+      "Statement": {
+        "Effect": "Allow",
+        "Action": "sts:AssumeRole",
+        "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
+      }
+    }
+    ```
 
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": [
+1.  A trust policy is attached to the target IAM role for the principal:
+    ```javascript
     {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
-      },
-      "Action": "sts:AssumeRole"
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
     }
-  ]
-}
-```
+    ```
 
 When specifying a Vault role with a `credential_type` of `assumed_role`, you can
 specify more than one IAM role ARN. If you do so, Vault clients can select which