Docs: AssumeRole examples fixes (#5678)

* fixes dynamic credentials TF example attributes * corrects AssumeRole policy from trusted identity to actual policy * Update website/content/docs/concepts/host-discovery/aws.mdx Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> --------- Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
10 months ago · eb753e07ec
parent e0c130a938
commit eb753e07ec
1 changed files with 14 additions and 18 deletions
--- a/website/content/docs/concepts/host-discovery/aws.mdx
+++ b/website/content/docs/concepts/host-discovery/aws.mdx
@ -82,24 +82,20 @@ Perform the following steps to set up a host catalog using [AssumeRole](https://

 1. Deploy a self-managed worker in your AWS account. The worker must be in the same VPC as the hosts you want to access using the dynamic host catalog. Consider [adding worker tags](/boundary/docs/concepts/filtering/worker-tags) to make it easier to route traffic through it using a worker filter later on.

-1. Create an IAM role with the `AmazonEC2ReadOnlyAccess` policy attached. This policy should match the following:
+1. Create an IAM role with the `AmazonEC2ReadOnlyAccess` policy attached, or define a custom policy with the `ec2:DescribeInstances` action allowed for all resources. This policy should contain the following, at least:

   ```json
   {
-       "Version": "2012-10-17",
-       "Statement": [
-           {
-               "Effect": "Allow",
-               "Action": [
-                   "sts:AssumeRole"
-               ],
-               "Principal": {
-                   "Service": [
-                       "ec2.amazonaws.com"
-                   ]
-               }
-           }
-       ]
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Action": [
+           "ec2:DescribeInstances"
+         ],
+         "Effect": "Allow",
+         "Resource": "*"
+       }
+     ]
   }
   ```

@ -285,12 +281,12 @@ Apply the following Terraform policy:

    attributes_json = jsonencode({
      "region" = "eu-west-2",
-      "disable_credential_rotation" = true })
-    secrets_json = jsonencode({
+      "disable_credential_rotation" = true,
      "role_arn" = "AWS_ROLE_ARN_VALUE",
      "role_external_id" = "AWS_ROLE_EXTERNAL_ID_VALUE",
      "role_session_name" = "AWS_ROLE_SESSION_NAME_VALUE",
-      "role_tags" = "AWS_ROLE_TAGS_VALUE"})
+      "role_tags" = "AWS_ROLE_TAGS_VALUE"
+    })
  }
  ```