AWS IAM documentation change
Summary
Added PowerShell V5 examples for AssumeRoleWithWebIdentity including policy scope limitations
Security assessment
The examples demonstrate proper security practices by emphasizing policy permission boundaries ('cannot grant more permissions than available in the role'), which helps prevent privilege escalation through proper policy configuration
Diff
diff --git a/IAM/latest/UserGuide/sts_example_sts_AssumeRoleWithWebIdentity_section.md b/IAM/latest/UserGuide/sts_example_sts_AssumeRoleWithWebIdentity_section.md index 8a3ef9dc2..28864f8f3 100644 --- a//IAM/latest/UserGuide/sts_example_sts_AssumeRoleWithWebIdentity_section.md +++ b//IAM/latest/UserGuide/sts_example_sts_AssumeRoleWithWebIdentity_section.md @@ -71,0 +72,14 @@ PowerShell +**Tools for PowerShell V5** + + +**Example 1: Returns a temporary set of credentials, valid for one hour, for a user who has been authenticated with the Login with Amazon identity provider. The credentials assume the access policy associated with the role identified by the role ARN. Optionally, you can pass a JSON policy to the -Policy parameter that further refine the access permissions (you cannot grant more permissions than are available in the permissions associated with the role). The value supplied to the -WebIdentityToken is the unique user identifier that was returned by the identity provider.** + + + Use-STSWebIdentityRole -DurationInSeconds 3600 -ProviderId "www.amazon.com" -RoleSessionName "app1" -RoleArn "arn:aws:iam::123456789012:role/FederatedWebIdentityRole" -WebIdentityToken "Atza...DVI0r1" + + + * For API details, see [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/powershell/v5/reference) in _AWS Tools for PowerShell Cmdlet Reference (V5)_. + + + +