AWS emr documentation change
Summary
Updated IAM OIDC trust policy to use correct condition keys (OIDC_PROVIDER:aud, OIDC_PROVIDER:sub) and added Principal block
Security assessment
The change corrects the IAM OIDC trust policy by replacing aws:userid with OIDC_PROVIDER:sub and adding OIDC_PROVIDER:aud condition, aligning with OIDC security best practices. No evidence of a specific security issue.
Diff
diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md index 2d0ab4f2e..58f7c1679 100644 --- a//emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md +++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md @@ -42,6 +42,4 @@ JSON - "Action": [ - "sts:AssumeRoleWithWebIdentity" - ], - "Resource": [ - "*" - ], + "Principal": { + "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER" + }, + "Action": "sts:AssumeRoleWithWebIdentity", @@ -49,2 +47,4 @@ JSON - "StringLike": { - "aws:userid": "system:serviceaccount:emr:emr-containers-sa-flink-operator" + "StringEquals": { + "OIDC_PROVIDER:aud": "sts.amazonaws.com", + "OIDC_PROVIDER:sub": "system:serviceaccount:emr:emr-containers-sa-flink-operator" + } @@ -52,2 +51,0 @@ JSON - }, - "Sid": "AllowSTSAssumerolewithwebidentity"