docs: Change wording for AssumeRole permissions in AWS secrets (hashi…

…corp#19823)

Co-authored-by: wernerwws <[email protected]>

website/content/docs/secrets/aws.mdx

@@ -355,37 +355,36 @@ authentication or single sign-on (SSO) scenarios. In order to use an
  instance in an IAM instance profile) can retrieve `assumed_role` credentials
  (but cannot retrieve `federation_token` credentials).
 
-The `aws/config/root` credentials must have an IAM policy that allows `sts:AssumeRole`
-against the target role:
+The `aws/config/root` credentials must be allowed `sts:AssumeRole` through one of
+two methods:
 
-```javascript
-{
- "Version": "2012-10-17",
- "Statement": {
- "Effect": "Allow",
- "Action": "sts:AssumeRole",
- "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
- }
-}
-```
-
-You must attach a trust policy to the target IAM role to assume, allowing
-the aws/root/config credentials to assume the role.
+1. The credentials have an IAM policy attached to them against the target role:
+ ```javascript
+ {
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/RoleNameToAssume"
+ }
+ }
+ ```
 
-```javascript
-{
- "Version": "2012-10-17",
- "Statement": [
+1. A trust policy is attached to the target IAM role for the principal:
+ ```javascript
  {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
- },
- "Action": "sts:AssumeRole"
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/VAULT-AWS-ROOT-CONFIG-USER-NAME"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
  }
- ]
-}
-```
+ ```
 
 When specifying a Vault role with a `credential_type` of `assumed_role`, you can
 specify more than one IAM role ARN. If you do so, Vault clients can select which