====== Trust Policy ======

**What it is:** A role policy that defines **who/what can assume the role**.

**What it's for:**
  * Control which principal (user/role/service) can call ''sts:AssumeRole'' on the role.

**Key ideas:**
  * A trust policy is a kind of **resource-based policy** attached to the role itself.
  * Common principals:
    * AWS service principal (e.g., ''ec2.amazonaws.com'')
    * Another AWS account or role (cross-account)
    * OIDC identity provider (for EKS IRSA)

**Exam cues:**
  * "role can't be assumed" → check the trust policy.
  * "allow EC2 to assume role" → the trust policy must include the EC2 service principal.

**Hard words:**
  * *principal* /ˈprɪnsəpəl/: the entity that is requesting permissions (who is asking)
  * *provider* /prəˈvaɪdər/: a supplier (for example, an identity provider)
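The three principal kinds listed above, written out as trust policy documents and run through a small evaluator, as an added example (not from the original page or from AWS). It is a simplified model of how STS reads a trust policy: only ''Allow'' statements, exact-match principals and ''StringEquals'' conditions are handled, and the account ID and OIDC provider host are constructed placeholders.

```python
# Constructed sample trust policies: one per principal kind.
# 111122223333 and oidc.eks.example.invalid are placeholders, not real identities.
OIDC_PROVIDER = "oidc.eks.example.invalid/id/EXAMPLE"

EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/DeployRole"},
    "Action": "sts:AssumeRole"}]}

OIDC_TRUST = {"Version": "2012-10-17", "Statement": [{  # EKS IRSA style
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC_PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC_PROVIDER}:sub": "system:serviceaccount:default:app"}}}]}


def can_assume(trust_policy, principal_type, principal_id, action, context=None):
    """Simplified trust-policy check: is there an Allow statement that names
    this principal (Service / AWS / Federated) for this STS action, with every
    StringEquals condition satisfied by the request context?
    Deny statements, wildcards and other condition operators are ignored."""
    context = context or {}
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if action not in actions:
            continue
        allowed = stmt.get("Principal", {}).get(principal_type, [])
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if principal_id not in allowed:
            continue  # "role can't be assumed": principal missing from trust policy
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conds.items()):
            return True
    return False
```

A Lambda service principal against ''EC2_TRUST'', or a pod with the wrong service-account ''sub'' against ''OIDC_TRUST'', is refused even though both have a valid STS call path, which is the "check the trust policy" exam cue in code.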