Trust Policy

What it is: A role policy that defines who/what can assume the role.

What it’s for:

  • Control which principal (user/role/service/identity provider) can call AssumeRole (or its federated variants, AssumeRoleWithWebIdentity / AssumeRoleWithSAML).

Key ideas:

  • Trust policy is a kind of resource-based policy attached to the role itself.
  • Common principals:
    • AWS service principal (e.g., ec2.amazonaws.com)
    • Another AWS account or role (cross-account)
    • OIDC identity provider (for EKS IRSA)

Exam cues:

  • “role can’t be assumed” → check trust policy.
  • “allow EC2 to assume role” → trust policy must include EC2 service principal.
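A small checker for the “role can’t be assumed → check trust policy” cue: it loads a trust policy document and reports whether a given principal and STS action are allowed by it. This is an added example written for this page, not code from the original; the two policies and the account ID 111111111111 are constructed samples, and the evaluator is simplified (it honours Allow/Deny and principal/action matching but ignores Condition blocks, which real IAM also applies).

```python
import json

# Constructed sample: EC2 service principal may assume the role.
EC2_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed sample: cross-account trust for one role (111111111111 is a placeholder account ID).
CROSS_ACCOUNT_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/DeployRole"},
     "Action": "sts:AssumeRole"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list in Principal and Action fields."""
    return value if isinstance(value, list) else [value]


def can_assume(trust_policy, principal_type, principal_id, action="sts:AssumeRole"):
    """True if the trust policy lets this principal call `action` on the role.

    principal_type is one of the Principal keys IAM uses: "Service", "AWS" or "Federated".
    An explicit Deny that matches wins over any Allow, as in real IAM evaluation.
    Simplified: Condition blocks are not evaluated.
    """
    allowed = False
    for stmt in trust_policy.get("Statement", []):
        if action not in _as_list(stmt.get("Action", [])):
            continue
        principals = stmt.get("Principal", {})
        matches = principals == "*" or principal_id in _as_list(principals.get(principal_type, []))
        if not matches:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed
```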

Hard words:

  • *principal* /ˈprɪnsəpəl/: the subject (who is requesting the permission)
  • *provider* /prəˈvaɪdər/: supplier (e.g., identity provider)
aws/security/iam/trust-policy.txt · Last modified: by phong2018