For Stuart to assume this role via the AWS Management Console, he also needs the required permissions to allow him to assume the role. Again, a policy is required to enable the user to do that, and it looks as follows:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::730739171055:role/CrossAccountRDS"
}
}
This role uses an Action parameter, which uses the Secure Token Service (STS) permission of AssumeRole against the resource in the trusting account. You can also use, for example, wildcards in the ARN of Resource. If you wanted Stuart to assume any role in the trusting account, you could use * as a wildcard, which would then look as follows:
"Resource": "arn:aws:iam::730739171055:role/*"
Now, the cross-account role has been created, and a policy that...