Update AWS config

[mindymo]

Per https://conductorone.atlassian.net/browse/DOCS-436

Summary by CodeRabbit

• Documentation
  • Updated AWS Trust Policy configuration guidance with granular IAM permission statements including minimum required permissions.
  • Removed documented limitation for cross-account Assume Role functionality.
  • Added documentation for optional organization support and account alias configurations in policy statements.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation update to AWS IAM configuration guidance, removing a cross-account limitation statement and restructuring the Trust Policy JSON from a single statement to multiple granular permission statements covering minimum requirements, optional organizations support, and account alias features.

Changes

Cohort / File(s)	Summary
AWS Documentation Update baton/aws-v2.mdx	Removed Known limitations subsection for cross-account Assume Role; restructured Trust Policy JSON from single statement to multiple statements including minimum IAM permissions, optional organizations integration, and optional account aliases support; removed narrative Action/Principal explanations; adjusted JSON formatting.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 AWS permissions refined with care,
Cross-account walls no longer there,
Trust policies now granular and clear,
Organizations and aliases appear,
Documentation hops into the light!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Update AWS config' is vague and generic, failing to clearly convey the specific nature of the changes (trust policy restructuring, permission updates, and removal of limitations documentation).	Consider a more specific title that captures the main change, such as 'Restructure AWS trust policy with minimum permissions and optional organizational support' or similar to better reflect the substantive documentation updates.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @baton/aws-v2.mdx:
- Around line 70-113: The JSON shown is invalid because it contains
JavaScript-style comments and is the wrong type of policy: it lists permissions
(iam:List*, iam:Get*, etc.) which belong in an inline permissions policy, not a
Trust Policy; replace the code block with a valid Trust Policy that includes a
Principal and sts:AssumeRole (similar to the example using "Principal": {"AWS":
"arn:aws:iam::...:role/ConductorOneService"} and a Condition for
"sts:ExternalId"), move the iam:* actions out of the Trust Policy and instead
show them as a separate inline permissions policy in the next step, and remove
all // comments from any JSON blocks (put explanatory notes as markdown text
before/after the JSON instead).
- Line 93: Fix the typo in the documentation string that currently reads
"ConductorOn e UI" by removing the stray space and changing it to "ConductorOne
UI" wherever that exact phrase appears (e.g., the comment line containing "//
Optional: Include this statement if you enable "Enable support for AWS
Organizations" checkbox in the ConductorOn e UI"); update the text to read "//
Optional: Include this statement if you enable "Enable support for AWS
Organizations" checkbox in the ConductorOne UI".

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef2dec3 and e2e3ea7.

📒 Files selected for processing (1)

• baton/aws-v2.mdx

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Invalid JSON: Comments are not allowed in standard JSON.

The JSON block contains JavaScript-style comments (//), which are not valid JSON syntax. When users paste this directly into the AWS IAM Trust Policy JSON editor, it will fail to parse and be rejected.

Additionally, this appears to be structured as a Permissions Policy (with iam:List*, iam:Get* actions) rather than a Trust Policy. A Trust Policy should define who can assume the role using a Principal element and sts:AssumeRole action, similar to the SSO setup example at lines 246-264.

Consider:

1. Moving the comments outside the JSON block as markdown explanations (like the notes section at lines 167-172)
2. Providing the correct Trust Policy structure with Principal for cross-account access, then adding these permissions as an inline policy in the subsequent step

Example of valid Trust Policy structure (from SSO section)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::765656841499:role/ConductorOneService"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE"
        }
      }
    }
  ]
}

🤖 Prompt for AI Agents

In @baton/aws-v2.mdx around lines 70 - 113, The JSON shown is invalid because it
contains JavaScript-style comments and is the wrong type of policy: it lists
permissions (iam:List*, iam:Get*, etc.) which belong in an inline permissions
policy, not a Trust Policy; replace the code block with a valid Trust Policy
that includes a Principal and sts:AssumeRole (similar to the example using
"Principal": {"AWS": "arn:aws:iam::...:role/ConductorOneService"} and a
Condition for "sts:ExternalId"), move the iam:* actions out of the Trust Policy
and instead show them as a separate inline permissions policy in the next step,
and remove all // comments from any JSON blocks (put explanatory notes as
markdown text before/after the JSON instead).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Typo: "ConductorOn e UI" should be "ConductorOne UI".

There's an errant space in the middle of "ConductorOne".

Suggested fix

-          // Optional: Include this statement if you enable "Enable support for AWS Organizations" checkbox in the ConductorOn e UI
+          // Optional: Include this statement if you enable "Enable support for AWS Organizations" checkbox in the ConductorOne UI

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Optional: Include this statement if you enable "Enable support for AWS Organizations" checkbox in the ConductorOn e UI
	// Optional: Include this statement if you enable "Enable support for AWS Organizations" checkbox in the ConductorOne UI

🤖 Prompt for AI Agents

In @baton/aws-v2.mdx at line 93, Fix the typo in the documentation string that
currently reads "ConductorOn e UI" by removing the stray space and changing it
to "ConductorOne UI" wherever that exact phrase appears (e.g., the comment line
containing "// Optional: Include this statement if you enable "Enable support
for AWS Organizations" checkbox in the ConductorOn e UI"); update the text to
read "// Optional: Include this statement if you enable "Enable support for AWS
Organizations" checkbox in the ConductorOne UI".