
As per AWS documentation,

A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account.

I understand this requirement. However, I am not sure why an 'AssumeRole' action still needs to be specified again in the 'Trust Relationship' of the role. It makes sense to allow/restrict a Principal (using the 'AssumeRole' action) to assume a specific role, and also for the role being assumed to trust the assuming Principal (in its 'Trust Relationship'), but I am not sure why the role itself has to specify the 'AssumeRole' action in its Trust relationship. Roles are always meant to be assumable, aren't they? Or alternatively, what is the significance of specifying the 'AssumeRole' action in the 'Trust relationship' of a role?

1 Answer


I'm not an AWS Roles expert, but as far as I know, the Trust Relationship Policy Document makes sense for two main reasons:

  1. A role can be assumed not only with sts:AssumeRole action, but also with sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity (docs here).

  2. As the name "Trust Relationship Policy Document" says, it's also a policy document. So instead of creating a different template for the Trust Relationship, AWS creates a single policy template and uses it in all cases - this way we only need to learn the policy template once (docs here).

Pedro Arantes
  • Thank you - My question was specifically around the need to have the 'sts:AssumeRole' statement in the Trust relationship policy document. What does it really mean? It appears to indicate something like "I am a role that is assumable", which seems to be a bit hazy. – Abhishek Palakkal Kaliyath Feb 18 '20 at 17:53
  • I think probably the first point that you mentioned in your reply might probably fit as the best answer to my question - Thanks Pedro. – Abhishek Palakkal Kaliyath Feb 21 '20 at 12:08
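To make the answer's first point concrete, here is an added example (not from the question, the answer, or AWS) that models the two-sided check behind cross-account role assumption in deliberately simplified form: the caller's identity-based policy must delegate `sts:AssumeRole` on the role ARN, and the role's trust policy must name both the principal and the STS action being used. The account IDs, the `ReadOnlyAudit` role, the user `alice` and the `ExampleIdP` SAML provider are constructed sample values, and the evaluator ignores conditions, wildcards, explicit denies and SCPs that real IAM evaluation applies.

```python
import json

# Constructed sample: identity-based policy attached to the caller in account
# 111111111111, delegating permission to call sts:AssumeRole on the target role.
CALLER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::222222222222:role/ReadOnlyAudit"}]}""")

# Constructed sample: trust policy letting an IAM user obtain the role via
# sts:AssumeRole.
TRUST_ASSUME_ROLE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"},
  "Action": "sts:AssumeRole"}]}""")

# Constructed sample: trust policy that only admits federated SAML sign-in,
# i.e. a different STS action and a different principal type.
TRUST_SAML_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::222222222222:saml-provider/ExampleIdP"},
  "Action": "sts:AssumeRoleWithSAML"}]}""")

ALICE = "arn:aws:iam::111111111111:user/alice"
ROLE = "arn:aws:iam::222222222222:role/ReadOnlyAudit"
IDP = "arn:aws:iam::222222222222:saml-provider/ExampleIdP"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def caller_allows(policy, action, resource):
    """Identity-based side: some Allow statement names this action and resource."""
    return any(s.get("Effect") == "Allow"
               and action in _as_list(s.get("Action", []))
               and resource in _as_list(s.get("Resource", []))
               for s in policy["Statement"])

def trust_allows(trust_policy, action, principal):
    """Trust-policy side: the principal is trusted AND this STS action is listed.
    Only map-form Principals ("AWS" / "Federated") are modelled, not "*"."""
    for s in trust_policy["Statement"]:
        if s.get("Effect") != "Allow" or action not in _as_list(s.get("Action", [])):
            continue
        prin = s.get("Principal", {})
        if not isinstance(prin, dict):
            continue
        trusted = [p for key in ("AWS", "Federated") for p in _as_list(prin.get(key, []))]
        if principal in trusted:
            return True
    return False

def can_assume(caller, caller_policy, role, trust_policy, action="sts:AssumeRole"):
    """Cross-account assumption needs both halves: delegation in the caller's
    account and trust for this principal AND this action in the role's account."""
    return caller_allows(caller_policy, action, role) and trust_allows(trust_policy, action, caller)
```

Running `trust_allows(TRUST_SAML_ONLY, "sts:AssumeRole", IDP)` returns False even though the IdP is a trusted principal, which is the point of the Action element: it fixes which STS operation may mint the role's credentials.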