opensearch-project · github-actions · Oct 13, 2025 · Oct 13, 2025
@@ -67,45 +67,45 @@ When creating the role, customize the following settings:
 
 - Add the following custom trust policy:
 
-      ```bash
-      { 
-         "Version": "2012-10-17",
-          "Statement": [
-              {
-                  "Effect": "Allow",
-                  "Principal": {
-                      "Service": [
-                          "opensearchservice.amazonaws.com"
-                      ]
-                  },
-                  "Action": "sts:AssumeRole"
-              }
-          ]
-      }
-      ```
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "opensearchservice.amazonaws.com"
+        ]
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```
 
 - On the Permissions policies page, add the `AmazonS3ReadOnlyAccess` permission. 
-   
+
 
 #### Cross-account S3 bucket connection
 
 Because the role ARN needs to be in the same account as the OpenSearch domain, a trust policy needs to be configured that allows the OpenSearch domain to download from S3 buckets from the same account.
 
 To download from an S3 bucket in another account, the trust policy for that bucket needs to give the role ARN permission to read from the object, as shown in the following example:
 
-```
+```json
 {
-    "Version": "2012-10-17",
-    "Statement": [
-     {
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "arn:aws:iam::123456789012:role/account-1-threat-intel-role"
-            },
-          "Action": "s3:*",
-            "Resource": "arn:aws:s3:::account-2-threat-intel-bucket/*"
-     }
- ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::123456789012:role/account-1-threat-intel-role"
+      },
+      "Action": "s3:*",
+      "Resource": "arn:aws:s3:::account-2-threat-intel-bucket/*"
+    }
+  ]
 }
 ```