From fd1fab4c469d25601f1c5d0d78fda94da143c7cc Mon Sep 17 00:00:00 2001 From: Michael Lehmann Date: Tue, 4 Nov 2025 15:25:54 -0800 Subject: [PATCH] Update README.md (#1544) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index fdb0138..4e3f56d 100644 --- a/README.md +++ b/README.md @@ -447,6 +447,8 @@ In this two-step example, the first step will use OIDC to assume the role example. Following that, a second step will use this role to assume a different role, `arn:aws:iam::987654321000:role/my-second-role`. +Note that the trust relationship/trust policy of the second role must grant the permissions `sts:AssumeRole` and `sts:TagSession` to the first role. (Or, alternatively, the `TagSession` permission can be omitted if you are using the `role-skip-session-tagging: true` flag for the second step.) + ### AssumeRole with static IAM credentials in repository secrets ```yaml - name: Configure AWS Credentials
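Review bot: the added "Note that the trust relationship/trust policy of the second role..." paragraph documents only the trust-policy side of the chained assume. When the two roles live in different AWS accounts, the first role also needs an identity policy allowing `sts:AssumeRole` (and `sts:TagSession`, unless tagging is skipped) on `arn:aws:iam::987654321000:role/my-second-role`, so the note should say so or state that it assumes a same-account setup. It would also help to say that the trust policy should name the first role's ARN as the `Principal` rather than the whole account, which keeps the second role assumable only through the OIDC-backed role. Two wording points in the same paragraph: "Or, alternatively," is redundant, and `role-skip-session-tagging: true` is an action input set under `with:`, so "input" is more accurate than "flag". Suggested closing sentence: "`sts:TagSession` can be omitted if the second step sets `role-skip-session-tagging: true`."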