IAM Role Trust Policies: Misconfigurations Hiding in Plain Sight
token.security

The instance profile example makes it seem like you need to specify the account for "Service": "ec2.amazonaws.com" just with another syntax, while service principals are always in the same account AFAIK.