Any problems with making the role_id

We’re using Terraform to onboard new Vault customers. For app_role, the default behavior is to make a GUID as the role_id for a given role. However, vault_approle_auth_backend_role does have an optional attribute to set the role_id to be something human-readable and meaningful, and then since that has to match the name of a vault_identity_entity_alias, it’s immediately obvious to know what app_role an application is using.

Are there any reasons NOT to set the role_id to be the same as the role_name?

It seems like a perfectly reasonable thing to do to me.

Just make sure you do actually delete the identity entity as well as the approle when decommissioning approles, as otherwise, deleting and later reusing a name would reassociate with the old entity, which might have been given additional permissions that should not carry over.
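The arrangement described in the question and the cleanup caveat from the reply, as an added Terraform example (not code posted by either participant). It assumes a configured Vault provider and uses constructed application names and policy names; the role, its identity entity and the alias are all keyed off the same map, so removing an application from the map destroys all three together rather than leaving a stale entity behind.

```hcl
# Added example: one AppRole per application with a human-readable role_id,
# plus the matching identity entity and alias managed by the same for_each.
variable "apps" {
  type = map(object({ policies = list(string) }))
  default = {
    # Constructed sample applications and policy names.
    "billing-api" = { policies = ["billing-read"] }
    "reports-job" = { policies = ["reports-read"] }
  }
}

resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
}

resource "vault_approle_auth_backend_role" "app" {
  for_each = var.apps

  backend   = vault_auth_backend.approle.path
  role_name = each.key
  # Human-readable role_id instead of the default GUID. AppRole presents the
  # role_id as the alias name, so it must equal the alias name below.
  role_id        = each.key
  token_policies = each.value.policies
  secret_id_ttl  = 600
  token_ttl      = 1200
}

# Entity created explicitly so it is owned (and destroyed) by Terraform,
# rather than auto-created by Vault on first login and then orphaned.
resource "vault_identity_entity" "app" {
  for_each = var.apps

  name     = each.key
  metadata = { managed_by = "terraform" }
}

resource "vault_identity_entity_alias" "app" {
  for_each = var.apps

  # Alias name must match the AppRole's role_id to bind logins to this entity.
  name           = vault_approle_auth_backend_role.app[each.key].role_id
  mount_accessor = vault_auth_backend.approle.accessor
  canonical_id   = vault_identity_entity.app[each.key].id
}
```

Deleting an application by removing its key from `var.apps` removes the role, the alias and the entity in one plan, which is the cleanup the reply asks for. If the entity were instead left for Vault to auto-create on first login and only the role were destroyed, a later role with the same role_id would be reattached to that surviving entity and inherit any policies that had since been added to it.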
