AWS auth method cross account access

Hi. I am using aws auth method to get secrets from vault. That works fine if vault and the ec2 instance requesting the secrets are in the same aws account. The documentation describes the cross account access configuration as following:

For each target AWS account ID, you configure the IAM Role for Vault to assume using the auth/aws/config/sts/<account_id> and Vault will use credentials from assuming that role to validate IAM principals and EC2 instances in the target account.

How can I do that? How can ich configure the access to the other account? How can I see the current configuration?

I figured it out. You can set a sts role with an api call as described here:


curl \
  --header "X-Vault-Token: ..." \
  --request POST \
  --data @payload.json \

Sample payload:

  "sts_role": "arn:aws:iam:111122223333:role/myRole"

Does anybody know if it is possible to set an sts role per cli?

Please check vault-guides/ at master · hashicorp/vault-guides · GitHub . vault write auth/aws/config/sts/190840704773 sts_role=arn:aws:iam::190840704773:role/VaultAccess command should do the job.