AWS auth method - How to use the vault CLI with IAM role?

CC @joelthompson

From my desktop, I am trying to validate that my AWS IAM role is configured correctly and can generate vault tokens.

$ vault write --address auth/aws/role/aws-auth-role--iam-role auth_type=iam bound_iam_principal_arn=arn:aws:iam::123456789012:role/vault-iam-auth
Success! Data written to: auth/aws/role/aws-auth-role--iam-role

$ AWS_PROFILE=vault-iam-auth aws sts get-caller-identity
{
    "UserId": "AROAXWVUO3XXXXXXXXXX:botocore-session-1585808549",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/vault-iam-auth/botocore-session-1585808549"
}

but to my surprise, this does NOT work

$ AWS_PROFILE=vault-iam-auth vault login --address -method=aws role=aws-auth-role--iam-role
Error authenticating: failed to retrieve credentials from credential chain: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

How can I validate that my role can access vault?

I am trying to configure vault to be usable with my ECS tasks.
Note that the role attached to my ECS tasks will be trusting the service (in the assume policy). For the role above, the assume policy is pointing to arn:…:123456789012:user/root (i.e. all users in my account).

Compared to users or roles assumed by users, the credentials used by ECS tasks are ephemeral and not only use an AWS_ACCESS_KEY_ID and an AWS_SECRET_ACCESS_KEY, but also an AWS_SESSION_TOKEN. Not sure the vault CLI is taking the AWS_SESSION_TOKEN into consideration above…

Well, to answer my own question, I found that the aws-cli reads role-profiles differently from vault.
For example, in the get-caller-identity above, the aws-cli executes an 'aws iam assume-role' to fetch the role credentials and then sends the 'aws sts get-caller-identity' with those role-credentials.

Vault does not do that. As a result, in the vault command above, instead of passing AWS_PROFILE="role-profile-name", you need to explicitly pass the values of AWS_ACCESS_KEY_ID=… AWS_SECRET_ACCESS_KEY=… and AWS_SESSION_TOKEN=…

The values of those variables can be obtained with

aws --profile <user-profile-name> sts assume-role --duration-seconds 900 --role-arn arn:aws:iam::123456789012:role/vault-iam-auth --role-session-name vault-iam-auth-session
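The full flow described in this answer, as an added example that is not part of the original post: assume the role with the user profile, turn the STS output into the three environment variables the Vault CLI reads (the session token is the one the profile-based attempt was missing), and only then run vault login. The profile, role ARN and Vault role names are taken from the thread; the function names are my own.

```shell
# Added example; the user profile, role ARN and Vault role name are assumptions
# matching the thread, and the function names are not from the original post.
set -eu

# Convert the JSON printed by `aws sts assume-role` into `export` lines for the
# three variables Vault's AWS auth method needs. sed only, so no jq dependency.
creds_to_env() {
  sed -n \
    -e 's/.*"AccessKeyId": *"\([^"]*\)".*/export AWS_ACCESS_KEY_ID=\1/p' \
    -e 's/.*"SecretAccessKey": *"\([^"]*\)".*/export AWS_SECRET_ACCESS_KEY=\1/p' \
    -e 's/.*"SessionToken": *"\([^"]*\)".*/export AWS_SESSION_TOKEN=\1/p'
}

# Usage: vault_login_via_role <user-profile> <role-arn> <vault-role>
# Assumes the role with the user's long-lived profile, exports the short-lived
# session credentials, checks the session token is actually present, and lets
# Vault sign its sts:GetCallerIdentity request with them.
vault_login_via_role() {
  user_profile="$1"; role_arn="$2"; vault_role="$3"
  eval "$(aws --profile "$user_profile" sts assume-role \
            --duration-seconds 900 \
            --role-arn "$role_arn" \
            --role-session-name vault-iam-auth-session | creds_to_env)"
  # Without the session token Vault falls back to the credential chain and
  # fails with the NoCredentialProviders error shown above.
  [ -n "${AWS_SESSION_TOKEN:-}" ] || {
    echo "assume-role returned no session token; check the profile and trust policy" >&2
    return 1
  }
  # Sanity check: this must print the assumed-role ARN, not the user ARN.
  aws sts get-caller-identity --query Arn --output text
  vault login -method=aws role="$vault_role"
}

# Example invocation (needs VAULT_ADDR set, as in the original commands):
# vault_login_via_role vault-iam-auth \
#   arn:aws:iam::123456789012:role/vault-iam-auth aws-auth-role--iam-role
```

Because the credentials expire after 900 seconds, rerun the function rather than storing the exported values.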