AWS IAM assumed-role principals can't assume Vault role

We are invoking vault login ... -method aws role=platform-infrastructure-deployer within our build pipeline. Below is that Vault role:

$ vault read auth/aws/role/platform-infrastructure-deployer
Key                               Value
---                               -----
allow_instance_migration          false
auth_type                         iam
bound_account_id                  []
bound_ami_id                      []
bound_ec2_instance_id             <nil>
bound_iam_instance_profile_arn    []
bound_iam_principal_arn           [arn:aws:sts::<REDACTED>:assumed-role/platform-infrastructure-deploy/buildkite-job-*]
bound_iam_principal_id            []
bound_iam_role_arn                []
bound_region                      []
bound_subnet_id                   []
bound_vpc_id                      []
disallow_reauthentication         false
inferred_aws_region               n/a
inferred_entity_type              n/a
resolve_aws_unique_ids            true
role_id                           <REDACTED>
role_tag                          n/a
token_bound_cidrs                 []
token_explicit_max_ttl            1h
token_max_ttl                     0s
token_no_default_policy           false
token_num_uses                    0
token_period                      0s
token_policies                    [allow-buildkite-read-platform-infrastructure-deployment-secrets-development]
token_ttl                         0s
token_type                        default

At that point the build pipeline has this AWS STS identity:

{ "Account": "<REDACTED>", "UserId": "<REDACTED>:buildkite-job-<REDACTED>", "Arn": "arn:aws:sts::<REDACTED>:assumed-role/platform-infrastructure-deploy/buildkite-job-<REDACTED>" }

However, it gets the error below from Vault during login:

Code: 400. Errors:
* IAM Principal "arn:aws:sts::<REDACTED>:assumed-role/platform-infrastructure-deploy/buildkite-job-<REDACTED>" does not belong to the role "platform-infrastructure-deployer"

Maybe this would work using the request-signer script, but I don’t want to resort to that if possible and would rather keep using vault-cli for generating the signed request.

Is there a way to make assumed STS role principals work in AWS auth using the vault-cli?

This is now resolved!

I added the IAM role itself to the list of bound principal ARNs and that fixed it.
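
The following is an added example, not part of the original posts and not Vault's own code. It models why the session-ARN binding was rejected and the role-ARN binding is accepted, on the assumption that the AWS auth method reduces an assumed-role caller to its IAM role ARN (dropping the session name) before comparing it with `bound_iam_principal_arn`. The account ID and session name are constructed placeholders.

```python
import re

# Constructed sample values; the role name is the one shown in the thread.
CALLER = ("arn:aws:sts::123456789012:assumed-role/"
          "platform-infrastructure-deploy/buildkite-job-42")
ORIGINAL_BINDING = ("arn:aws:sts::123456789012:assumed-role/"
                    "platform-infrastructure-deploy/buildkite-job-*")
FIXED_BINDING = "arn:aws:iam::123456789012:role/platform-infrastructure-deploy"

_STS_ASSUMED = re.compile(
    r"^arn:(?P<partition>[^:]+):sts::(?P<account>[^:]*):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>.+)$"
)


def canonical_principal(arn):
    """Map an STS assumed-role session ARN to its IAM role ARN.

    Assumption: this mirrors the normalisation applied to the caller before
    the binding check. Any other ARN is returned unchanged.
    """
    m = _STS_ASSUMED.match(arn)
    if not m:
        return arn
    return "arn:{partition}:iam::{account}:role/{role}".format(**m.groupdict())


def is_bound(caller_arn, bound_arns):
    """True if the canonical caller matches a binding (exact or trailing '*')."""
    canonical = canonical_principal(caller_arn)
    for bound in bound_arns:
        if bound.endswith("*"):
            if canonical.startswith(bound[:-1]):
                return True
        elif canonical == bound:
            return True
    return False


def unmatchable_bindings(bound_arns):
    """Bindings written as STS session ARNs; a canonical IAM ARN never equals them."""
    return [b for b in bound_arns if ":assumed-role/" in b]


if __name__ == "__main__":
    print("canonical caller:", canonical_principal(CALLER))
    print("original binding matches:", is_bound(CALLER, [ORIGINAL_BINDING]))
    print("role ARN binding matches:", is_bound(CALLER, [FIXED_BINDING]))
    print("bindings to review:", unmatchable_bindings([ORIGINAL_BINDING, FIXED_BINDING]))
```

Under this model the session name plays no part in the match, so restricting logins to `buildkite-job-*` sessions has to be enforced on the AWS side, in the trust policy of the IAM role.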