We are utilizing the AWS Secrets Engine to create IAM users in AWS. The users were originally created with the root token. We are trying to rotate the root token now, but even when we set the revoke mode to orphan, the users created with that original root token disappear once it is revoked. Is there a way to disassociate these users from the token that created them?
Enabled secrets engine and created credentials
vault secrets enable -path=aws-test aws
vault write aws-test/config/root access_key=*** secret_key=*** region=us-east-1
vault write aws-test/config/lease lease=10920h lease_max=10920h
vault secrets tune -max-lease-ttl=10920h -default-lease-ttl=10920h aws-test
vault write aws-test/roles/testme_policy arn=arn:aws:iam::***:policy/testme_policy
vault read aws-test/creds/testme_policy
At this point I can use the AWS console or CLI to confirm that the user was created with the returned access key and is associated with that policy.
Regenerate root token and revoke the original
vault operator generate-root -init
vault operator generate-root -nonce=***
vault operator generate-root -decode=*** -otp=***
vault token revoke -mode=orphan <original root token>
At this point I can use the AWS console or CLI to confirm that the previously created user is now gone.