I followed the docs https://www.vaultproject.io/docs/auth/aws
I keep getting
Error authenticating: Error making API request.
URL: PUT http://0.0.0.0:8200/v1/auth/aws/login
Code: 400. Errors:
* error parsing arn "arn:aws:iam::xxxxxxxxxxxx:root": unrecognized arn: "root" contains fewer than 2 slash-separated parts
Probably a config issue. Can you share all the vault write commands you used to configure it? Someone might spot the issue. And also the vault login command you're using to test this out.
Is there a reason you’re using 0.0.0.0 vs 127.0.0.1? That might be confusing the listener if you’re local with multiple interfaces, but it seems to be connecting fine so not the issue… just curious.
This might be because you are using the accessKeyId and accessKey of a root user instead of an IAM user. I ran into the same issue; after I changed to using the accessKeyId and accessKey of a newly created IAM user (Creating an IAM user in your AWS account - AWS Identity and Access Management), it works fine.
I tried that but it did not work for me.
I even created a brand new user with both console and programmatic access and attached the policy as specified in the documentation.
Please share the details about the IAM user you created when it worked - what policies did you assign to that user?
I tried with an existing one - that did not work - and then created a brand new one and assigned that user the AWS policy that I attached to the AWS role. That role is mapped to the role in Vault.
Here are the commands I am executing in sequence. Just fill in the placeholders for the creds and for the AWS account number.
Enable KV secrets engine
vault secrets enable kv
Write some test data
vault kv put secret/awsauthdemo/config ttl=10m username=devuser password=b3st4secret
Upload a simple policy to read and list the secrets under the path above
vault policy write awsauth awsauth.hcl
Enable AWS authentication method
vault auth enable aws
Configure the AWS credentials
vault write auth/aws/config/client secret_key=<secret_key> access_key=<access_key>
Create a Vault role and associate it with an AWS role that has the custom policy we create previously
vault write auth/aws/role/awsauth-role-iam \
    auth_type=iam \
    bound_iam_principal_arn="arn:aws:iam::<my_aws_account>:role/vault_aws_role" \
    policies=awsauth ttl=48h
Configure X-Vault-AWS-IAM-Server-ID Header - recommended
vault write auth/aws/config/client iam_server_id_header_value=vault.example.com
Log in - IAM auth method
vault login -method=aws header_value=vault.example.com role=awsauth-role-iam
Thanks in advance for your help 
OK, I managed to get past that after realizing that configuring the access and secret keys in auth/aws/config/client does NOT work - it writes the keys, but they are not used during the login call; the root AWS account keys are used because they are configured in the default location ~/.aws/credentials. Instead I passed the IAM user's keys when I executed the login command:
vault login -method=aws header_value=vault.example.com role=awsauth-role-iam aws_access_key_id=<IAM_user_access_key> aws_secret_access_key=<IAM_user_secret_key>
But, I have another error. Any suggestions would be welcome.
Error authenticating: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/aws/login
Code: 400. Errors:
IAM Principal "arn:aws:iam::<aws_account_number>:user/vaultiam" does not belong to the role "awsauth-role-iam"
And here is my command for creating the role in Vault:
vault write auth/aws/role/awsauth-role-iam \
auth_type=iam \
bound_iam_principal_arn="arn:aws:iam::<aws_account_number>:role/vault-aws-auth-role" resolve_aws_unique_ids=true \
policies=awsauth ttl=24h
===
OK guys, for everyone who is still experiencing this problem, if you have the root keys configured under ~/.aws/credentials, then even though you’ve configured the Vault AWS auth client with the keys of an IAM user, Vault will still try to use the root keys, if available. The way around that is to pass the IAM user’s access and secret keys in the login call:
vault login -method=aws header_value=vault.example.com role=awsauth-role-iam aws_access_key_id=<IAM_user_access_key> aws_secret_access_key=<IAM_user_secret_key>
That solves the problem. Alternatively, you can run aws configure and create a new profile with that user's keys, but then you need to figure out how to tell Vault to use that AWS profile and not the default one containing the root keys.
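Added example (not from any post in this thread, and not HashiCorp's code): a POSIX shell script that ties the two errors above together. With auth_type=iam, Vault takes the ARN that sts:GetCallerIdentity returns for whatever credentials the CLI resolves and compares it with the role's bound_iam_principal_arn. Root credentials resolve to arn:aws:iam::ACCOUNT:root, which has no type/name part (the first error), and an IAM user ARN such as arn:aws:iam::ACCOUNT:user/vaultiam can never equal a role/... binding (the second error). The normalize_principal and principal_matches functions reproduce that comparison on constructed ARNs, including assumed-role session ARNs and a trailing-* wildcard binding, so the mismatch is caught before vault login. The live section, which only runs if the vault and aws CLIs are installed, rebuilds the role bound to the user ARN and selects the IAM user's keys with AWS_PROFILE, which answers the "how to tell Vault to use that profile" question under the assumption that the Vault CLI resolves AWS credentials through the SDK's default chain (which honours AWS_PROFILE). The profile name vaultiam, account 123456789012 and the VAULT_AWS_PROFILE/AWS_ACCOUNT_ID variables are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not code from the posts above or from
# HashiCorp). Placeholders: account 123456789012, AWS profile "vaultiam".
set -eu

# normalize_principal CALLER_ARN
# Prints the IAM ARN that Vault's aws auth (auth_type=iam) compares with
# bound_iam_principal_arn, derived from the ARN sts:GetCallerIdentity returns:
#   arn:aws:iam::ACCT:user/NAME                 -> unchanged
#   arn:aws:iam::ACCT:role/NAME                 -> unchanged
#   arn:aws:sts::ACCT:assumed-role/NAME/SESSION -> arn:aws:iam::ACCT:role/NAME
# Returns 1 for arn:aws:iam::ACCT:root (no "type/name" resource part), which
# is the "fewer than 2 slash-separated parts" error from the first post.
normalize_principal() {
    arn=$1
    partition=$(printf '%s' "$arn" | cut -d: -f2)
    acct=$(printf '%s' "$arn" | cut -d: -f5)
    resource=$(printf '%s' "$arn" | cut -d: -f6-)
    case "$resource" in
        assumed-role/*/*)
            name=$(printf '%s' "$resource" | cut -d/ -f2)
            printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$acct" "$name" ;;
        user/*|role/*)
            printf 'arn:%s:iam::%s:%s\n' "$partition" "$acct" "$resource" ;;
        *)
            return 1 ;;
    esac
}

# principal_matches BOUND_ARN CALLER_ARN
# Exit 0 when a Vault role bound to BOUND_ARN would accept CALLER_ARN.
# BOUND_ARN may end in "*" (Vault allows a trailing wildcard, e.g. ...:role/*).
principal_matches() {
    bound=$1
    caller=$(normalize_principal "$2") || return 1
    case "$bound" in
        *\*)
            prefix=${bound%\*}
            case "$caller" in
                "$prefix"*) return 0 ;;
            esac
            return 1 ;;
        *)
            [ "$caller" = "$bound" ] ;;
    esac
}

# ---- live section: runs only when both CLIs are installed -------------------
ACCOUNT=${AWS_ACCOUNT_ID:-123456789012}   # placeholder account
PROFILE=${VAULT_AWS_PROFILE:-vaultiam}    # profile holding the IAM user's keys
BOUND_ARN="arn:aws:iam::${ACCOUNT}:user/vaultiam"
SERVER_ID=vault.example.com

if command -v vault >/dev/null 2>&1 && command -v aws >/dev/null 2>&1; then
    # Pre-flight: which principal do the chosen credentials resolve to?
    caller=$(aws sts get-caller-identity --profile "$PROFILE" \
                 --query Arn --output text)
    principal_matches "$BOUND_ARN" "$caller" || {
        echo "caller $caller would not match $BOUND_ARN" >&2
        exit 1
    }

    vault auth enable aws 2>/dev/null || true   # ignore "already enabled"
    vault write auth/aws/role/awsauth-role-iam \
        auth_type=iam \
        bound_iam_principal_arn="$BOUND_ARN" \
        policies=awsauth ttl=24h
    vault write auth/aws/config/client iam_server_id_header_value="$SERVER_ID"
    # AWS_PROFILE selects the IAM user's keys over the default (root) profile;
    # assumption: the Vault CLI uses the AWS SDK default credential chain.
    AWS_PROFILE="$PROFILE" vault login -method=aws \
        header_value="$SERVER_ID" role=awsauth-role-iam
fi
```

Run it as `AWS_ACCOUNT_ID=<account> VAULT_AWS_PROFILE=<profile> sh vault-aws-login.sh`. If the pre-flight check fails, either change bound_iam_principal_arn to the ARN it prints, or have the caller assume the bound role first so that its assumed-role session ARN maps onto the role/... binding.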