We’re trying to restrict our existing AppRoles so that they can only be used by certain CIDRs. Looking at the API docs at https://www.vaultproject.io/api-docs/auth/approle, it should be possible by writing to /auth/approle/role/:role_name/token-bound-cidrs.
When trying this using
vault write /auth/approle/role/my-role/token-bound-cidrs token_bound_cidrs=my-cidr
Vault returns a 500 with the error message “role_id already in use”.
Our current vault version is 1.2.2. The documentation didn’t mention that this should not be possible, so I’m wondering whether this is the intended behavior (especially because a 500 error is returned).