I am trying to set up Entities in Vault and map them to AWS auth roles, but have stumbled across some counter-intuitive behavior.
Here are the basic commands I am using:
```shell
# Create AWS auth role and capture its role_id
#################################################
vault write \
  auth/aws/role/my-role \
  auth_type=iam \
  bound_iam_principal_arn="${IAM_ROLE_ARN}"
ROLE_ID=$(vault read -format=json auth/aws/role/my-role \
  | jq -r '.data.role_id')

# Create an Entity and capture its ID
#################################################
vault write \
  identity/entity \
  name=my-entity \
  policies=my-policy
ENTITY_ID=$(vault read -format=json identity/entity/name/my-entity \
  | jq -r '.data.id')

# Get the accessor of the AWS auth mount
#################################################
ACCESSOR=$(vault auth list -format=json \
  | jq -r '.["aws/"].accessor')

# Associate the AWS auth role `my-role` as an alias of
# the entity `my-entity`
#################################################
vault write \
  identity/entity-alias \
  canonical_id="${ENTITY_ID}" \
  name="${ROLE_ID}" \
  mount_accessor="${ACCESSOR}"
```
This all seems to work as expected, but only if there are no login attempts made before the alias has been set up. If there is a successful login for that AWS auth role before I associate the alias, an "implicit entity" gets created in Vault (e.g., `entity_c3c9f63f`), and it is aliased to the AWS auth role. Based on my reading of the documentation, this is normal and to-be-expected. However, if I subsequently attempt to create an alias from the AWS auth role to the entity I explicitly created (not the implicitly-created one), it does not work. I get `Success! Data written to: identity/entity-alias`, but no alias is created. Whenever I log in using the AWS auth role, my token does not have the expected policies via `identity_policies` (which, in the absence of an alias, makes sense).

If I delete the implicit entity, I can run the same `vault write identity/entity-alias` command and it will create the desired alias, and I can log in and get a token with the expected policies.
Is this somehow expected behavior?
This is on Hosted Vault, 1.8.2+ent.
Thanks in advance.
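A pre-flight check for the situation described in the post, as an added example that is not part of the original post or of Vault itself. Before running `vault write identity/entity-alias`, it lists the existing aliases and reports whether an alias for the same `mount_accessor`/`name` pair already belongs to a different entity (the implicitly created one). The `SAMPLE_KEY_INFO` data is constructed to mirror the shape of a `LIST identity/entity-alias/id` response; the live path assumes `VAULT_ADDR` and `VAULT_TOKEN` are set and that the token may list that path.

```python
"""Pre-flight check for creating an explicit entity alias in Vault.

Added example (not from the original post). Detects an existing alias for the
same (mount_accessor, name) that points at another entity, which is the
"implicit entity" case where the write reports success but changes nothing.
"""
import json
import os
import sys
import urllib.request

# Constructed sample in the shape of the `key_info` map returned by
# LIST identity/entity-alias/id. Accessor, alias id and entity ids are made up.
SAMPLE_KEY_INFO = {
    "alias-0001": {
        "canonical_id": "entity_c3c9f63f",      # implicitly created on first login
        "mount_accessor": "auth_aws_deadbeef",
        "mount_type": "aws",
        "name": "role-id-of-my-role",
    },
}


def list_entity_aliases(addr: str, token: str) -> dict:
    """Return the key_info map from LIST identity/entity-alias/id (GET ?list=true)."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/identity/entity-alias/id?list=true",
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    return body.get("data", {}).get("key_info", {})


def find_existing_alias(key_info: dict, mount_accessor: str, name: str):
    """Return (alias_id, info) for an alias on this accessor with this name, else None."""
    for alias_id, info in key_info.items():
        if info.get("mount_accessor") == mount_accessor and info.get("name") == name:
            return alias_id, info
    return None


def plan_alias_action(key_info: dict, mount_accessor: str, name: str, entity_id: str) -> str:
    """Classify what `vault write identity/entity-alias` would do.

    'create'   no alias exists for this accessor/name; the write creates it
    'noop'     an alias already points at the desired entity
    'conflict' an alias exists but is owned by another entity (e.g. the implicit
               one); the write returns Success! without changing the mapping
    """
    found = find_existing_alias(key_info, mount_accessor, name)
    if found is None:
        return "create"
    _, info = found
    return "noop" if info.get("canonical_id") == entity_id else "conflict"


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} MOUNT_ACCESSOR ALIAS_NAME ENTITY_ID", file=sys.stderr)
        return 2
    _, accessor, name, entity_id = argv
    key_info = list_entity_aliases(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    action = plan_alias_action(key_info, accessor, name, entity_id)
    print(f"planned action: {action}")
    if action == "conflict":
        alias_id, info = find_existing_alias(key_info, accessor, name)
        other = info["canonical_id"]
        print(f"alias {alias_id} already maps {name!r} to entity {other}")
        print("resolve first, e.g. by removing the implicit entity:")
        print(f"  vault delete identity/entity/id/{other}")
        print("or by merging it into the explicit one (keeps its history):")
        print(f"  vault write identity/entity/merge from_entity_ids={other} to_entity_id={entity_id}")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the same `ACCESSOR`, `ROLE_ID` and `ENTITY_ID` values the post's script computes; a `conflict` result explains the silent `Success!` without a new alias, since Vault keeps the earlier alias on that accessor/name pair.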