Could not associate identities to auth/aws roles

Hi,

I’m trying to create a Vault role (awsjohndoe) and attach it to an identity (johndoe) using an entity-alias.
Unfortunately, the role does not inherit the identity policy. I think there may be an issue with the entity-alias that would not associate properly to awsjohndoe.
This code works properly if I use auth/userpass instead of auth/aws.
Do you have any suggestion?

vault write auth/aws/role/awsjohndoe auth_type=iam bound_iam_principal_arn="arn:aws:iam::123456123456:role/project/element"
vault auth list -format=json | jq -r '.["aws/"].accessor' > $ACCESSOR
vault write -format=json identity/entity name="johndoe" policies="johndoeentitypolicy" | jq -r ".data.id" > $ENTITY_ID
vault write -format=json identity/entity-alias name="awsjohndoe" canonical_id=$(cat $ENTITY_ID) mount_accessor=$(cat $ACCESSOR)

Result:

Key                                Value
---                                -----
token                              s.danMTm3cEdtGkNLk0UGIbg0P
token_accessor                     eDZnhFRe7fNxU3AzhBRUUzWz
token_duration                     xhxxmxxs
token_renewable                    true
token_policies                     ["default"]
identity_policies                  []
policies                           ["default"]
token_meta_client_arn              arn:aws:sts::123456123456:assumed-role/element/i-1234561234561234
token_meta_client_user_id          A12312312312312313
token_meta_inferred_aws_region     n/a
token_meta_inferred_entity_id      n/a
token_meta_inferred_entity_type    n/a
token_meta_account_id              123456123456
token_meta_auth_type               iam
token_meta_canonical_arn           arn:aws:iam::123456123456:role/assumed-role

Hi,

The AWS alias identifier is, by default, the role’s generated unique ID. More info here.

Try setting the alias name to the role ID:

vault read -format json auth/aws/role/awsjohndoe | jq -r ".data.role_id" > $ROLE_ID
vault write -format=json identity/entity-alias name=$(cat $ROLE_ID) canonical_id=$(cat $ENTITY_ID) mount_accessor=$(cat $ACCESSOR)

Hi,

I cannot get role_id returned by the command vault read -format json auth/aws/role/awsjohndoe (I am using Vault 1.1.1), so I decided to set the alias to the unique_id to match the IAM principal ID, and it is working fine.
Thanks for your precious help!
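The mechanism behind both replies, as an added model written for this thread (not Vault's own code): Vault matches an entity alias on the pair (mount_accessor, alias name), and for the AWS auth method with auth_type=iam the alias name presented at login is the IAM principal's unique ID (the value shown as token_meta_client_user_id), not the Vault role name. The accessor, entity ID and policy names below are constructed sample values; the unique ID and role name are the ones from the thread. The `role_id` branch models the alternative the second reply suggests and is an assumption about that setting, not verified against a specific Vault version.

```python
"""Model of how an auth-method login is mapped to an identity entity.

Added example for this thread, not Vault source code. It shows why an alias
named after the Vault role ("awsjohndoe") never matches an IAM login, while an
alias named with the IAM principal unique ID does, so identity_policies stay
empty in the first case and carry the entity's policy in the second.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entity:
    id: str
    name: str
    policies: List[str]


@dataclass
class EntityAlias:
    name: str            # what the auth method presents at login
    mount_accessor: str  # accessor of the auth mount (vault auth list)
    canonical_id: str    # id of the entity this alias belongs to


@dataclass
class LoginResult:
    token_policies: List[str]
    identity_policies: List[str]

    @property
    def policies(self) -> List[str]:
        # Effective policy set: token policies plus inherited identity policies
        return sorted(set(self.token_policies) | set(self.identity_policies))


def aws_iam_alias_name(login_meta: Dict[str, str], iam_alias: str = "unique_id",
                       role_id: Optional[str] = None) -> str:
    """Alias name the AWS auth method presents for an auth_type=iam login.

    'unique_id' (the default) is the IAM principal's unique ID, which Vault
    reports as token_meta_client_user_id. 'role_id' (assumed here per the
    reply above) would use the Vault role's generated ID instead.
    """
    if iam_alias == "unique_id":
        return login_meta["client_user_id"]
    if iam_alias == "role_id":
        if role_id is None:
            raise ValueError("role_id alias mode needs the role's ID")
        return role_id
    raise ValueError(f"unknown iam_alias setting: {iam_alias}")


def resolve_login(entities: Dict[str, Entity], aliases: List[EntityAlias],
                  mount_accessor: str, alias_name: str,
                  token_policies: List[str]) -> LoginResult:
    """Look up the alias by (mount_accessor, name); on a hit, inherit the
    entity's policies, otherwise the login gets only its token policies."""
    for alias in aliases:
        if alias.mount_accessor == mount_accessor and alias.name == alias_name:
            entity = entities[alias.canonical_id]
            return LoginResult(list(token_policies), list(entity.policies))
    return LoginResult(list(token_policies), [])


# Constructed sample data mirroring the thread.
AWS_ACCESSOR = "auth_aws_0123abcd"                     # constructed accessor
ENTITY_ID = "7f2c1d7e-0000-4000-8000-000000000001"     # constructed entity id
ENTITIES = {ENTITY_ID: Entity(ENTITY_ID, "johndoe", ["johndoeentitypolicy"])}
LOGIN_META = {"client_user_id": "A12312312312312313",  # from the login output
              "auth_type": "iam"}


def misconfigured_login() -> LoginResult:
    """Alias named after the Vault role: never matches an IAM login."""
    aliases = [EntityAlias("awsjohndoe", AWS_ACCESSOR, ENTITY_ID)]
    presented = aws_iam_alias_name(LOGIN_META)
    return resolve_login(ENTITIES, aliases, AWS_ACCESSOR, presented, ["default"])


def fixed_login() -> LoginResult:
    """Alias named with the IAM unique ID, as in the final reply."""
    aliases = [EntityAlias(LOGIN_META["client_user_id"], AWS_ACCESSOR, ENTITY_ID)]
    presented = aws_iam_alias_name(LOGIN_META)
    return resolve_login(ENTITIES, aliases, AWS_ACCESSOR, presented, ["default"])


if __name__ == "__main__":
    print("alias=awsjohndoe ->", misconfigured_login())
    print("alias=unique_id  ->", fixed_login())
```

A quick check after fixing a real setup is to compare the alias name stored under identity/entity-alias with the token_meta_client_user_id of a fresh login; if they differ, identity_policies will be empty exactly as in the first post.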