Hi,
I’m trying to create a Vault role (awsjohndoe) and attach it to an identity (johndoe) using an entity-alias.
Unfortunately, the role does not inherit the identity policy. I think there may be an issue with the entity-alias that does not associate properly with awsjohndoe.
This code works properly if I use auth/userpass instead of auth/aws.
Do you have any suggestion?
vault write auth/aws/role/awsjohndoe auth_type=iam bound_iam_principal_arn="arn:aws:iam::123456123456:role/project/element"
vault auth list -format=json | jq -r '.["aws/"].accessor' > $ACCESSOR
vault write -format=json identity/entity name="johndoe" policies="johndoeentitypolicy" | jq -r ".data.id" > $ENTITY_ID
vault write -format=json identity/entity-alias name="awsjohndoe" canonical_id=$(cat $ENTITY_ID) mount_accessor=$(cat $ACCESSOR)
Result:
Key Value
--- -----
token s.danMTm3cEdtGkNLk0UGIbg0P
token_accessor eDZnhFRe7fNxU3AzhBRUUzWz
token_duration xhxxmxxs
token_renewable true
token_policies ["default"]
identity_policies []
policies ["default"]
token_meta_client_arn arn:aws:sts::123456123456:assumed-role/element/i-1234561234561234
token_meta_client_user_id A12312312312312313
token_meta_inferred_aws_region n/a
token_meta_inferred_entity_id n/a
token_meta_inferred_entity_type n/a
token_meta_account_id 123456123456
token_meta_auth_type iam
token_meta_canonical_arn arn:aws:iam::123456123456:role/assumed-role
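Editor's added example, not part of the original post and not HashiCorp's own code. It illustrates the point the output above turns on: the aws auth method does not look up an entity alias by the Vault role name. It derives the alias name from the mount's iam_alias setting (auth/aws/config/identity): unique_id, the default, uses the IAM principal's unique ID (the value shown as token_meta_client_user_id); role_id uses the role_id field of the Vault role; full_arn uses the canonical ARN. The script below has a pure helper that computes the expected alias name for a given mode, a check that compares an existing alias name against the token metadata, and a function with the corrected linking procedure. Assumptions: Vault and jq on PATH with VAULT_ADDR/VAULT_TOKEN set for the last function (it is never called automatically), the role and entity names from the post, and a constructed token-lookup sample modelled on the output above (all IDs fake).

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Only link_role_to_entity talks
# to Vault, and it is not invoked unless you call it yourself.

# Name the aws auth method will compute for the alias under a given iam_alias
# mode. Args: mode, client_user_id, vault role_id, canonical_arn.
expected_alias_name() {
  case "$1" in
    unique_id) printf '%s\n' "$2" ;;   # default for auth/aws
    role_id)   printf '%s\n' "$3" ;;
    full_arn)  printf '%s\n' "$4" ;;
    *) echo "unknown iam_alias mode: $1" >&2; return 1 ;;
  esac
}

# Extract one token_meta_<field> value from `vault token lookup`-style output
# (two whitespace-separated columns). Args: field name; input on stdin.
token_meta() {
  awk -v k="token_meta_$1" '$1 == k { print $2 }'
}

# Constructed sample, shaped like the result in the post (values are fake).
SAMPLE_LOOKUP='token_meta_client_arn arn:aws:sts::123456123456:assumed-role/element/i-1234561234561234
token_meta_client_user_id A12312312312312313
token_meta_auth_type iam
token_meta_canonical_arn arn:aws:iam::123456123456:role/assumed-role'

# Exit 0 if an alias named $1 would match under mode $2, given the Vault
# role_id $3 and the lookup output text $4. Returns non-zero on mismatch.
alias_matches() {
  uid=$(printf '%s\n' "$4" | token_meta client_user_id)
  arn=$(printf '%s\n' "$4" | token_meta canonical_arn)
  [ "$1" = "$(expected_alias_name "$2" "$uid" "$3" "$arn")" ]
}

# Corrected linking procedure (hypothetical run against a live Vault).
# Pinning iam_alias=role_id makes the alias name a value you control in Vault
# instead of an IAM unique ID you have to read back from a login.
link_role_to_entity() {
  vault write auth/aws/config/identity iam_alias=role_id
  vault write auth/aws/role/awsjohndoe auth_type=iam \
    bound_iam_principal_arn="arn:aws:iam::123456123456:role/project/element"
  accessor=$(vault auth list -format=json | jq -r '.["aws/"].accessor')
  role_id=$(vault read -format=json auth/aws/role/awsjohndoe | jq -r '.data.role_id')
  entity_id=$(vault write -format=json identity/entity name=johndoe \
    policies=johndoeentitypolicy | jq -r '.data.id')
  # The alias name is the role_id, not the role name "awsjohndoe".
  vault write identity/entity-alias name="$role_id" \
    canonical_id="$entity_id" mount_accessor="$accessor"
}
```

To diagnose an existing setup without changing it, feed the real `vault token lookup` output and the configured mode to `alias_matches`; after a successful link, a fresh login should show the entity's policy under identity_policies rather than an empty list.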