Does Consul Connect support IAM auth to Vault as a CA?

I have a Vault instance set up using IAM Profiles for auth. This works fine with Vault Agent, and other things, but I can’t get my Consul server to use an IAM profile for authentication to Vault.

At the command line, I can log into vault with my IAM role and get a token, but I can’t get the settings right to do this with Consul.

The relevant stanza:

    auth_method = {
        type = "iam"
        mount_path = "auth/aws"
        params = {
            role = "consul-server"
        }
    }

But the Vault audit log always shows that the auth method is `"token_type": "default"`.

Maybe Consul Connect doesn’t support using IAM Profiles for authentication to Vault?

Any help appreciated!

I’ve since discovered that when you update the ca_config stanza for a server, if the settings aren’t correct, they’re just ignored with no entry in syslog that there was an issue. If I try to apply the same settings through something like:

    consul connect ca set-config -config-file=ca_config.json

That generates an actual error. Progress!
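For reference, here is the shape of a `ca_config.json` file for `consul connect ca set-config` that carries a Vault auth method block. This is an added example, not the poster’s file and not from the Consul project; the address and PKI mount paths are constructed placeholders. It assumes (based on my reading of the Consul Vault CA provider docs, so treat it as an assumption to verify) that the Vault auth method type is named `"aws"` at the top level, with the IAM-vs-EC2 choice given as `"type": "iam"` inside `Params`, rather than `"iam"` as the top-level type.

```json
{
  "Provider": "vault",
  "Config": {
    "Address": "https://vault.example.internal:8200",
    "RootPKIPath": "connect-root",
    "IntermediatePKIPath": "connect-intermediate",
    "AuthMethod": {
      "Type": "aws",
      "MountPath": "auth/aws",
      "Params": {
        "type": "iam",
        "role": "consul-server"
      }
    }
  }
}
```

Applying it with `consul connect ca set-config -config-file=ca_config.json` against a running cluster surfaces a validation error if a key is wrong, which is the behaviour the post above describes as the advantage over editing the agent’s `ca_config` stanza. With no `Token` in the file, the Consul servers must obtain their own token through the auth method, so a successful login shows up in the Vault audit log with the `auth/aws` path rather than `"token_type": "default"`.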

I’m not sure if this is one, but Consul has quite a lot of settings that can be placed in the config file, which are only used when bootstrapping a new cluster, and thereafter need to be adjusted via the API.

I’m discovering! We’ve been building up our environment using Ansible to generate .hcl files, so this difference is something that’s significant. I’m currently using `consul connect ca set-config -config-file=/path/to/file` instead and that does work to update the config. Still not working to do AWS IAM authentication yet, though.