Issue with Vault AWS IAM authentication

Hello,

I have an issue when I want to authenticate using the AWS IAM authentication of Vault.
What I want to do is to be able to connect from another AWS account to the Vault. I want any role to be able to request the Vault, since I don’t want to add them myself every time the owner of the other account creates a new role for his EC2 or Lambda.

I saw in the documentation that it is possible to put a wildcard in “bound_iam_principal_arn”.
Here is the configuration for my role in Vault:

{
  "request_id": "478a791d-67c4-b7a3-8832-d8a831811eca",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "allow_instance_migration": false,
    "auth_type": "iam",
    "bound_account_id": [],
    "bound_ami_id": [],
    "bound_ec2_instance_id": null,
    "bound_iam_instance_profile_arn": [],
    "bound_iam_principal_arn": [
      "arn:aws:iam::123456789012:role/*"
    ],
    "bound_iam_principal_id": [],
    "bound_iam_role_arn": [],
    "bound_region": [],
    "bound_subnet_id": [],
    "bound_vpc_id": [],
    "disallow_reauthentication": false,
    "inferred_aws_region": "",
    "inferred_entity_type": "",
    "policies": [
      "aws_dev"
    ],
    "resolve_aws_unique_ids": true,
    "role_id": "10b537cb-86c6-7154-4cd1-9ad294c525dc",
    "role_tag": "",
    "token_bound_cidrs": [],
    "token_explicit_max_ttl": 0,
    "token_max_ttl": 0,
    "token_no_default_policy": false,
    "token_num_uses": 0,
    "token_period": 0,
    "token_policies": [
      "aws_dev"
    ],
    "token_ttl": 0,
    "token_type": "default"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

My STS role (the role name is the account number where the STS is):

{
  "request_id": "f9e690b2-87d7-0b63-de4f-bda8a04a0ed5",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "sts_role": "arn:aws:iam::123456789012:role/test-assume-role-from-vault-dev"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Here is the AWS policy attached to :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "iam:GetInstanceProfile",
                "iam:GetUser",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

I also have a trust relationship that allows me to assume a role in the other account.

curl -X POST "http://<URL>/v1/auth/aws/login" -d '{
    "role":"dev",
    "iam_http_request_method": "POST",
    "iam_request_url": " ",
    "iam_request_body":" ", 
    "iam_request_headers": " " }'

I wanted to use this curl command to log in using the AWS IAM auth of Vault from an EC2 in the other account. I understood that it has to be encoded in Base64 (https://www.vaultproject.io/api-docs/auth/aws/#iam_http_request_method):

Does the information given in the documentation not have to be changed?
Only “iam_request_headers” must be unique, but where can I get it ?