I have been experimenting with using the AWS secrets backend to generate dynamic assumed_role credentials. I would like to be able to revoke the lease associated with these credentials; however, when I attempt to revoke the lease for an assumed_role credential using the Vault CLI, it succeeds with the following output:
Success! Revoked lease: aws/creds/my-app/<lease-id>
Even though the CLI says the lease was revoked, the credentials associated with it are still valid. I confirmed that revoking leases for iam_user AWS secrets invalidates the credentials as expected, so this behavior appears to be limited to assumed_role AWS secrets.
Is this expected behavior for assumed_role secrets, or am I perhaps missing a configuration option?