Vault AWS AssumeRole & Wildcards

Trying to figure out the most idiomatic way to provision an assume_role cred for my large, dynamic AWS environment with 800+ accounts.

My thought was to provision a Vault role in each account and allow my Vault role to assume it. Unfortunately, it seems that the allowed role ARNs field does not support wildcards, meaning I'd have to watch for new accounts and provision a new entry in this field. This just does not feel right – is there a more idiomatic solution I am missing?

PoC MR: Allow wildcards in AssumeRole by bdwyertech · Pull Request #21741 · hashicorp/vault · GitHub