Vault AWS auth method -- how to use wildcards in bound_iam_principal_arn?

The documentation states that

The bound ARN allows specifying a wildcard at the end of the bound ARN. For example, if the bound ARN were  `arn:aws:iam::123456789012:*`  it would allow any principal in AWS account 123456789012 to login to it. Similarly, if it were  `arn:aws:iam::123456789012:role/*`  it would allow any IAM role in the AWS account to login to it.


$ vault write --address auth/aws/role/aws-auth-role--iam-user auth_type=iam bound_iam_principal_arn='arn:aws:sts::0123456789012:user/VMWare'

$ vault login --address -method=aws role=aws-auth-role--iam-user
Success! You are now authenticated. The token information displayed below
Key                                Value
---                                -----
token                              s.xDrDViqeFEhdOpTHihe4qSth

but based on the documentation, this should work but doesn’t !

$ vault write --address auth/aws/role/aws-auth-role--iam-user auth_type=iam bound_iam_principal_arn='arn:aws:sts::123456789012:*'
Success! Data written to: auth/aws/role/aws-auth-role--iam-user

vault login --address -method=aws role=aws-auth-role--iam-user
Error authenticating: Error making API request.

Code: 400. Errors:

* IAM Principal "arn:aws:iam::123456789012:user/VMWare" does not belong to the role "aws-auth-role--iam-user"

CC @joelthompson

The reason is because your bound_iam_principal_arn is arn:aws:sts::123456789012:* while your actual principal is arn:aws:iam::123456789012:user/VMWare. Change sts to iam in your bound_iam_principal_arn.

Thanks. It works now!