The documentation states that
The bound ARN allows specifying a wildcard at the end of the bound ARN. For example, if the bound ARN were `arn:aws:iam::123456789012:*` it would allow any principal in AWS account 123456789012 to login to it. Similarly, if it were `arn:aws:iam::123456789012:role/*` it would allow any IAM role in the AWS account to login to it.
but
$ vault write --address http://127.0.0.1:8200 auth/aws/role/aws-auth-role--iam-user auth_type=iam bound_iam_principal_arn='arn:aws:sts::0123456789012:user/VMWare'
$ vault login --address http://127.0.0.1:8200 -method=aws role=aws-auth-role--iam-user
Success! You are now authenticated. The token information displayed below
...
Key                  Value
---                  -----
token                s.xDrDViqeFEhdOpTHihe4qSth
But based on the documentation, this should work, yet it doesn't!
$ vault write --address http://127.0.0.1:8200 auth/aws/role/aws-auth-role--iam-user auth_type=iam bound_iam_principal_arn='arn:aws:sts::123456789012:*'
Success! Data written to: auth/aws/role/aws-auth-role--iam-user
$ vault login --address http://127.0.0.1:8200 -method=aws role=aws-auth-role--iam-user
Error authenticating: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/aws/login
Code: 400. Errors:
* IAM Principal "arn:aws:iam::123456789012:user/VMWare" does not belong to the role "aws-auth-role--iam-user"
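An added example, not code from the post above or from Vault itself: a small Go model of how a bound principal ARN is checked against a caller. The one fact it leans on from the page is the form Vault quotes in its error, `arn:aws:iam::123456789012:user/VMWare`, i.e. the caller is rendered in the `iam::` service form with `assumed-role/RoleName/Session` folded down to `role/RoleName` before any comparison. Modelling a trailing `*` bind as a prefix match against that canonical form is my assumption here, as is the name-based comparison for exact binds (Vault by default resolves an exact `bound_iam_principal_arn` to the principal's unique ID at role-creation time, which this example does not reproduce). The type and function names (`principal`, `parsePrincipalARN`, `canonicalARN`, `matchesBoundARN`) are hypothetical; the account IDs and user name are the page's own.

```go
package main

import (
	"fmt"
	"strings"
)

// principal is a parsed IAM principal ARN. Simplified model for this example,
// not Vault's own type.
type principal struct {
	Partition string // "aws", "aws-cn", "aws-us-gov"
	AccountID string
	Type      string // "user" or "role" ("assumed-role" is folded into "role")
	Name      string
}

// parsePrincipalARN accepts the three shapes a caller can present:
//   arn:<partition>:iam::<account>:user/<path/>Name
//   arn:<partition>:iam::<account>:role/<path/>Name
//   arn:<partition>:sts::<account>:assumed-role/RoleName/SessionName
func parsePrincipalARN(arn string) (*principal, error) {
	parts := strings.Split(arn, ":")
	if len(parts) != 6 || parts[0] != "arn" {
		return nil, fmt.Errorf("unrecognized arn %q: expected 6 colon-separated parts starting with arn", arn)
	}
	if parts[2] != "iam" && parts[2] != "sts" {
		return nil, fmt.Errorf("unrecognized service %q in %q: expected iam or sts", parts[2], arn)
	}
	p := &principal{Partition: parts[1], AccountID: parts[4]}
	res := strings.Split(parts[5], "/")
	switch res[0] {
	case "user", "role":
		if len(res) < 2 || res[len(res)-1] == "" {
			return nil, fmt.Errorf("missing principal name in %q", arn)
		}
		p.Type = res[0]
		p.Name = res[len(res)-1] // any path components are dropped
	case "assumed-role":
		if len(res) != 3 || res[1] == "" {
			return nil, fmt.Errorf("assumed-role arn %q must be assumed-role/RoleName/SessionName", arn)
		}
		p.Type = "role" // an assumed role is bound by the role it was assumed from
		p.Name = res[1]
	default:
		return nil, fmt.Errorf("unrecognized principal type %q in %q", res[0], arn)
	}
	return p, nil
}

// canonicalARN renders the principal as arn:<partition>:iam::<account>:<type>/<name>,
// the form quoted in the "IAM Principal ... does not belong to the role" error.
// Note the service is always "iam" here, never "sts".
func (p *principal) canonicalARN() string {
	return fmt.Sprintf("arn:%s:iam::%s:%s/%s", p.Partition, p.AccountID, p.Type, p.Name)
}

// matchesBoundARN reports whether callerARN satisfies boundARN.
// A bound ARN ending in "*" is a prefix glob against the caller's canonical ARN
// (assumption for this example). An exact bound ARN is canonicalised and compared
// by name; real Vault resolves exact binds to the principal's unique ID instead
// when resolve_aws_unique_ids is on (the default), so that path is a simplification.
func matchesBoundARN(boundARN, callerARN string) (bool, error) {
	caller, err := parsePrincipalARN(callerARN)
	if err != nil {
		return false, err
	}
	canon := caller.canonicalARN()
	if strings.HasSuffix(boundARN, "*") {
		return strings.HasPrefix(canon, strings.TrimSuffix(boundARN, "*")), nil
	}
	bound, err := parsePrincipalARN(boundARN)
	if err != nil {
		return false, err
	}
	return bound.canonicalARN() == canon, nil
}

func main() {
	caller := "arn:aws:iam::123456789012:user/VMWare" // the principal from the error on this page
	for _, bound := range []string{
		"arn:aws:sts::123456789012:*",      // the wildcard bind from the page: the sts:: prefix never matches the iam:: canonical form
		"arn:aws:iam::123456789012:*",      // the form in the documentation: any principal in the account
		"arn:aws:iam::123456789012:user/*", // any user in the account
		"arn:aws:iam::123456789012:role/*", // roles only, so a user does not match
	} {
		ok, err := matchesBoundARN(bound, caller)
		fmt.Printf("%-36s -> match=%v err=%v\n", bound, ok, err)
	}
}
```

Running it prints a match only for the two `arn:aws:iam::123456789012:` binds; the `arn:aws:sts::123456789012:*` bind from the page is compared against `arn:aws:iam::123456789012:user/VMWare` and fails on the service segment. The practical check when a wildcard bind is rejected is therefore to compare the bind, character by character, against the principal string Vault prints in the 400 error rather than against the ARN the caller thinks it has.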