I have read the docs on this (AWS - Auth Methods | Vault by HashiCorp) but I don’t understand enough about the header_value to feel comfortable in my usage of it. While it does not fail, with my login requests I’ve set it to vault.service.consul everywhere (it works), and it doesn’t really make any sense to me after reading the docs a few times on it. Couldn’t anyone just punch in that string should they try to emulate some request?
I also found that when configuring vault_aws_auth_backend_role in terraform that I had to not provide
iam_server_id_header_value = "vault.service.consul"
…or login via an IAM role auth method would not work.
So what would be considered a secure best practice example of this and why is it used? Is there any way of filling in the gaps that might help me grasp beyond what the documentation provides, and the significance / usage of this value?
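An added example, not part of the original post and not Vault's own code: a sketch of the server-side check on the X-Vault-AWS-IAM-Server-ID header. It shows that the value is not a secret but a binding, so a signed sts:GetCallerIdentity request made for one Vault server is rejected by a server configured with a different value. The function names, the second host name and the request headers are constructed for illustration, and the signature itself is not verified here because AWS STS does that when the request is forwarded.

```python
import re

SERVER_ID_HEADER = "x-vault-aws-iam-server-id"

def signed_header_names(authorization):
    """Lowercase header names listed in a SigV4 Authorization header."""
    m = re.search(r"SignedHeaders=([^,\s]+)", authorization)
    return set(m.group(1).lower().split(";")) if m else set()

def check_server_id(headers, expected):
    """Return (ok, reason) for the headers of a signed GetCallerIdentity request.

    Hypothetical helper: the value must match this server's configured
    value AND be covered by the client's SigV4 signature.
    """
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get(SERVER_ID_HEADER)
    if value is None:
        return False, "server ID header missing"
    if value != expected:
        return False, "request was signed for a different server"
    if SERVER_ID_HEADER not in signed_header_names(h.get("authorization", "")):
        return False, "server ID header not covered by the signature"
    return True, "ok"

def sample_request(server_id, signed=True):
    """Constructed login headers; the signature is a placeholder, not real."""
    names = ["content-type", "host", "x-amz-date"]
    if signed:
        names.append(SERVER_ID_HEADER)
    return {
        "Host": "sts.amazonaws.com",
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "X-Amz-Date": "20240101T000000Z",
        "X-Vault-AWS-IAM-Server-ID": server_id,
        "Authorization": (
            "AWS4-HMAC-SHA256 "
            "Credential=AKIAIOSFODNN7EXAMPLE/20240101/us-east-1/sts/aws4_request, "
            "SignedHeaders=" + ";".join(names) + ", "
            "Signature=" + "0" * 64
        ),
    }

if __name__ == "__main__":
    req = sample_request("vault.service.consul")
    print(check_server_id(req, "vault.service.consul"))  # intended server
    print(check_server_id(req, "vault.prod.example"))    # same request, other server
    print(check_server_id(sample_request("vault.service.consul", signed=False),
                          "vault.service.consul"))       # header added but unsigned
```

Editing the header after signing to match another server does not help a replayed request, because the header is part of what the signature covers and STS would then reject it.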