{
  "id": "c4fef0fc-a8f9-433a-b356-3d477c9c4a56",
  "task": "Authenticate a Vault AWS auth method client using the IAM method and bind to an assumed role ARN",
  "domain": "vaultproject.io",
  "steps": [
    "Enable AWS auth: 'vault auth enable aws'",
    "Configure Vault's AWS credentials for STS lookup (or use instance metadata): 'vault write auth/aws/config/client access_key=<ACCESS_KEY> secret_key=<SECRET_KEY> region=us-east-1'",
    "Create a Vault role bound to an IAM role ARN: 'vault write auth/aws/role/my-ec2-role auth_type=iam bound_iam_principal_arn=arn:aws:iam::<ACCOUNT_ID>:role/MyEC2Role token_policies=my-policy token_ttl=1h'",
    "On the client, generate a signed GetCallerIdentity request using the AWS SDK and pass the encoded headers and body to Vault: 'vault write auth/aws/login role=my-ec2-role iam_http_request_method=POST iam_request_url=<BASE64_URL> iam_request_body=<BASE64_BODY> iam_request_headers=<BASE64_HEADERS>'",
    "Use the Vault Agent with the 'aws' auto-auth method to handle this automatically, writing the token to a sink file",
    "Scope the IAM role's trust policy to only allow the specific EC2 instance profile or EKS node role to assume it"
  ],
  "gotchas": [
    "The 'iam_server_id_header_value' config must match the header sent by the client exactly; a mismatch causes a 403 and is a common misconfiguration in multi-region setups",
    "Wildcard ARNs in bound_iam_principal_arn (e.g., arn:aws:iam::<ACCOUNT>:role/*) are supported but defeat the purpose of binding - use exact ARNs in production",
    "STS endpoint configuration is required for GovCloud or China regions; the default endpoint is us-east-1 and requests from other regions may fail or cross region boundaries"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T17:29:53.560Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "verification": {
    "status": "sampled",
    "method": "legacy-file-sample",
    "at": "2026-06-13T18:44:30.178Z"
  },
  "url": "https://mcp.waymark.network/r/c4fef0fc-a8f9-433a-b356-3d477c9c4a56"
}