Problem
When using the Vault AWS Secrets Engine to generate dynamic AWS credentials (IAM users with temporary access keys), user creation fails in AWS Organizations environments where Service Control Policies (SCPs) require specific tags to be present at resource creation time.
Although the Vault AWS role configuration includes tags, Vault appears to:
- Call CreateUser
- Call TagUser in a subsequent request
In environments with SCPs that deny IAM resource creation unless required tags are included in the create request, the initial CreateUser operation is denied before the tagging step can occur.
Expected Behavior
Vault should create IAM users with the configured tags included in the initial CreateUser request when possible, leveraging the AWS IAM CreateUser.Tags parameter.
This would allow Vault to operate in AWS Organizations environments that enforce mandatory tagging through SCPs.
Actual Behavior
Vault attempts to create the IAM user first and only applies tags afterward, resulting in an AWS authorization failure such as:
AccessDenied: User arn:aws:iam::123456789012:user/sre-vault-prod-admin-iam-user
is not authorized to perform: iam:CreateUser
Environment
- Vault version: 1.21.4 (version I run) and latest (tested for possible fix)
- AWS Secrets Engine
- AWS Organizations with SCPs enforcing tag-on-create requirements
- IAM user-based dynamic credentials
Reproduction Steps
- Configure an AWS Organization SCP that denies iam:CreateUser when required tags are missing.
- Configure a Vault AWS Secrets Engine role with user tags.
- Request dynamic credentials from Vault.
- Observe that the CreateUser operation is denied before tags are applied.
Possible Enhancement
If technically feasible, include configured user tags directly in the CreateUser API call instead of relying on a separate TagUser request. This would improve compatibility with AWS environments that enforce tag-on-create policies.
Problem
When using the Vault AWS Secrets Engine to generate dynamic AWS credentials (IAM users with temporary access keys), user creation fails in AWS Organizations environments where Service Control Policies (SCPs) require specific tags to be present at resource creation time.
Although the Vault AWS role configuration includes tags, Vault appears to:
In environments with SCPs that deny IAM resource creation unless required tags are included in the create request, the initial CreateUser operation is denied before the tagging step can occur.
Expected Behavior
Vault should create IAM users with the configured tags included in the initial CreateUser request when possible, leveraging the AWS IAM CreateUser.Tags parameter.
This would allow Vault to operate in AWS Organizations environments that enforce mandatory tagging through SCPs.
Actual Behavior
Vault attempts to create the IAM user first and only applies tags afterward, resulting in an AWS authorization failure such as:
Environment
Reproduction Steps
Possible Enhancement
If technically feasible, include configured user tags directly in the CreateUser API call instead of relying on a separate TagUser request. This would improve compatibility with AWS environments that enforce tag-on-create policies.