Skip to content

AWS Secrets Engine IAM user creation fails with tag-enforcing SCPs because tags are applied after CreateUser #32001

Description

@cgarcia576

Problem

When using the Vault AWS Secrets Engine to generate dynamic AWS credentials (IAM users with temporary access keys), user creation fails in AWS Organizations environments where Service Control Policies (SCPs) require specific tags to be present at resource creation time.

Although the Vault AWS role configuration includes tags, Vault appears to:

  1. Call CreateUser
  2. Call TagUser in a subsequent request

In environments with SCPs that deny IAM resource creation unless required tags are included in the create request, the initial CreateUser operation is denied before the tagging step can occur.

Expected Behavior

Vault should create IAM users with the configured tags included in the initial CreateUser request when possible, leveraging the AWS IAM CreateUser.Tags parameter.

This would allow Vault to operate in AWS Organizations environments that enforce mandatory tagging through SCPs.

Actual Behavior

Vault attempts to create the IAM user first and only applies tags afterward, resulting in an AWS authorization failure such as:

AccessDenied: User arn:aws:iam::123456789012:user/sre-vault-prod-admin-iam-user
is not authorized to perform: iam:CreateUser

Environment

  • Vault version: 1.21.4 (version I run) and latest (tested for possible fix)
  • AWS Secrets Engine
  • AWS Organizations with SCPs enforcing tag-on-create requirements
  • IAM user-based dynamic credentials

Reproduction Steps

  1. Configure an AWS Organization SCP that denies iam:CreateUser when required tags are missing.
  2. Configure a Vault AWS Secrets Engine role with user tags.
  3. Request dynamic credentials from Vault.
  4. Observe that the CreateUser operation is denied before tags are applied.

Possible Enhancement

If technically feasible, include configured user tags directly in the CreateUser API call instead of relying on a separate TagUser request. This would improve compatibility with AWS environments that enforce tag-on-create policies.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions