hashicorp / terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
Apache License 2.0

Is 'role_tag' allowed for AWS inferred 'iam' authentication #136

Open jan-polak opened 5 years ago

jan-polak commented 5 years ago

According to the documentation, role_tag should also be allowed for the inferred AWS 'iam' auth method:

https://github.com/hashicorp/vault/blob/master/website/source/docs/auth/aws.html.md#dynamic-management-of-policies-via-role-tags

The role_tag documentation specifies support for the inferred AWS 'iam' auth method as well:

role_tag - (Optional) If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

But I cannot proceed with creating such a role in Vault; it fails with an error.

I tracked it down to the 'if' check below in the code:

https://github.com/hashicorp/vault/blob/1e0b6a0d88159847e71b5f61ca3579978ff22309/builtin/credential/aws/path_role.go#L791

Is this a bug or am I missing something obvious?

Thanks for the feedback.

brikis98 commented 5 years ago

@Etiene Could you look into this?