hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault creates second AWS access key with AWS Static Roles after rotation period expires #27477

Closed ebarrett-Ocient closed 3 months ago

ebarrett-Ocient commented 3 months ago

Describe the bug

When managing an AWS IAM user's credentials using static roles, if a single access key exists and the rotation period expires, Vault will create a second key rather than rotate the existing key. At a minimum, this conflicts with Vault documentation that reads:

At each rotation, Vault will rotate the oldest existing credential.

Ideally, we should be able to maintain a single key with Vault. We have security requirements that specify keys must be rotated after X days. Essentially, the configured rotation_period would need to be X/2 in order for us to meet this requirement. Otherwise, the oldest key will not be rotated until twice the configured rotation_period has passed.

To Reproduce

Steps to reproduce the behavior:

  1. Within the AWS console, create IAM user my-test-user. Ensure no access keys exist.
  2. Run vault write aws/static-roles/test username=my-test-user rotation_period=300
  3. Within the AWS console, verify a single access key for my-test-user has been created.
  4. Wait five minutes. Within the AWS console, observe that there are now two access keys.

Expected behavior

Only a single access key should exist.

Environment:

robmonte commented 3 months ago

Hi @ebarrett-Ocient. If I'm not forgetting, this is by design. From the documentation there is a note that reads "Vault will create a new credential upon configuration, and if the maximum number of access keys already exist, Vault will rotate the oldest one. Vault must do this to know the credential."

The maximum number of keys for an IAM User is actually 2, so Vault first creates a second key on the static account user. On the next rotation, it then does what you quoted by rotating the key of the oldest credential, which will be your first one.

ebarrett-Ocient commented 3 months ago

@robmonte

I don't believe what I'm observing conflicts with the documentation. Per the documentation you quoted, upon configuration of a static role, Vault will rotate the oldest key upon configuration if it exists. In the scenario I'm describing, no IAM keys exist when the static role is configured so Vault creates one. Upon the expiration of the rotation period, rather than rotate the key it created, it creates a brand new one. Then, once the rotation period expires again, it rotates that original key.

If this is intentional, then I believe the documentation should be updated to better reflect this. Regardless of whether it's intentional or not, I believe it would be more valuable if Vault only ever maintained a single access key.

robmonte commented 3 months ago

@ebarrett-Ocient I think it is intentional, yeah. I believe the language is meant to imply "Vault will rotate the oldest access key only if the maximum number of keys already exist", meaning it will create new ones until the maximum is reached, whether starting with zero or one already.

I agree the wording on the documentation could make this more clear, thanks for the suggestion. I'll double-check my understanding with my team before committing to rewording that section.
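To make the two descriptions in this thread concrete, here is an added simulation that is not part of the issue and not Vault's static-role code. It models the behaviour robmonte describes and the reporter observed (create a new key on configuration and at each rotation while the IAM user is below the two-key maximum, then delete and replace the oldest), alongside the single-key behaviour the reporter expected, and reports the oldest age any key reaches. The 90-day requirement in main, the policy names and all type and function names are this example's own assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// awsMaxAccessKeys is the IAM limit of two access keys per user, as cited in the thread.
const awsMaxAccessKeys = 2

// accessKey is a simulated IAM access key. createdAt is the simulated clock reading
// at creation, an offset from role configuration rather than a wall-clock time.
type accessKey struct {
	id        int
	createdAt time.Duration
}

// policy selects which rotation behaviour the model follows (assumed names).
type policy int

const (
	// createUntilMax is the behaviour described in the thread: on configuration and
	// at each rotation, create a new key while the user is below the IAM maximum;
	// only once the maximum is reached is the oldest key deleted and replaced.
	createUntilMax policy = iota
	// rotateExisting is the behaviour the reporter expected: keep a single key
	// and replace it at every rotation.
	rotateExisting
)

// simulation is a simplified model written for this example; it is not Vault's
// static-role implementation.
type simulation struct {
	pol            policy
	rotationPeriod time.Duration
	now            time.Duration
	nextID         int
	keys           []accessKey   // oldest first
	maxKeyAge      time.Duration // oldest age any key reached before being deleted
	log            []string
}

// newSimulation configures the role, which in both policies creates the first key
// immediately ("Vault will create a new credential upon configuration").
func newSimulation(pol policy, rotationPeriod time.Duration) *simulation {
	s := &simulation{pol: pol, rotationPeriod: rotationPeriod}
	s.rotate()
	return s
}

// rotate applies one rotation event at the current simulated time.
func (s *simulation) rotate() {
	limit := awsMaxAccessKeys
	if s.pol == rotateExisting {
		limit = 1
	}
	if len(s.keys) >= limit {
		oldest := s.keys[0]
		age := s.now - oldest.createdAt
		if age > s.maxKeyAge {
			s.maxKeyAge = age
		}
		s.keys = s.keys[1:]
		s.log = append(s.log, fmt.Sprintf("t=%v delete key %d (age %v)", s.now, oldest.id, age))
	}
	s.keys = append(s.keys, accessKey{id: s.nextID, createdAt: s.now})
	s.log = append(s.log, fmt.Sprintf("t=%v create key %d (%d keys live)", s.now, s.nextID, len(s.keys)))
	s.nextID++
}

// run advances the clock through n rotation periods, rotating at the end of each.
func (s *simulation) run(n int) {
	for i := 0; i < n; i++ {
		s.now += s.rotationPeriod
		s.rotate()
	}
}

// liveKeys returns how many keys the simulated IAM user currently has.
func (s *simulation) liveKeys() int { return len(s.keys) }

// maxKeyAgeFor runs the model and reports the oldest age any key reached, which is
// the figure a "keys must be rotated after X days" requirement is measured against.
func maxKeyAgeFor(pol policy, rotationPeriod time.Duration, rotations int) time.Duration {
	s := newSimulation(pol, rotationPeriod)
	s.run(rotations)
	return s.maxKeyAge
}

func main() {
	const requirement = 90 * 24 * time.Hour // assumed: keys must be rotated after 90 days
	s := newSimulation(createUntilMax, requirement)
	s.run(3)
	for _, line := range s.log {
		fmt.Println(line)
	}
	fmt.Printf("createUntilMax, rotation_period=%v: max key age %v, %d keys live\n",
		requirement, s.maxKeyAge, s.liveKeys())
	fmt.Printf("createUntilMax, rotation_period=%v: max key age %v\n",
		requirement/2, maxKeyAgeFor(createUntilMax, requirement/2, 6))
	fmt.Printf("rotateExisting, rotation_period=%v: max key age %v\n",
		requirement, maxKeyAgeFor(rotateExisting, requirement, 3))
}
```

Under the described behaviour the first key is only deleted at the second rotation, so the oldest key always reaches twice rotation_period and the user ends up with two live keys, which is exactly the reporter's step 4 and the reason an X-day requirement needs rotation_period=X/2. Under the single-key policy the oldest age equals rotation_period.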