
Support for Identity Integration #2621

Open
2 tasks done
ikraemer-dd opened this issue Apr 11, 2024 · 0 comments
Labels
kind/enhancement Categorizes issue or PR as related to an improvement.


Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I agree to follow the Code of Conduct.

Problem Description

I would like to configure Identity Integration for AWS. Here is the way to do so using the Vault CLI:

# Mount path of the AWS auth method
PLUGIN_PATH="aws-iam"
# Select inferred_entity_id as the IAM alias metadata
vault write "auth/$PLUGIN_PATH/config/identity" iam_metadata=inferred_entity_id

The Vault doc explaining the details is here: https://developer.hashicorp.com/vault/api-docs/auth/aws#configure-identity-integration.

Metadata can be used e.g. for templated policies, hence leveraging the full potential of Vault. However, only default metadata are usable by default: the configuration highlighted above is a means to make others available.

Proposed Solution

Update the addAdditionalAuthConfig function, and add the parsing of a new configuration in case of an AWS auth configuration here.

Alternatives Considered

I asked in the Bank-Vaults Slack channel about this (https://outshift.slack.com/archives/CFJJW9L94/p1709145005160549) and got this idea:

I believe it's possible to set it up using configure command and a custom vault config file. However, we don't have any other custom integration or cases where we use this at the moment. If this is not sufficient, feel free to create a feature request in the BV repo and we will check it. Hope this helps!

I had a closer look at the configuration options that Vault accepts in a configuration file (see here for the official doc): Identity Integration cannot be configured that way.

Additional Information

No response

@ikraemer-dd ikraemer-dd added the kind/enhancement Categorizes issue or PR as related to an improvement. label Apr 11, 2024
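
How the alias metadata selected by the `config/identity` call in the issue would be consumed by a templated policy, as an added example that is not part of the original issue or of the Bank-Vaults code. The KV path, the policy layout, the function names and the accessor value are assumptions made for illustration; the field list follows the Vault AWS auth API documentation linked in the issue.

```shell
#!/bin/sh
# Added example: render a templated policy that reads AWS alias metadata.
# iam_metadata field names accepted by auth/<mount>/config/identity.
IAM_METADATA_FIELDS="account_id auth_type canonical_arn client_arn client_user_id inferred_aws_region inferred_entity_id inferred_entity_type"

# render_policy ACCESSOR KEY
# Prints HCL granting read on a per-identity KV v2 subtree (hypothetical path).
render_policy() {
    accessor=$1
    key=$2
    # Reject values that could break out of the {{...}} template expression.
    case $accessor in
        ''|*[!A-Za-z0-9_]*) echo "invalid mount accessor: $accessor" >&2; return 2 ;;
    esac
    case $key in
        ''|*[!a-z_]*) echo "invalid metadata key: $key" >&2; return 2 ;;
    esac
    # Only fields the AWS auth method can attach to an IAM alias are useful.
    case " $IAM_METADATA_FIELDS " in
        *" $key "*) ;;
        *) echo "unknown iam_metadata field: $key" >&2; return 2 ;;
    esac
    cat <<EOF
path "secret/data/instances/{{identity.entity.aliases.${accessor}.metadata.${key}}}/*" {
  capabilities = ["read"]
}
EOF
}

# apply_policy MOUNT KEY POLICY_NAME
# Needs a reachable Vault, a token allowed to do this, and jq; not run here.
apply_policy() {
    mount=$1
    key=$2
    name=$3
    accessor=$(vault auth list -format=json | jq -r --arg m "$mount/" '.[$m].accessor') || return 1
    vault write "auth/$mount/config/identity" iam_metadata="$key" || return 1
    render_policy "$accessor" "$key" | vault policy write "$name" -
}

# Offline demonstration with a constructed accessor value.
render_policy auth_aws_1a2b3c4d inferred_entity_id
```

`inferred_entity_id` is only populated for roles that have entity inference enabled, so a policy templated on it resolves to an empty path segment for other logins.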