vault_aws_secret_backend_role fails on a role ARN

[jasonmcintosh]

URL: PUT https://myvault/v1/aws/roles/deploy
Code: 500. Errors:

• 1 error occurred:
• Either policy or arn must be provided

Vault version v0.9.3

[jasonmcintosh]

resource "vault_aws_secret_backend_role" "role" {
  backend = "aws"
  name    = "deploy"
  arn     = "${aws_iam_role.myrole.arn}"
}

[nickwales]

The documentation asks for policy_arn, but that doesn't work either e.g.

resource "vault_aws_secret_backend_role" "role" {
  backend     = "aws"
  name          = "deploy"
  policy_arn  = "${aws_iam_role.myrole.arn}"
}

FWIW, policy does work e.g.

resource "vault_aws_secret_backend_role" "role" {
  backend     = "aws"
  name          = "deploy"
  policy = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
EOT

https://www.terraform.io/docs/providers/vault/r/aws_secret_backend_role.html#policy_arn

[joelthompson]

Heads up that I'm working on redoing some of this. I'm discussing the new behavior in hashicorp/vault#4229 and have it maybe 60% code complete.

[jasonmcintosh]

Note, just hit this again... the backend doesn't support the API methods vault does:
https://www.vaultproject.io/docs/secrets/aws/index.html#sts-assumerole

[cvbarros]

I resolution to this is via #259

[whume]

@cvbarros Hello, I am running into this issue as well. Is there goign to be a resolution soon? Would be great to get role_arns added via terraform. Thanks!

[zxpower]

Issue is still valid...