
Periodic token generated using AWS IAM auth is set to expire in 32 days #2825

Closed · shayangz opened this issue Jun 7, 2017 · 1 comment


shayangz commented Jun 7, 2017

According to the documentation, if a periodic token is generated by passing the optional period parameter to vault auth -method=aws, it should never expire as long as it's renewed in a timely manner.

When we create such tokens using a command like this:

$vault write auth/aws/role/iam-role auth_type=iam inferred_entity_type=ec2_instance inferred_aws_region=<region> bound_iam_principal_arn=arn:aws:iam::<account-id>:role/<role-name> bound_iam_instance_profile_arn=arn:aws:iam::<account-id>:instance-profile/<path> policies=dev bound_vpc_id=<vpc-id> period=6h
$vault auth -method=aws header_value=<header> role=iam-role

If we look up the token, vault says that it will expire in 32 days, which is unexpected.

$ ./vault token-lookup
Key              	Value
---              	-----
accessor         	<guid>
creation_time    	<ts>
creation_ttl     	21600
display_name     	<name>
expire_time      	2017-07-09T01:34:10.457705525Z
explicit_max_ttl 	0
id               	<guid>
issue_time       	2017-06-07T01:34:10.457702106Z
last_renewal     	2017-06-07T01:43:37.827921018Z
last_renewal_time	1496799817
meta             	map[inferred_entity_type:ec2_instance account_id:<account-id> auth_type:iam canonical_arn:arn:aws:iam::<account-id>:role/mesos-slave client_arn:arn:aws:sts::<account-id>:assumed-role/<role-name>/<instance-id> inferred_aws_region:<region> inferred_entity_id:<instance-id>]
num_uses         	0
orphan           	true
path             	auth/aws/login
policies         	[default dev]
renewable        	true
ttl              	2764225
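A post-login check of the kind this report calls for, written for this issue rather than taken from Vault or the reporter: it parses a constructed token-lookup output shaped like the one above and flags a token whose ttl or expire_time exceeds the configured period. The sample values, the function names and the duration grammar (a single number plus unit) are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample shaped like the `vault token-lookup` output quoted in the report.
SAMPLE_LOOKUP = """\
Key              \tValue
---              \t-----
creation_ttl     \t21600
expire_time      \t2017-07-09T01:34:10.457705525Z
issue_time       \t2017-06-07T01:34:10.457702106Z
last_renewal     \t2017-06-07T01:43:37.827921018Z
ttl              \t2764225
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Convert a Vault-style duration such as '6h' or '30m' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def parse_lookup(output):
    """Turn the two-column lookup table into a dict, skipping the two header rows."""
    fields = {}
    for line in output.splitlines()[2:]:
        key, _, value = line.partition("\t")
        fields[key.strip()] = value.strip()
    return fields

def _parse_rfc3339(ts):
    # Vault prints nanoseconds; Python's %f accepts at most six digits, so trim.
    ts = re.sub(r"\.(\d{6})\d*Z$", r".\1Z", ts)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_periodic_token(output, period):
    """Return findings for a token whose lifetime should be bounded by `period`."""
    f = parse_lookup(output)
    expected = parse_duration(period)
    findings = []
    if int(f["creation_ttl"]) != expected:
        findings.append(f"creation_ttl {f['creation_ttl']}s != period {expected}s")
    if int(f["ttl"]) > expected:
        findings.append(f"ttl {f['ttl']}s exceeds period {expected}s")
    # After a renewal the expiry is measured from the last renewal, not issue time.
    anchor = f.get("last_renewal", f["issue_time"])
    lifetime = (_parse_rfc3339(f["expire_time"]) - _parse_rfc3339(anchor)).total_seconds()
    if lifetime > expected:
        findings.append(f"expire_time is {lifetime:.0f}s after last renewal (> {expected}s)")
    return findings
```

Run against the sample it reports both the oversized ttl and the 32-day expiry; a correctly periodic token yields no findings.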
jefferai (Member) commented Jun 7, 2017

It looks like this didn't get added for the new IAM type. This will be fixed in the next release.
