5844 AWS Root Credential Rotation

[Valarissa]

This is to re-introduce the changes found in #7131

Output of a live run:

~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault secrets enable aws
Success! Enabled the aws secrets engine at: aws/

~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault write aws/config/root \
access_key=`echo $AWS_ACCESS_KEY_ID` \
secret_key=`echo $AWS_SECRET_ACCESS_KEY` \
region=us-east-2
Success! Data written to: aws/config/root

~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault write aws/roles/test-role \
credential_type=iam_user \
policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
EOF
Success! Data written to: aws/roles/test-role

~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault read aws/creds/test-role
Key                Value
---                -----
lease_id           aws/creds/test-role/rLU3oLqyBQbAZgtg00hMLnOx
lease_duration     768h
lease_renewable    true
access_key         AKIA****************
secret_key         Q********************************1
security_token     <nil>

~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault write -force aws/config/rotate-root
Key           Value
---           -----
access_key    AKIA****************

~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault read aws/config/root
Key             Value
---             -----
access_key      AKIA****************
iam_endpoint    n/a
max_retries     -1
region          us-east-2
sts_endpoint    n/a

~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault read aws/creds/test-role
Key                Value
---                -----
lease_id           aws/creds/test-role/HLYPlZeMo5L40idcX5c2J4mx
lease_duration     768h
lease_renewable    true
access_key         AKIA****************
secret_key         M********************************J
security_token     <nil>
~/hashicorp/vault (5844-aws-root-cred-rotation ✔) ᐅ vault write -force aws/config/rotate-root
Key           Value
---           -----
access_key    AKIA****************

[calvn]

Mostly did a diff scan since the original PR has been reviewed and approved.

[calvn]

Approved a bit too quick without looking at CI, but left some follow-up comments :)

[Valarissa]

Had to update the vendor files in order to get CI passing.

[tomhjp]

Generally LGTM. Given the endpoint in question, I don't think the race is likely to happen, but it also seems unnecessary to me. Perhaps I am just missing some context though.

[tomhjp]

Nit: Would Rotate Root Credentials be a slightly better title?

[Valarissa]

I copied all of the docs from a previous PR, unsure what others think about this.

[calvn]

The equivalent on AWS Secrets Engine refers this operation as "Rotate Root [IAM] Credentials", so I I think using that here as well is fine :)

[Valarissa]

Sounds good. Change to docs will be made after manual testing is finished 👍

[Valarissa]

Everything looks good, just pushed up a new commit to take care of this. :D

[tomhjp]

Wow TIL. I never thought about the need for this before.