Support STS assumed role
IAM Users are ok 95% of the time, but for EKS access it must map to specific IAM Users, not dynamic usernames. So therefore the temp credentials from Vault need to be added via further automation after Vault provisions the temp User.

To work around this, EKS supports access via IAM Role. So dynamic users can sts:AssumeRole into this static Role.

Vault supports this: https://developer.hashicorp.com/vault/docs/secrets/aws#sts-assumerole

The command to get the STS creds is: `vault write <AWS_MOUNT>/sts/<IAM_ROLE>`

The output is:

```
$ vault write aws-<censored>/sts/eks ttl=60m
Key                Value
---                -----
lease_id           aws-<censored>/sts/eks/MNA6pFNrOdZymYnbTLH0grgV
lease_duration     59m59s
lease_renewable    false
access_key         <AWS_ACCESS_KEY_ID>
arn                <SOME_AWS_ARN>
secret_key         <AWS_SECRET_ACCESS_KEY>
security_token     <AWS_SESSION_TOKEN>
ttl                59m59s
```

It would be great if this script can be adapted to also handle sts:AssumeRole mode of operation.
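The following is an added example, not part of the issue and not the script it refers to: one way a wrapper could turn Vault's response into AWS environment variables for both modes, including the session token that STS credentials require. It assumes the response was requested with `vault write -format=json`, where the fields shown above sit under a `data` object; the function names are hypothetical and the sample values are constructed.

```python
import json
import shlex

# Field names as shown in the issue's `vault write .../sts/eks` output,
# mapped to the environment variables the AWS CLI and SDKs read.
ENV_MAP = {
    "access_key": "AWS_ACCESS_KEY_ID",
    "secret_key": "AWS_SECRET_ACCESS_KEY",
    "security_token": "AWS_SESSION_TOKEN",
}

# Constructed sample of an STS-mode response (assumed -format=json layout).
SAMPLE_STS = json.dumps({
    "lease_id": "aws-example/sts/eks/CONSTRUCTED",
    "lease_duration": 3599,
    "renewable": False,
    "data": {
        "access_key": "ASIACONSTRUCTED",
        "secret_key": "secret/CONSTRUCTED",
        "security_token": "tok+CONSTRUCTED==",
        "ttl": 3599,
    },
})


def vault_creds_to_env(vault_json):
    """Map a Vault AWS response to env vars; works for IAM-user and STS modes."""
    data = json.loads(vault_json).get("data") or {}
    missing = [k for k in ("access_key", "secret_key") if not data.get(k)]
    if missing:
        raise ValueError("Vault response lacks: " + ", ".join(missing))
    env = {ENV_MAP[k]: data[k] for k in ("access_key", "secret_key")}
    # IAM-user mode returns no security_token; STS mode is unusable without it.
    if data.get("security_token"):
        env[ENV_MAP["security_token"]] = data["security_token"]
    return env


def export_lines(env):
    """Render shell lines; clear a stale token when the new creds have none."""
    lines = ["export {}={}".format(k, shlex.quote(v)) for k, v in env.items()]
    if "AWS_SESSION_TOKEN" not in env:
        # A leftover token from an earlier STS lease would break IAM-user keys.
        lines.append("unset AWS_SESSION_TOKEN")
    return lines


if __name__ == "__main__":
    print("\n".join(export_lines(vault_creds_to_env(SAMPLE_STS))))
```

Because the issue's output shows `lease_renewable false`, a wrapper built this way has to request fresh credentials before the TTL expires instead of renewing the lease.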