AWS Auth Backend rotate-root not working #12214

Closed
danieldethloff1993 opened this issue Jul 30, 2021 · 4 comments
Labels: auth/aws, bug, ecosystem

Comments

@danieldethloff1993
danieldethloff1993 commented Jul 30, 2021

Describe the bug
AWS Auth Backend rotate-root does not work: when the backend was previously configured with a static access_key and secret_key, the AWS credentials were rotated, but the new access_key and secret_key were not injected into the aws auth backend config.

To Reproduce
Steps to reproduce the behavior:

  1. Run vault auth enable aws
  2. Run vault write /auth/aws/config/client access_key=XXXXXXXXXXXXX secret_key=yyyyyyyyyyyyyyyy
  3. Run vault read auth/aws/config/client and notice the previously added access_key matches
  4. Run vault write -force /auth/aws/config/rotate-root and take a look at the access_key in the output
  5. Run vault read auth/aws/config/client and notice the access_key from rotate-root output doesn't match

Expected behavior
The Output from vault write -force /auth/aws/config/rotate-root and the access_key from vault read auth/aws/config/client after the rotation should match.

Environment:

  • Vault Server Version 1.7.2 (also tested 1.8.0)
  • Vault CLI Version 1.7.2 (also tested 1.8.0)
  • Server Operating System/Architecture: CentOS 7.9.2009
  • Client CLI OS: Ubuntu 18.04, Windows WSL

Vault server configuration file(s):

{
  "backend": {
    "consul": {
      "address": "<some-ip>:8500",
      "advertise_addr": "http://<server-ip>:8200",
      "path": "vault/"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_cert_file": "/vault/file/<cert.file>",
      "tls_key_file": "/vault/file/<key.file>"
    }
  },
  "ui": true,
  "telemetry": {
    "statsd_address": "<statsd_address>:<statsd-port>"
  }
}
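The five reproduction steps above, scripted so that step 5 becomes an explicit pass/fail check instead of an eyeball comparison. This is an added example, not part of the issue or of Vault's own code. It assumes VAULT_ADDR and VAULT_TOKEN are already exported, that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY hold the static IAM user key pair to configure, and that the IAM user may create and delete its own access keys (which rotate-root needs). The live run is gated behind RUN_LIVE=1; the two helper functions work on captured JSON and can be exercised without a Vault server.

```shell
#!/bin/sh
# Added example (not from the issue): scripts the reporter's reproduction steps
# and checks whether the key reported by rotate-root is the key the client
# config stores afterwards.
set -eu

# Pull "access_key" out of `vault ... -format=json` output read from stdin.
# Plain sed is used so the script does not depend on jq.
access_key_from_json() {
  sed -n 's/.*"access_key"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeeds (exit 0) when the key rotate-root returned is the key now stored in
# auth/aws/config/client; fails otherwise, which is the behaviour this issue reports.
rotation_applied() {
  rotated="$1"; stored="$2"
  [ -n "$rotated" ] && [ "$rotated" = "$stored" ]
}

# Live reproduction against a real Vault server (RUN_LIVE=1 and the vault CLI present).
reproduce() {
  vault auth enable aws || true   # already-enabled is fine for a rerun
  vault write auth/aws/config/client \
    access_key="$AWS_ACCESS_KEY_ID" secret_key="$AWS_SECRET_ACCESS_KEY"

  before=$(vault read -format=json auth/aws/config/client | access_key_from_json)
  rotated=$(vault write -force -format=json auth/aws/config/rotate-root | access_key_from_json)
  after=$(vault read -format=json auth/aws/config/client | access_key_from_json)
  echo "before=$before rotated=$rotated after=$after"

  if rotation_applied "$rotated" "$after"; then
    echo "OK: client config now holds the rotated access key"
  else
    echo "BUG: client config still holds $after but rotate-root returned $rotated" >&2
    return 1
  fi
}

if [ "${RUN_LIVE:-0}" = 1 ] && command -v vault >/dev/null 2>&1; then
  reproduce
fi
```

Run with RUN_LIVE=1 against a test mount only: rotate-root replaces the IAM user's key in AWS, so on an affected version the stored credentials are left pointing at a key that no longer exists, and the auth method stops being able to call AWS until the client config is rewritten by hand. The "before"/"rotated"/"after" line gives the three values to paste into a report.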
@danieldethloff1993
Author

Does nobody have an idea?

@pmmukh added the auth/aws, bug and ecosystem labels on Sep 1, 2021
@soeirosantos

+1 I'm having the same problem here and the odd behavior is easily reproducible.

@hsimon-hashicorp
Contributor

Hi folks! I've raised this with our engineering team, please hang tight while we review it. Appreciate your patience. :)

@Zlaticanin
Contributor

Fixed with #12715 .
