terraform vault role workaround
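terraform {
  required_providers {
    # Pinned to an exact release: the workaround below (an `external` data
    # source feeding the provider its token) is sensitive to provider
    # behaviour, so upgrades should be deliberate and reviewed.
    vault = {
      source  = "hashicorp/vault"
      version = "3.8.2"
    }
    # These two providers are used below (data "external", resource
    # "time_sleep") but were previously resolved implicitly from the hashicorp
    # namespace with no version constraint at all. Declaring them makes the
    # dependency visible; add `version` pins once tested releases are known.
    external = {
      source = "hashicorp/external"
    }
    time = {
      source = "hashicorp/time"
    }
  }
}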
# Delay token creation by a fixed 5 seconds before the assume-role below runs.
# Nothing here records why 5s is sufficient — presumably it lets something
# created earlier in the same apply (an IAM role or policy?) propagate before
# STS is called. TODO(review): confirm the real dependency and document it, or
# express it with depends_on instead of a sleep.
resource "time_sleep" "test" {
create_duration = "5s"
}
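# Get the token: run vault-aws.sh, which assumes the given AWS role via STS and
# logs in to Vault's AWS auth method as the given Vault role. The script must
# print {"token": "<vault client token>"} on stdout; that becomes
# data.external.aws_vault_token.result.token.
#
# SECURITY: like every data source, the result is persisted in Terraform
# state, so the Vault token is written to state in plaintext. Keep the TTL of
# the token the Vault role issues short, and protect/encrypt the state backend
# as you would any secret store.
data "external" "aws_vault_token" {
  depends_on = [time_sleep.test]

  # ${path.module} resolves the script relative to this module, so the lookup
  # no longer depends on the directory terraform is invoked from (the original
  # "./vault-aws.sh" only worked when run from the module directory).
  program = [
    "bash",
    "${path.module}/vault-aws.sh",
    "arn:aws:iam::xxxxxxxx:role/xxxxxxxxx", # AWS IAM role ARN to assume (placeholder)
    "xxxxxxxxxxx",                          # Vault AWS-auth role name (placeholder)
  ]
}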
# Initialise the provider (VAULT_ADDR is taken from the environment).
# The token is whatever vault-aws.sh printed, via the external data source.
provider "vault" {
token = data.external.aws_vault_token.result.token
# Use the supplied token directly instead of letting the provider mint a
# child token from it. The run is therefore bounded by the TTL the Vault
# AWS-auth role puts on the token — make sure that covers the longest expected
# plan/apply. Nothing in this configuration revokes the token afterwards; it
# simply expires.
skip_child_token = true
}
# Test by setting a secret.
# The "/data/" path segment together with the {"data": {...}} wrapper is the
# KV v2 write shape when going through this generic resource — presumably
# "mykvengine" is a KV v2 mount; confirm, since a v1 mount would store the
# wrapper literally.
# NOTE: data_json is stored in plaintext in Terraform state (as is the token
# above); treat the state file as a secret.
resource "vault_kv_secret" "secret" {
path = "mykvengine/data/mysecret"
data_json = jsonencode({data = {
test = "top",
foo = "bar"
}})
}
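#!/usr/bin/env bash
# vault-aws.sh — helper invoked by Terraform's `external` data source.
#
# Assumes an AWS IAM role with STS, logs in to Vault's AWS auth method using
# those temporary credentials, and prints the Vault client token as the
# single-key JSON object the `external` data source protocol expects:
#   {"token": "<vault client token>"}
# (The JSON query Terraform passes on stdin is not used.)
#
# Arguments:
#   $1 - AWS IAM role ARN to assume
#   $2 - Vault AWS-auth role name
# Environment:
#   VAULT_ADDR (and any other vault CLI settings) must already be set;
#   AWS credentials able to call sts:AssumeRole on $1 must be available to
#   the aws CLI.
# Outputs:
#   stdout - the JSON object above; stderr - progress and diagnostics.
# Exit status:
#   Non-zero if assume-role, jq, or vault login fails, so Terraform reports
#   the failure instead of proceeding with a bogus token.
set -euo pipefail

AWS_ROLE="${1:?usage: vault-aws.sh <aws-role-arn> <vault-role>}"
VAULT_ROLE="${2:?usage: vault-aws.sh <aws-role-arn> <vault-role>}"

echo "Attempting AWS Assume Role for $AWS_ROLE" >&2

# Keep the STS response in memory. The original wrote it to ./creds in the
# working directory — a predictable, umask-readable file holding live
# credentials that was only removed on the happy path.
creds="$(aws sts assume-role \
  --role-arn "$AWS_ROLE" \
  --role-session-name vaultSession \
  --duration-seconds 3600 \
  --output=json)"

# `jq -e` exits non-zero when the selected value is null, so a malformed STS
# response fails here rather than exporting the literal string "null".
AWS_ACCESS_KEY_ID="$(jq -er '.Credentials.AccessKeyId' <<<"$creds")"
AWS_SECRET_ACCESS_KEY="$(jq -er '.Credentials.SecretAccessKey' <<<"$creds")"
AWS_SESSION_TOKEN="$(jq -er '.Credentials.SessionToken' <<<"$creds")"
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
unset creds

echo "Logging in to Vault with AWS auth role $VAULT_ROLE" >&2

# -no-store: do not persist the token to ~/.vault-token through the token
# helper. Terraform receives it on stdout, and it should not also linger on
# disk. (It still ends up in Terraform state via the data source result.)
# The jq filter reduces the login response to the single string field the
# external data source accepts, and errors out if no client_token is present.
vault login -method=aws -no-store -format=json role="$VAULT_ROLE" \
  | jq '{ token: (.auth.client_token // error("vault login returned no client_token")) }'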