@stark525
Last active November 18, 2019 07:02
#!/usr/bin/env python
import boto3
import json
import base64


def headers_to_go_style(headers):
    retval = {}
    for k, v in headers.items():
        retval[k] = [v]
    return retval


def generate_vault_request(role_name=""):
    session = boto3.session.Session()
    # if you have credentials from non-default sources, call
    # session.set_credentials here, before calling session.create_client
    client = session.client('sts')
    endpoint = client._endpoint
    operation_model = client._service_model.operation_model('GetCallerIdentity')
    request_dict = client._convert_to_request_dict({}, operation_model)
    awsIamServerId = 'vault.example.com'
    request_dict['headers']['X-Vault-awsiam-Server-Id'] = awsIamServerId
    request = endpoint.create_request(request_dict, operation_model)
    # It's now signed...
    return {
        'iam_http_request_method': request.method,
        'iam_request_url': base64.b64encode(request.url.encode('ascii')),
        'iam_request_body': base64.b64encode(request.body.encode('ascii')),
        'iam_request_headers': base64.b64encode(json.dumps(headers_to_go_style(dict(request.headers)))),  # It's a CaseInsensitiveDict, which is not JSON-serializable
        'role': role_name,
    }


if __name__ == "__main__":
    print(json.dumps(generate_vault_request('TestRole')))

xxxVxxx commented Nov 18, 2019

b64encode needs it in byte format, so you need to encode it into that format from str, but then we need it back in str format so we need to later decode it. So we can overcome this problem by changing:
'iam_request_headers': base64.b64encode(json.dumps(headers_to_go_style(dict(request.headers)))),
to:
'iam_request_headers': base64.b64encode(json.dumps(headers_to_go_style(dict(request.headers))).encode()).decode(),
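
An added example, not part of the gist or the comment above: the bytes/str round trip applied to every base64 field under Python 3, plus a pre-send check that the `X-Vault-awsiam-Server-Id` header is present and listed in the SigV4 `SignedHeaders` of the `Authorization` header. The helper names, the sample request values and the idea of checking this on the client side are assumptions of this example; the credential and signature are constructed placeholders, and no boto3 call is made.

```python
import base64
import json
import re

SERVER_ID_HEADER = "X-Vault-awsiam-Server-Id"  # header name used in the gist


def b64_str(value):
    """Base64-encode str or bytes; return str so json.dumps accepts it."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_login_payload(method, url, body, headers, role_name):
    """Assemble the login fields from an already signed request."""
    go_style = {k: [v] for k, v in headers.items()}  # name -> list of values
    return {
        "iam_http_request_method": method,
        "iam_request_url": b64_str(url),
        "iam_request_body": b64_str(body),
        "iam_request_headers": b64_str(json.dumps(go_style)),
        "role": role_name,
    }


def check_payload(payload, expected_server_id):
    """Return a list of problems; empty means the header is set and signed."""
    headers = json.loads(base64.b64decode(payload["iam_request_headers"]))
    lowered = {k.lower(): v for k, v in headers.items()}
    problems = []
    if lowered.get(SERVER_ID_HEADER.lower()) != [expected_server_id]:
        problems.append("server id header missing or wrong")
    auth = lowered.get("authorization", [""])[0]
    match = re.search(r"SignedHeaders=([^,\s]+)", auth)
    signed = match.group(1).split(";") if match else []
    if SERVER_ID_HEADER.lower() not in signed:
        problems.append("server id header not covered by signature")
    return problems


# Constructed sample request: placeholder credential and signature.
SAMPLE_HEADERS = {
    SERVER_ID_HEADER: "vault.example.com",
    "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20191118/"
                     "us-east-1/sts/aws4_request, SignedHeaders=host;"
                     "x-amz-date;x-vault-awsiam-server-id, Signature=00",
}
SAMPLE = build_login_payload(
    "POST", "https://sts.amazonaws.com/",
    b"Action=GetCallerIdentity&Version=2011-06-15", SAMPLE_HEADERS, "TestRole")
```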
