AWS EC2 Identity Whitelist Tidy Not Working?

Dan Everton

Mar 23, 2017, 10:15:57 PM
to Vault
This is probably a misunderstanding on my part, but it looks like the scheduled task to tidy up the AWS EC2 identity whitelist is not working in our installation of Vault.

For example we have this instance:

$ vault read auth/aws-ec2/identity-whitelist/i-0dedfb15
Key                       Value
---                       -----
client_nonce              dbJCFzfl/49x1Y8/zOI3j7/JfVjA6ojaASOPY5DczR8DV2PU
creation_time             2016-10-13T05:32:56.475421062Z
disallow_reauthentication false
expiration_time           2016-11-14T05:41:08.03198636Z
last_updated_time         2016-10-13T05:41:08.03198636Z
pending_time              2016-10-13T02:27:00Z
role                      vault-test

Which should be well expired and deleted by now if I'm understanding the code correctly.

If I manually invoke the tidy endpoint I either get:

$ vault write -f auth/aws-ec2/tidy/identity-whitelist
Error writing data to auth/aws-ec2/tidy/identity-whitelist: Error making API request.

Code: 500. Errors:

* 1 error occurred:

* identity whitelist tidy operation already running

Or I get nothing and then a connection timeout:

$ vault write -f auth/aws-ec2/tidy/identity-whitelist


Error writing data to auth/aws-ec2/tidy/identity-whitelist: Put https://vault.example.com:8200/v1/auth/aws-ec2/tidy/identity-whitelist: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Any clues? We're using S3 as the physical backend (Consul for HA). My only guess at the moment is that the tidy task has so much to do now that it's taking too long and being terminated somehow.

Cheers,
Dan
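As an added example (not from the post above and not Vault's own code), a small Python helper that parses the `vault read` table quoted in the post, handles the nanosecond-precision timestamps Vault writes, and reports how far past `expiration_time` an entry is, so an operator can measure the backlog that tidy should be clearing. The sample output is constructed from the entry shown in the post.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: the `vault read` output quoted in the post above.
SAMPLE_OUTPUT = """\
Key                       Value
---                       -----
client_nonce              dbJCFzfl/49x1Y8/zOI3j7/JfVjA6ojaASOPY5DczR8DV2PU
creation_time             2016-10-13T05:32:56.475421062Z
disallow_reauthentication false
expiration_time           2016-11-14T05:41:08.03198636Z
last_updated_time         2016-10-13T05:41:08.03198636Z
pending_time              2016-10-13T02:27:00Z
role                      vault-test
"""

# RFC3339 with an optional fractional-seconds part of any length and a Z suffix.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_vault_time(value: str) -> datetime:
    """Parse a Go-style RFC3339Nano timestamp as written by Vault.

    Python's datetime keeps only microseconds, so a nanosecond fraction
    is truncated to six digits instead of being rejected.
    """
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def parse_vault_read(text: str) -> dict:
    """Turn the two-column `vault read` table into a dict of strings."""
    entry = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue  # skip the header and the dashed separator line
        entry[parts[0]] = parts[1].strip()
    return entry


def expired_for(entry: dict, now: datetime) -> Optional[timedelta]:
    """How long ago the whitelist entry expired, or None if still valid."""
    exp = parse_vault_time(entry["expiration_time"])
    return now - exp if now >= exp else None
```

Run over every entry listed under `auth/aws-ec2/identity-whitelist`, the number of entries with a non-None result (and their age) shows whether tidy has fallen behind.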