This is probably a misunderstanding on my part, but it looks like the scheduled task to tidy up the AWS EC2 identity whitelist is not working in our installation of Vault.
For example we have this instance:
$ vault read auth/aws-ec2/identity-whitelist/i-0dedfb15
Key Value
--- -----
client_nonce dbJCFzfl/49x1Y8/zOI3j7/JfVjA6ojaASOPY5DczR8DV2PU
creation_time 2016-10-13T05:32:56.475421062Z
disallow_reauthentication false
expiration_time 2016-11-14T05:41:08.03198636Z
last_updated_time 2016-10-13T05:41:08.03198636Z
pending_time 2016-10-13T02:27:00Z
role vault-test
Which should be well expired and deleted by now if I'm understanding the code correctly.
If I manually invoke the tidy endpoint I either get:
$ vault write -f auth/aws-ec2/tidy/identity-whitelist
Error writing data to auth/aws-ec2/tidy/identity-whitelist: Error making API request.
Code: 500. Errors:
* 1 error occurred:
* identity whitelist tidy operation already running
Or I get nothing and then a connection timeout:
$ vault write -f auth/aws-ec2/tidy/identity-whitelist
Any clues? We're using S3 as the physical backend (Consul for HA). My only guess at the moment is that the tidy task has so much to do now that it's taking too long and being terminated somehow.
Cheers,
Dan
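An added check, written for this thread and not taken from the post or from Vault's own tooling: it parses the two-column `vault read` output shown above and flags identity-whitelist entries whose expiration_time is already in the past, i.e. entries the tidy task should have removed. The second instance ID is a constructed, hypothetical entry; the only assumption is the key/value layout the post shows.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the `vault read` output quoted in the post, keyed by instance ID.
SAMPLE_ENTRIES = {
    "i-0dedfb15": """\
Key Value
--- -----
client_nonce dbJCFzfl/49x1Y8/zOI3j7/JfVjA6ojaASOPY5DczR8DV2PU
creation_time 2016-10-13T05:32:56.475421062Z
disallow_reauthentication false
expiration_time 2016-11-14T05:41:08.03198636Z
last_updated_time 2016-10-13T05:41:08.03198636Z
pending_time 2016-10-13T02:27:00Z
role vault-test
""",
    # Constructed second entry (hypothetical instance ID) that is still within its TTL.
    "i-0example1": """\
Key Value
--- -----
expiration_time 2017-01-20T00:00:00Z
role vault-test
""",
}

def parse_vault_read(text):
    """Parse two-column `vault read` output into a dict, skipping the header rows."""
    entry = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in ("Key", "---"):
            entry[parts[0]] = parts[1].strip()
    return entry

def parse_rfc3339(ts):
    """Vault prints Go RFC3339Nano (up to 9 fractional digits); strptime takes 6, so truncate."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError("unexpected timestamp format: " + ts)
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    dt = datetime.strptime(m.group(1) + "." + frac, "%Y-%m-%dT%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc)

def stale_whitelist_entries(entries, now):
    """Return {instance_id: whole seconds past expiration} for entries tidy should have removed."""
    stale = {}
    for instance_id, text in entries.items():
        expiry = parse_rfc3339(parse_vault_read(text)["expiration_time"])
        if expiry < now:
            stale[instance_id] = int((now - expiry).total_seconds())
    return stale
```

Run `stale_whitelist_entries(SAMPLE_ENTRIES, datetime.now(timezone.utc))` against the output of `vault read` for each whitelisted instance to see how far behind the tidy task actually is.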