Figured this wouldn't be a bad place to ask even though it's only tangentially related to Terraform.
At work, we've been using Hashicorp Vault to issue temporary credentials in AWS and Azure. It's your typical setup where each TF workspace authenticates to Vault and requests credentials for AWS; Vault goes to AWS STS, tells it which IAM role to issue credentials against, returns the credentials, and then TF does its thing.
Same idea in Azure and soon GCP.
Outside of work and for my personal experiments, I've been using GitHub Actions with an OIDC provider I configured in my AWS account, and whenever the Actions workflow runs, it just does what Vault does for us at work, i.e. goes to AWS STS to obtain AWS credentials.
To me the result is the same as with Vault, in that Terraform is given credentials that exist only in memory in a secure environment, are never revealed in plain text, and are revoked after 1 hour.
What benefit -- if any -- does Hashicorp Vault provide in this setup? I'm not seeing any but let me know if I'm missing anything.
I am aware that Vault does a bunch of other things and I'm not questioning its value for those other applications, but that's not what I'm asking. I'm just wondering if we could conceivably cut Vault out of the credentialing process in our IaC workflow without losing functionality.
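Whether Vault brokers the STS call or a GitHub Actions workflow calls `AssumeRoleWithWebIdentity` directly, the role's trust policy is what decides which workflows can obtain those one-hour credentials. The script below is an added example (not from the post or from HashiCorp/AWS) that lints an IAM trust policy for the two conditions that matter in the direct-OIDC setup: an `aud` pinned to `sts.amazonaws.com` and a `sub` constraint narrower than "any repository". The sample policies, the `example-org/example-repo` name and the `123456789012` account id are constructed for the example.

```python
"""Lint an IAM role trust policy used for GitHub Actions OIDC federation.

Added example, not the original post's or any vendor's code. Checks that
every statement allowing sts:AssumeRoleWithWebIdentity from the GitHub OIDC
provider pins the audience and restricts the subject claim.
"""
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"


def _as_list(value):
    """IAM policy JSON allows a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _statement_uses_github_oidc(stmt):
    principal = stmt.get("Principal", {})
    federated = principal.get("Federated") if isinstance(principal, dict) else None
    if federated is None:
        return False
    return any(GITHUB_OIDC_HOST in str(arn) for arn in _as_list(federated))


def _condition_values(conditions, operator_prefix, key_suffix):
    """Collect values for the GitHub claim `key_suffix` under condition
    operators starting with `operator_prefix` (e.g. StringEquals, StringLike)."""
    values = []
    for operator, kv in conditions.items():
        if not operator.startswith(operator_prefix):
            continue
        for key, val in kv.items():
            if key == f"{GITHUB_OIDC_HOST}:{key_suffix}":
                values.extend(str(v) for v in _as_list(val))
    return values


def _sub_is_overly_broad(sub_pattern):
    """A sub pattern matching every repository lets any GitHub account assume the role."""
    p = sub_pattern.strip()
    return p in ("*", "repo:*", "repo:*:*") or p.startswith("repo:*:")


def check_trust_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if not _statement_uses_github_oidc(stmt):
            continue
        cond = stmt.get("Condition", {})
        aud = _condition_values(cond, "StringEquals", "aud")
        if aud != [EXPECTED_AUD]:
            findings.append(f"statement {idx}: aud must be StringEquals {EXPECTED_AUD!r}, got {aud}")
        subs = (_condition_values(cond, "StringEquals", "sub")
                + _condition_values(cond, "StringLike", "sub"))
        if not subs:
            findings.append(f"statement {idx}: no sub condition; any GitHub repository could assume this role")
        for s in subs:
            if _sub_is_overly_broad(s):
                findings.append(f"statement {idx}: sub pattern {s!r} matches every repository")
    return findings


# Constructed sample (placeholder account id): aud pinned but sub left open.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC_HOST}:aud": EXPECTED_AUD}},
    }],
}

# Constructed sample: same policy, limited to one repository's main branch.
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
HARDENED_POLICY["Statement"][0]["Condition"]["StringLike"] = {
    f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/example-repo:ref:refs/heads/main"
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_trust_policy(pol) or "ok")
```

Run it against the JSON exported from `aws iam get-role` (the `AssumeRolePolicyDocument` field) to see whether a workflow-to-STS setup is actually scoped to the repositories and branches you intend; the same `sub`/`aud` scoping applies to any OIDC trust, including the one Vault's own AWS secrets engine would be fronting.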