## The AWS Auth Engine Users of the AWS Auth Engine may notice less metadata in their audit logs and associated with the aliases generated by logging in. This is because we corrected a regression where more metadata had been added by default, causing a performance impact for some users at scale. Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields: - `iam_metadata` `(string: "default")` - The metadata to include on the token returned by the `login` endpoint. This metadata will be added to both audit logs, and on the `iam_alias`. By default, it includes `account_id` and `auth_type`. Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`, `inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata, set to `""` via the CLI or `[]` via the API. To use only particular fields, select the explicit fields. To restore to defaults, send only a field of `default`. **Only select fields that will have a low rate of change** for your `iam_alias` because each change triggers a storage write and can have a performance impact at scale. - `ec2_metadata` `(string: "default")` - The metadata to include on the token returned by the `login` endpoint. This metadata will be added to both audit logs, and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`. Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata, set to `""` via the CLI or `[]` via the API. To use only particular fields, select the explicit fields. To restore to defaults, send only a field of `default`. **Only select fields that will have a low rate of change** for your `ec2_alias` because each change triggers a storage write and can have a performance impact at scale. At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset, the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of change for _those_ aliases. This was selected because it will cover _most_ use cases. However, the AWS Auth Engine has many use cases, so please do configure the aliases and metadata that makes sense for your organization.