
How to drop login on AWS RDS SQL Server without sysadmin using Hashicorp Vault

Question:

"The MSSQL plugin supports databases running on AWS RDS, but there are differences that need to be accommodated. A key limitation is that Amazon RDS doesn't support the "sysadmin" role, which is used by default during Vault's revocation process for MSSQL"

Answer: This does come across as confusing. Firstly, the HashiCorp revocation process is not an issue if the Vault user, i.e. the login Vault uses to connect to the SQL Server instance, is a member of the sysadmin role.

But, as noted, AWS RDS for SQL Server does not allow sysadmin membership for any login. If you attempt to add a login to the sysadmin role, the following error is returned:

Msg 15151, Level 16, State 1, Line 20
Cannot alter the server role 'sysadmin', because it does not exist or you do not have permission.

A HashiCorp workaround is therefore required, which basically means creating the Vault role with custom revocation statements. These drop the database user and then the login explicitly, so that revocation does not rely on sysadmin:

vault write database/roles/my-role revocation_statements="\
  USE my_database; \
  IF EXISTS \
    (SELECT name \
     FROM sys.database_principals \
     WHERE name = N'{{name}}') \
  BEGIN \
    DROP USER [{{name}}] \
  END \
  IF EXISTS \
    (SELECT name \
     FROM master.sys.server_principals \
     WHERE name = N'{{name}}') \
  BEGIN \
    DROP LOGIN [{{name}}] \
  END"

This works when the root (connection) login Vault uses does not have sysadmin, because DROP USER needs only ALTER ANY USER in the database and DROP LOGIN needs only ALTER ANY LOGIN at server scope. One caveat: these statements do not end open sessions, and DROP LOGIN fails with Msg 15434 while the login is still connected, so either make sure the application has disconnected before the lease expires or terminate the login's sessions ahead of the DROP LOGIN.
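The following T-SQL is an added example, not code from the original post or from HashiCorp's documentation. It carries out the same revocation logic as the Vault role above as a stand-alone script you can run as the RDS master user (or whichever non-sysadmin login Vault connects with) to confirm, before Vault depends on it, that the login holds the needed permissions and that the drop order works. It goes slightly beyond the role definition by checking permissions up front, ending the login's open sessions, quoting the name with QUOTENAME, and verifying the result. The login name and database name are placeholders.

```sql
-- Added example (not from the original post or from HashiCorp): the Vault
-- revocation logic as a stand-alone T-SQL script for a non-sysadmin login.
-- @login_name and @db_name are placeholders; substitute a real dynamic login.
DECLARE @login_name sysname = N'v-token-my-role-example';   -- hypothetical name
DECLARE @db_name    sysname = N'my_database';
DECLARE @sql        nvarchar(max);

-- 1. Permission pre-check. DROP LOGIN needs ALTER ANY LOGIN at server scope
--    and DROP USER needs ALTER ANY USER in the database; neither needs sysadmin.
--    HAS_PERMS_BY_NAME evaluates the login running this script.
IF HAS_PERMS_BY_NAME(NULL, NULL, N'ALTER ANY LOGIN') = 0
    THROW 50001, N'Current login lacks ALTER ANY LOGIN; DROP LOGIN would fail.', 1;
IF HAS_PERMS_BY_NAME(@db_name, N'DATABASE', N'ALTER ANY USER') = 0
    THROW 50002, N'Current login lacks ALTER ANY USER in the target database.', 1;

-- 2. A login with an open session cannot be dropped (Msg 15434), so end its
--    sessions first. KILL needs ALTER ANY CONNECTION; seeing other logins'
--    sessions in sys.dm_exec_sessions needs VIEW SERVER STATE.
DECLARE @session_id int;
DECLARE sessions CURSOR LOCAL FAST_FORWARD FOR
    SELECT session_id FROM sys.dm_exec_sessions WHERE login_name = @login_name;
OPEN sessions;
FETCH NEXT FROM sessions INTO @session_id;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'KILL ' + CAST(@session_id AS nvarchar(10)) + N';';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM sessions INTO @session_id;
END;
CLOSE sessions;
DEALLOCATE sessions;

-- 3. Drop the database user first, then the login: the same order and the
--    same existence checks as the Vault revocation_statements. QUOTENAME
--    keeps an unexpected character in the name from escaping the identifier.
SET @sql = N'USE ' + QUOTENAME(@db_name) + N'; '
         + N'IF EXISTS (SELECT 1 FROM sys.database_principals '
         + N'WHERE name = N' + QUOTENAME(@login_name, '''') + N') '
         + N'DROP USER ' + QUOTENAME(@login_name) + N';';
EXEC sp_executesql @sql;

IF EXISTS (SELECT 1 FROM master.sys.server_principals WHERE name = @login_name)
BEGIN
    SET @sql = N'DROP LOGIN ' + QUOTENAME(@login_name) + N';';
    EXEC sp_executesql @sql;
END;

-- 4. Verify: both queries must return zero rows; otherwise revocation left
--    an orphaned database user or a live login behind.
SET @sql = N'USE ' + QUOTENAME(@db_name) + N'; '
         + N'SELECT name AS orphaned_user FROM sys.database_principals '
         + N'WHERE name = N' + QUOTENAME(@login_name, '''') + N';';
EXEC sp_executesql @sql;
SELECT name AS remaining_login
FROM master.sys.server_principals
WHERE name = @login_name;
```

Run it while connected as the same login Vault's database connection uses: the two HAS_PERMS_BY_NAME checks then answer exactly the question the Vault docs leave open, namely whether that login can revoke credentials without sysadmin. If you want the session termination in Vault itself, the KILL loop can be added to revocation_statements ahead of the DROP LOGIN, provided the connection login holds ALTER ANY CONNECTION.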



This post first appeared on SQLSERVER-DBA.com.
