AD engine rotation, service_account_name


Do you know why, when you set a role on the AD engine with a service_account_name = myapp@my.domain, you get username=myapp (so without @my.domain) on the ‘creds’ request?

It’s a problem, some applications need the @ part.

Thank you

Active Directory is confusing… every account has two different “usernames”, the sAMAccountName and userPrincipalName LDAP attributes.

Because of this, people are used to addressing AD accounts in different ways.

The authors of the Vault AD secrets engine seem to have chosen to chop the @domain off the userPrincipalName before returning it in the creds read response - presumably to get closer to what people usually think of as a username… this seems like a bug to me - but it only affects people with more complex setups, which is probably why it has so far gone unfixed.
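A consumer-side workaround for the behaviour described above, as an added example that is not code from this thread or from Vault itself: it rebuilds the UPN from the role's service_account_name and refuses to do so when the creds username does not match the role's account. The field names (service_account_name, username, current_password, last_password) are those of the AD engine's role and creds read responses; the values are constructed.

```python
# Added example (not from the thread or from Vault): reconstruct the
# userPrincipalName form from what the Vault AD secrets engine returns.
# Field names follow the engine's role and creds read responses; the
# sample values below are constructed.

# Constructed sample of `vault read ad/roles/myrole`
ROLE = {"service_account_name": "myapp@my.domain", "ttl": 3600}

# Constructed sample of `vault read ad/creds/myrole`
CREDS = {"username": "myapp", "current_password": "<redacted>", "last_password": ""}


def upn_from_vault(role: dict, creds: dict) -> str:
    """Return 'user@domain' given the role config and a creds read response.

    The creds response carries only the sAMAccountName-style username, so the
    domain is taken from the role's service_account_name. The local parts are
    compared (case-insensitively, as AD treats them) so a mismatched role/creds
    pair raises instead of silently producing a UPN for the wrong account.
    """
    sa_name = role["service_account_name"]
    if "@" not in sa_name:
        raise ValueError(f"service_account_name has no domain part: {sa_name!r}")
    local, domain = sa_name.split("@", 1)
    username = creds["username"]
    if username.lower() != local.lower():
        raise ValueError(
            f"creds username {username!r} does not match role account {local!r}"
        )
    return f"{username}@{domain}"


if __name__ == "__main__":
    print(upn_from_vault(ROLE, CREDS))  # → myapp@my.domain
```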

Thank you
It seems to be intentional (there is a comment in the code).
I opened an issue. I suggested adding an option to choose how the username is written.