Hi, we are refactoring the current setup we have for Vault.
We are using the Kubernetes authentication, with some generic policies attached to the service account by using some generic roles. In our case, the Vault users would be Kubernetes Service Accounts.
We would like to restrict the permissions of the users, without creating one policy and one role for each user.
We would like to be able to generate one policy that can be re-used using the ACL templating capability.
We have set up the Kubernetes auth method and we are able to read the service account name and the namespace as metadata.
We can customise our policies up to a certain point using the metadata, as the service account name and the namespace are accessible as mount accessor metadata:
{{identity.entity.aliases.%s.metadata.service_account_name}}
I would like to understand if it is possible, and how, to specify extra metadata that can then be used, whether as mount accessor or user metadata; it does not matter which.
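The pattern the post describes, one templated policy reused by every service account, as an added example that is not part of the original post and not HashiCorp's own code. The Kubernetes auth method populates the alias metadata keys `service_account_name` and `service_account_namespace`, so the policy below scopes each caller to its own KV prefix without a per-user policy; the same template syntax also accepts `identity.entity.metadata.<key>` for metadata written onto the entity itself, which is one route to the "extra metadata" the post asks about. Assumed here: a KV v2 engine mounted at `secret/`, the auth mount at `auth/kubernetes`, and the hypothetical role name `workload` and namespaces `team-a,team-b`.

```shell
#!/bin/sh
# Added example: a single templated Vault ACL policy keyed on the alias
# metadata that the Kubernetes auth method sets. Assumptions (not from the
# post): KV v2 at "secret/", auth mount "auth/kubernetes", role "workload".

# Render the policy text for a given mount accessor. The accessor is fixed at
# deploy time (see apply_policy); the {{...}} variables are resolved by Vault
# on every request, so each service account only reaches its own prefix.
render_policy() {
    accessor="$1"
    cat <<EOF
# Each caller may only read secret/<namespace>/<service account name>/*
path "secret/data/{{identity.entity.aliases.${accessor}.metadata.service_account_namespace}}/{{identity.entity.aliases.${accessor}.metadata.service_account_name}}/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/{{identity.entity.aliases.${accessor}.metadata.service_account_namespace}}/{{identity.entity.aliases.${accessor}.metadata.service_account_name}}/*" {
  capabilities = ["list"]
}
# Optional extra scoping on metadata written to the entity itself, e.g.
#   vault write identity/entity/id/<entity id> metadata=team=<team>
# The "team" key is a hypothetical name chosen for this example.
path "secret/data/shared/{{identity.entity.metadata.team}}/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Look up the accessor and install the policy and role.
# Requires VAULT_ADDR and VAULT_TOKEN in the environment; not run by the test.
apply_policy() {
    accessor=$(vault auth list -format=json | jq -r '."kubernetes/".accessor')
    render_policy "$accessor" | vault policy write k8s-workload -
    # One role for all service accounts in the listed namespaces (hypothetical
    # names); the templated policy still confines each caller to its own path.
    vault write auth/kubernetes/role/workload \
        bound_service_account_names='*' \
        bound_service_account_namespaces='team-a,team-b' \
        token_policies=k8s-workload
}
```

Run `apply_policy` once per Vault cluster; `render_policy <accessor>` can be used on its own to inspect the generated policy. Note that the accessor is specific to the mount, so the policy must be re-rendered if the auth method is ever re-mounted.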