Add custom metadata in the token

Hi, we are refactoring the current setup we have for Vault.

We are using the Kubernetes authentication, with some generic policies attached to the service account by using some generic roles. In our case, the Vault users would be Kubernetes Service Accounts.
We would like to restrict the permissions of the users, without creating one policy and one role for each user.

We would like to be able to generate one policy that can be re-used using the ACL templating capability.
We have set up the Kubernetes auth method and we are able to read the service account name and the namespace as metadata.

We can customise our policies up to a certain point using the metadata, as the service account name and the namespace are accessed as mount accessor metadata:

{{identity.entity.aliases.%s.metadata.service_account_name}}

I would like to understand if it is possible, and how, to specify extra metadata that can then be used, as mount accessor or user, it does not matter.

@emas80 Were you ever able to find a solution or workaround for this? I am running into something similar and would like to create templated policies based on more metadata from the Kubernetes auth method than just the service_account_name and service_account_namespace.

Hi, custom metadata from the service account is not possible. Vault will read only preconfigured metadata (uid, sa name, namespace, sa token); however, custom metadata can be introduced by creating entities and aliases from the SA guid or name.

Check out this tutorial: Recommended Pattern for Vault ACL Policy Path Templates | Vault | HashiCorp Developer
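The entity-and-alias approach from the answer above, as an added example that is not from the thread or from HashiCorp: the service account's Kubernetes auth alias is bound to an entity that carries a custom `team` metadata key, and a single templated policy reads that key. It assumes a reachable Vault (VAULT_ADDR/VAULT_TOKEN), the Kubernetes auth method mounted at `kubernetes/` with a role already bound to the service account, `jq` on PATH, and placeholder values (`payments-app`, `payments`, `$SA_UID`) that you replace with your own.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): attach custom metadata to a Kubernetes
# service account by binding its auth alias to a Vault entity, then reference
# that metadata from one reusable policy. Names and values are placeholders.

# Render the templated policy. Entity metadata is reached via
# {{identity.entity.metadata.<key>}}, unlike the per-mount alias metadata
# ({{identity.entity.aliases.<accessor>.metadata.service_account_name}}).
render_policy() {
  key="$1"   # metadata key, e.g. team
  cat <<EOF
# One policy for every team: the path is resolved per entity at request time.
path "secret/data/{{identity.entity.metadata.${key}}}/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/{{identity.entity.metadata.${key}}}/*" {
  capabilities = ["list"]
}
EOF
}

# Create (or update) an entity carrying the custom metadata and bind the
# Kubernetes auth alias of the service account to it.
# $1 = entity name, $2 = team value, $3 = alias name. The Kubernetes auth
# alias name is the service account UID by default; if the role sets
# alias_name_source=serviceaccount_name it is "<namespace>/<sa-name>".
attach_sa_to_entity() {
  entity="$1"; team="$2"; alias_name="$3"
  accessor=$(vault auth list -format=json | jq -r '."kubernetes/".accessor')
  vault write identity/entity name="$entity" policies=team-scoped \
      metadata=team="$team"
  entity_id=$(vault read -format=json "identity/entity/name/$entity" \
      | jq -r '.data.id')
  vault write identity/entity-alias name="$alias_name" \
      canonical_id="$entity_id" mount_accessor="$accessor"
}

# Only talks to Vault when invoked with "apply", so the functions can be
# sourced and checked without a live server.
if [ "${1:-}" = "apply" ]; then
  render_policy team > team-scoped.hcl
  vault policy write team-scoped team-scoped.hcl
  attach_sa_to_entity payments-app payments "$SA_UID"
fi
```

After `apply`, a token issued to the `payments-app` service account resolves `{{identity.entity.metadata.team}}` to `payments`, so the same policy scopes every team to its own `secret/<team>/` subtree.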