Adding a Target instance IP in vault Role for SSH -CA

I am using Hashicorp Vault OSS - 1.4.3.

I was able to install it successfully, However I do have one problem now.

I was able to restrict the source IP address via role for an user to authenticate to vault , retrieve keys and then to access the target machine(has the vault CA keys)

However, I am unable to find a way to add a target IP address in the role for an user. Even if the user has retrieved a key from vault, he should be restricted access to the target server(even if the user is created on that server). Is there any mechanism for that ?