Disallow/add to user-supplied principals


I’ve got a question regarding Vault’s SSH CA backend.

I have two groups of hosts, say groupA and groupB. I have distributed two principals to every host, the hostname (e.g. foo.example.com) and the host’s group (e.g. groupA). I want users to supply the hostname of the host(s) that they want access to, but not the group principal.

I was thinking of creating two roles, one for each group. I haven’t found any way to whitelist all user-supplied principals that describe hostnames (*.example.com), and append the group principal by hardcoding it to the role.

I’ve read SSH CA’s documentation and I can’t seem to find anything relevant to my usecase.
Maybe I can create the whitelist logic in the corresponding policy, but that doesn’t solve the fact that I want to append a default value to the user-supplied principals.