Dynamic ACLs With Vault

Hi All,

I have a team who creates APIs via Mulesoft for other teams to interact with Vault. They are planning to create AppRoles programmatically when deploying a new API. This AppRole will be given to the app team who uses the new API, and they will auth to Vault only to read an existing secret or secrets.

The challenge: I want to create a single policy which they can assign to any AppRole and have it dynamically map to the secret path with the same name as the AppRole.

The issue I’m running into is that I am not sure how to dynamically map that… The AppRole creation does not allow for metadata to be supplied, but the entity which results from AppRole login does. So we could in theory create the AppRole, then edit the entity to apply metadata with the value we want, but that seems wrong… Or, my other thought would be to create a group per AppRole, assign metadata to that group, then apply the policy based on the group metadata like:

kv/path/{{identity.group.metadata.role_name}}

This also seems cumbersome; I am wondering if there is another way to achieve this type of policy without the need for Sentinel.

Thanks,

Ian
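For reference, this is what the group-metadata approach sketched above looks like as a templated ACL policy. It is an added example, not code from the post, and it assumes a KV v2 mount at `kv/`, one identity group per AppRole carrying a metadata key `role_name`, and that the AppRole's entity has been added to that group.

```hcl
# Assumed layout (not from the post): secrets for each AppRole live under
# kv/<role_name>/..., and each AppRole's entity belongs to an identity group
# whose metadata has role_name = "<role_name>".
#
# KV v2 stores values under data/ and versions under metadata/, so both
# prefixes need a path entry. Everything outside the role's own subtree is
# denied by default because no other path is granted.

path "kv/data/{{identity.group.metadata.role_name}}/*" {
  capabilities = ["read"]
}

path "kv/metadata/{{identity.group.metadata.role_name}}/*" {
  capabilities = ["read", "list"]
}

# Templating only resolves if the group actually has the key set; a login
# whose entity is not in a role_name group gets no access at all, which is
# the safe failure mode.
```

Because the policy text never names a specific role, the same policy can be attached to every AppRole; only the group membership and metadata differ per role, which is also what an auditor will check.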