Dynamic group membership based on entity metadata

Hi, I’m implementing SSH key signing as per "Using Vault as an SSH certificate authority" by Brian Candler (Medium). I have a specific Policy called ssh-user and I’ve assigned it to an ssh-user Group to enable this.

Rather than manually adding each and every user to the ssh-user Group, is it possible to have Vault dynamically populate the group based on whether the user’s Entity has a (say) ssh_username metadata key?


AFAIK not automatically but you can write something to do that as a one-off.
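
A one-off sync of the kind suggested in the reply, as an added example that is not from the thread or from Vault's own tooling: it reads every entity over Vault's identity HTTP API and sets the ssh-user group's `member_entity_ids` to the entities that carry an `ssh_username` metadata key. It assumes ssh-user is an internal group and that `VAULT_ADDR` and `VAULT_TOKEN` are set; the function names and the `--apply` switch are this script's own.

```python
import json, os, sys, urllib.request

GROUP = "ssh-user"          # group name from the question
META_KEY = "ssh_username"   # metadata key from the question

def vault(method, path, body=None):
    """Call the Vault HTTP API using VAULT_ADDR and VAULT_TOKEN from the environment."""
    req = urllib.request.Request(
        os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def wanted_members(entities, key=META_KEY):
    """IDs of enabled entities whose metadata has a non-empty `key`."""
    return sorted(
        e["id"] for e in entities
        if not e.get("disabled") and (e.get("metadata") or {}).get(key)
    )

def plan(current, wanted):
    """Return (to_add, to_remove) so the change can be reviewed before applying."""
    cur, want = set(current), set(wanted)
    return sorted(want - cur), sorted(cur - want)

def sync(apply=False):
    # Metadata is read per entity after listing the entity IDs.
    ids = vault("GET", "identity/entity/id?list=true")["data"]["keys"]
    entities = [vault("GET", "identity/entity/id/" + i)["data"] for i in ids]
    group = vault("GET", "identity/group/name/" + GROUP)["data"]
    wanted = wanted_members(entities)
    add, remove = plan(group.get("member_entity_ids") or [], wanted)
    if apply and (add or remove):
        vault("POST", "identity/group/name/" + GROUP, {"member_entity_ids": wanted})
    return add, remove

if __name__ == "__main__":
    add, remove = sync(apply="--apply" in sys.argv)  # dry run unless --apply is given
    print("add:", add)
    print("remove:", remove)
```

The token used needs list and read on `identity/entity/id` and read and update on `identity/group/name/ssh-user`. Because the script replaces the member list, entities that no longer have the key are dropped from the group, which the dry-run output shows under `remove`.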