Dynamic SSH Signing Policy

We are trying to create an SSH signing role where the valid principal is passed from OIDC. We have attempted a policy like this:

```json
{
  "allow_user_certificates": true,
  "valid_principals": "{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}",
  "allowed_users": "{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}",
  "allowed_users_template": true,
  "allowed_extensions": "",
  "default_extensions": {
    "permit-pty": ""
  },
  "key_type": "ca",
  "default_user": "{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}",
  "ttl": "480m0s"
}
```
However, it is literally passing the value {{identity.entity.aliases.auth_oidc_8dc5e18f.name}} into the policy. We have also tried it without quotes, but then it complains about the format.

You have not specified default_user_template. Also, you have specified valid_principals despite it not being a valid parameter for SSH roles.

Thanks so much for the response. I was able to update the role and everything started working.
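Added example, not part of the thread above: a small lint for a Vault SSH CA role definition that catches both problems the answer points out. It flags any templated field whose companion `*_template` flag is not set (without that flag Vault stores the `{{...}}` string literally, which is exactly what the question describes), and it flags role keys it does not recognise, such as `valid_principals`, which is a parameter of the sign request rather than of the role. The allow-list of role parameters is an assumed subset of the documented ones, and `fixed_role` is a hypothetical helper that applies the two corrections from the answer.

```python
import re

# Vault SSH CA role parameters this checker recognises. Assumption: this is a
# subset of the documented set; anything not listed is flagged for review.
KNOWN_ROLE_KEYS = {
    "key_type", "allow_user_certificates", "allow_host_certificates",
    "allowed_users", "allowed_users_template", "default_user",
    "default_user_template", "allowed_extensions", "default_extensions",
    "default_extensions_template", "allowed_critical_options",
    "default_critical_options", "allowed_domains", "allowed_domains_template",
    "ttl", "max_ttl", "key_id_format", "allow_user_key_ids",
    "algorithm_signer", "not_before_duration",
}
# Fields that are only rendered as identity templates when the flag is true.
TEMPLATED_FIELDS = {
    "default_user": "default_user_template",
    "allowed_users": "allowed_users_template",
    "default_extensions": "default_extensions_template",
}
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}")

def _has_template(value):
    # Strings may carry a template directly; maps (default_extensions) in their values.
    if isinstance(value, str):
        return bool(TEMPLATE_RE.search(value))
    if isinstance(value, dict):
        return any(_has_template(v) for v in value.values())
    return False

def check_ssh_role(role):
    """Return a list of findings for a role definition; empty means nothing detected."""
    findings = [f"unknown role parameter: {k}" for k in role if k not in KNOWN_ROLE_KEYS]
    for field, flag in TEMPLATED_FIELDS.items():
        if _has_template(role.get(field)) and not role.get(flag, False):
            findings.append(f"{field} contains a template but {flag} is not true")
    return findings

# The role from the question, constructed here as a dict for the lint to inspect.
POSTED_ROLE = {
    "allow_user_certificates": True,
    "valid_principals": "{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}",
    "allowed_users": "{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}",
    "allowed_users_template": True,
    "allowed_extensions": "",
    "default_extensions": {"permit-pty": ""},
    "key_type": "ca",
    "default_user": "{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}",
    "ttl": "480m0s",
}

def fixed_role(role):
    """Hypothetical helper: drop valid_principals and enable default_user_template."""
    fixed = {k: v for k, v in role.items() if k != "valid_principals"}
    fixed["default_user_template"] = True
    return fixed
```

Run `check_ssh_role` against a role body before writing it to `ssh/roles/<name>`; the corrected role should produce no findings.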