Group metadata in policy templates

I have Vault set up with a working LDAP backend. If I create an external group with an alias, I can assign metadata to it. I was hoping to be able to use that metadata in my policy templates for restricting access to a path, but the group metadata does not seem to be accessible.
I’m looking at https://www.vaultproject.io/docs/secrets/identity and trying identity.entity.metadata.<metadata key> and identity.entity.aliases.<mount accessor>.metadata.<metadata key>, but neither actually passes along the group metadata. My user is correctly associated with the external group, as any policy not relying on the metadata works fine. If I add the metadata to my user object, it works fine as well. What I really need is a way of having the group metadata passed along automatically, or the ability to automatically take properties from my LDAP user object (i.e. group membership) and add them as metadata automatically to my Vault entity so I can use that in policies. Any tips/pointers on how this might be doable are appreciated.

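As an added example (not part of the post above), a templated policy that reads metadata from the identity group itself via identity.groups.names.<group name>.metadata.<metadata key>, which Vault's templated-policies documentation lists alongside the entity and alias parameters, shown next to the entity-metadata form the post says works only when the key is set on the user. It assumes an external identity group named ldap-dev carrying the metadata key env with value dev; both names are illustrative.

```hcl
# Added example, not from the original post.
# Assumed setup: an external identity group named "ldap-dev" (its alias
# points at the LDAP group) created with metadata env=dev, e.g.
#   vault write identity/group name=ldap-dev type=external metadata=env=dev
# The group name in the template is the identity group's name, not the
# name of the LDAP group the alias refers to.

# Entity form: resolves only when "env" is set on the entity (user) itself,
# which is the behaviour the post describes.
path "secret/data/{{identity.entity.metadata.env}}/*" {
  capabilities = ["read", "list"]
}

# Group form: resolves "env" from the metadata of the identity group
# "ldap-dev", so members of that group get secret/data/dev/* without any
# metadata being copied onto their entity.
path "secret/data/{{identity.groups.names.ldap-dev.metadata.env}}/*" {
  capabilities = ["read", "list"]
}
```

The metadata has to live on the Vault identity group (set through identity/group), not on the LDAP group, since the alias only links the two.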