I’ve been doing some experiments with TLS cert authentication with Vault, and it occurs to me that there is a capability gap in how this is implemented: you can enroll a cert and mark which roles tokens generated from it will get, but that requires you to know the cert in advance. It seems like it would be a real expansion of flexibility if, instead of the specific cert, you could specify a subject (and optionally require it to be signed by a specific CA, so you could bucket things based on who signed/created them). That way you could define a subject>role mapping that would persist through a client having their certificates rotated on expiry, and it would allow for far fewer touches.
I had presumed that there would be some capability that works as described above, but I don’t actually see any evidence of it in the documentation.
Does that make sense to anyone besides me? Would anyone be interested in a PR to add such a feature?
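As an added illustration (not code from the post or from Vault), the subject>role mapping proposed above modelled as a small matcher: clients are bucketed by issuing CA and matched on subject CN with a glob, so a rotated cert with the same subject keeps the same policies. The second function shows how such a mapping maps onto Vault cert-auth role fields, where `certificate` can hold a CA certificate and `allowed_common_names` constrains the subject; the CA names, CN patterns and policy names are constructed sample values.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample mapping: issuing-CA bucket -> [(CN glob, policies)].
SUBJECT_ROLE_MAP: Dict[str, List[Tuple[str, List[str]]]] = {
    "internal-ca": [
        ("web-*.example.internal", ["web-secrets"]),
        ("db-*.example.internal", ["db-creds"]),
    ],
    "partner-ca": [
        ("*.partner.example", ["partner-readonly"]),
    ],
}


def policies_for(issuer: str, common_name: str,
                 mapping=SUBJECT_ROLE_MAP) -> List[str]:
    """Policies a client cert receives, keyed on its issuer bucket and
    subject CN rather than on the exact certificate, so rotation of the
    leaf cert does not change the outcome. A CN signed by a CA outside
    its bucket gets nothing. fnmatch is an approximation of Vault's
    '*'-only glob; it also honours '?' and '[]', which Vault does not."""
    found: List[str] = []
    for pattern, pols in mapping.get(issuer, []):
        if fnmatch.fnmatchcase(common_name, pattern):
            found.extend(p for p in pols if p not in found)
    return found


def vault_cert_role_payloads(mapping, ca_pems: Dict[str, str]) -> Dict[str, dict]:
    """Express the same mapping as Vault cert-auth role payloads.
    Each payload is assumed to be written to auth/cert/certs/<name>:
    'certificate' carries the CA PEM (constructed placeholder here),
    'allowed_common_names' the CN glob, 'token_policies' the policies."""
    payloads: Dict[str, dict] = {}
    for ca_name, entries in mapping.items():
        for i, (pattern, pols) in enumerate(entries):
            payloads[f"{ca_name}-{i}"] = {
                "certificate": ca_pems[ca_name],
                "allowed_common_names": [pattern],
                "token_policies": list(pols),
            }
    return payloads
```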