PKI: In a role, how can I set/add certain cert fields as part of the issuance?

We are using the PKI engine in Vault, and would be interested in having our roles forcibly add or set certain parameters (in particular common_name and SANs in this case).

Ideally, we would have the requesting app simply ask to issue a certain role and have Vault issue a Cert with certain pre-defined values. To the best of my ability, I’ve been unable to figure out how to make that work. The pki’s role configuration doesn’t seem to have a setting like “override/set common name to X” or “add SANS x, y, and z to the cert”.

Right now the requestor seems to have to know what policies they must request to get a valid cert to issue, and it’s not exhaustive. (The request may be missing certain important SANs, and the requester would not realize it.)

A developer requests a cert from a role without any parameters.
The PKI role sets the common_name as the identity’s email address.
The PKI role sets SANs for the and some additional special app-specific values (think SPIFFE entries).

Developer receives a fully-specified cert without having to know or replicate all the special values the role specifies.
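One way to get the workflow described above without a role-level "set common_name to X" option is a small issuing helper that owns the fixed values (CN from the identity e-mail, app-specific SPIFFE URI SANs) and calls Vault's issue endpoint on the developer's behalf, while the role's allowed_domains / allowed_uri_sans restrict issuance to those same values server-side. This is an added example, not code from the original post or from Vault; the role name `app`, the trust domain `example.org` and the env-var handling are assumptions.

```python
import json
import os
import urllib.request

# Assumed role name and SPIFFE trust domain (not from the original post).
PKI_ISSUE_PATH = "pki/issue/app"
TRUST_DOMAIN = "example.org"


def build_issue_payload(email: str, app_name: str, ttl: str = "24h") -> dict:
    """Build the body for POST /v1/<PKI_ISSUE_PATH> with the role-owned values.

    The developer supplies only their identity e-mail and the app name; the
    common_name and the SANs are derived here, so the requester never has to
    know or replicate them. The Vault role must still permit these names.
    """
    return {
        "common_name": email,
        # DNS SAN the app always needs (constructed sample pattern).
        "alt_names": f"{app_name}.svc.{TRUST_DOMAIN}",
        # SPIFFE ID carried as a URI SAN; the role's allowed_uri_sans should
        # be set to the same pattern so nothing else can be requested.
        "uri_sans": f"spiffe://{TRUST_DOMAIN}/app/{app_name}",
        "ttl": ttl,
    }


def missing_sans(payload: dict, required: list[str]) -> list[str]:
    """Return the required SAN values that are absent from the request body."""
    present = set()
    for key in ("alt_names", "uri_sans"):
        present.update(v.strip() for v in payload.get(key, "").split(",") if v)
    return [san for san in required if san not in present]


def issue_cert(payload: dict) -> dict:
    """Send the request to Vault; assumes VAULT_ADDR and VAULT_TOKEN are set."""
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/{PKI_ISSUE_PATH}",
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    body = build_issue_payload("dev@example.org", "payments")
    # Refuse to issue if the helper's own required SANs are somehow missing.
    assert not missing_sans(body, ["spiffe://example.org/app/payments"])
    print(issue_cert(body)["certificate"])
```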