PKI templating using identity

Hi, so I have read through this question, where the solution/pre-condition is to add additional metadata. In my case though, I don't think I need any metadata. In my use case, I will be auth'ing using AppRole, and the common name of the issued cert can/should match the AppRole name.

Can anyone advise what the allowed_domains template for the role should be? I have tried various combinations, but keep getting 400 / "common name X not allowed by this role" errors.

The below should work as an end-to-end script, using Docker, to show the error. The pki_int.hcl file is also provided. Thanks!

set -o xtrace
# start vault (dev server; ${location} must be set to a host directory for the log mount)
docker stop vault-demo-vault
docker rm vault-demo-vault
docker run --name vault-demo-vault -v "${location}/log:/var/log" \
    --network dev-network -p 8200:8200 hashicorp/vault:1.14.8 \
    server -dev -dev-root-token-id="root" &

sleep 5

# setup pki
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=root

vault secrets disable pki_int
vault secrets enable -path=pki_int pki

vault write "pki_int/root/generate/internal" \
  common_name="Test CA"

# setup pki role
# Earlier attempts are listed here as plain comments, above the command rather
# than inside it: a comment line inside a backslash-continued command ends the
# continuation, so in the original form allowed_domains_template=true was never
# passed to Vault and the role kept the literal template as its only domain.
# tried   allowed_domains='{{}}'
# tried   allowed_domains='{{identity.entity.metadata.role}}'
# tried   allowed_domains='{{identity.entity.alias.metadata.role}}'
# tried   allowed_domains='{{identity.entity.metadata.role_name}}'
# tried   allowed_domains='{{identity.entity.alias.metadata.role_name}}'
vault write "pki_int/roles/example" \
  ttl=24h \
  allowed_domains='{{identity.entity.alias.metadata.role_name}}' \
  allowed_domains_template=true
#create a new policy to create update revoke and list certificates
vault policy write pki_int pki_int.hcl

# create app role
vault auth enable approle

# token_policies attaches the policy written above; without it the issue call
# is denied (403) before Vault ever checks the common name against the role
vault write auth/approle/role/my-damo-role \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_policies=pki_int
APPROLE_ROLE_ID=$(vault read auth/approle/role/my-damo-role/role-id | awk '/role_id/ {print $2}')
APPROLE_SECRET_ID=$(vault write -f auth/approle/role/my-damo-role/secret-id | awk '$1 == "secret_id" {print $2}')


vault write auth/approle/login \
    role_id=${APPROLE_ROLE_ID} \
    secret_id=${APPROLE_SECRET_ID} | awk '$1 == "token" {print $2}' > approle.token

export VAULT_TOKEN=$(cat approle.token)


vault write -format=json "pki_int/issue/example" \
  common_name=my-damo-role \
  > generated_example.cert.json


path "pki_int/issue/*" {
  capabilities = ["create", "update"]
}

path "pki_int/certs" {
  capabilities = ["list"]
}

path "pki_int/revoke" {
  capabilities = ["create", "update"]
}

path "pki_int/tidy" {
  capabilities = ["create", "update"]
}

path "pki/cert/ca" {
  capabilities = ["read"]
}

path "auth/token/renew" {
  capabilities = ["update"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}

works… which I can get via:

ACCESSOR=$(vault auth list -format=json | jq -r '.["approle/"].accessor')

Not intuitive / well documented. It would be great to have these docs expanded. Also, could anyone comment on whether my approach makes sense and/or why "simply" using identity.entity.metadata.role_name does not work?
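The following is an added example, not the poster's script and not HashiCorp code. It shows the role definition that pins the issued CN to the calling AppRole's name. Two facts drive it: an AppRole login records the role name in the metadata of the entity alias (key `role_name`), not in the entity's own metadata, so `identity.entity.metadata.role_name` resolves to nothing unless someone set that key on the entity by hand; and `identity.entity.alias.metadata` is not a templating parameter, the alias form is `identity.entity.aliases.<mount accessor>.metadata.<key>`, which is why the mount accessor has to be baked into the role. A second caveat the post does not mention: the template resolves to exactly `my-damo-role`, and a CN equal to an allowed domain is a bare domain, so `allow_bare_domains=true` is required or the same "not allowed by this role" error comes back even with the right template. Assumed: the `pki_int` and `approle` mounts and role names from the post, `VAULT_ADDR` and a root `VAULT_TOKEN` in the environment, and jq and openssl on PATH. The helper names `approle_cn_template` and `accessor_from_auth_list` are mine.

```shell
#!/bin/sh
# Added example (not the original post's script): pin the issued CN to the
# name of the AppRole that logged in.
#
# AppRole login stores the role name in the *entity alias* metadata under
# "role_name"; the entity's own metadata stays empty unless set manually.
# The template therefore has to address the alias through the auth mount's
# accessor:  {{identity.entity.aliases.<mount accessor>.metadata.role_name}}
#
# Assumptions: mounts pki_int and approle as in the post, VAULT_ADDR and a
# root VAULT_TOKEN exported, jq and openssl available.
set -eu

# Pure helper: the template string for a given auth mount accessor.
approle_cn_template() {
  printf '{{identity.entity.aliases.%s.metadata.role_name}}' "$1"
}

# Pure helper: accessor of the approle mount, read from
# `vault auth list -format=json` on stdin (sed only, no jq needed).
accessor_from_auth_list() {
  tr -d '\n' | sed -n 's/.*"approle\/" *: *{[^}]*"accessor" *: *"\([^"]*\)".*/\1/p'
}

# Everything below talks to a live Vault and only runs with:  sh example.sh run
demo() {
  accessor=$(vault auth list -format=json | accessor_from_auth_list)

  # The template resolves to the literal role name, so the CN is a *bare*
  # domain: allow_bare_domains must be on (its default is false).
  vault write pki_int/roles/example \
    ttl=24h \
    allowed_domains="$(approle_cn_template "$accessor")" \
    allowed_domains_template=true \
    allow_bare_domains=true \
    allow_subdomains=false

  # The AppRole's tokens need the policy that grants pki_int/issue/*.
  vault write auth/approle/role/my-damo-role \
    secret_id_ttl=10m token_num_uses=10 token_policies=pki_int
  role_id=$(vault read -field=role_id auth/approle/role/my-damo-role/role-id)
  secret_id=$(vault write -f -field=secret_id auth/approle/role/my-damo-role/secret-id)
  app_token=$(vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id")

  # Issue as the AppRole: only CN=my-damo-role is accepted for this login.
  VAULT_TOKEN="$app_token" vault write -format=json pki_int/issue/example \
    common_name=my-damo-role > generated_example.cert.json
  jq -r .data.certificate generated_example.cert.json \
    | openssl x509 -noout -subject

  # Negative check: any other CN must be refused with the 400 from the post.
  if VAULT_TOKEN="$app_token" vault write pki_int/issue/example \
      common_name=other-role >/dev/null 2>&1; then
    echo "unexpected: CN other-role was issued" >&2
    exit 1
  fi
}

if [ "${1:-}" = run ]; then
  demo
fi
```

Because the accessor is generated when the auth method is enabled, the role has to be (re)written after `vault auth enable approle`; disabling and re-enabling the method changes the accessor and silently breaks the template. Role names that are not valid hostname labels (an underscore, for instance) would additionally need `enforce_hostnames=false`.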