Policy templates for approles

I have a number of different microservices, each of which falls under an environment and app name. There are over 10 combinations at the moment, and that number will be growing. I’d like to write simple policies for them to access their own secrets. The policy would look something like the following:

path "secret/{{identity.entity.metadata.environment}}/services/common/*" {
  capabilities = ["read"]
}

path "secret/{{identity.entity.metadata.environment}}/services/{{identity.entity.metadata.service}}/*" {
  capabilities = ["read"]
}

  • Because services are really machines, approle authentication seems most appropriate.
  • Policy templating seems to support reading metadata from identity.entity.metadata; however, I’ve not been able to successfully create an alias for an entity from an approle (userpass is fine, as in the example).
  • approle does not seem to support metadata and policy templating does not seem to expose any access to approle data anyway.

Is this a shortcoming of Vault as of now? Should I just use userpass for the time being?
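The following is an added example, not code from the original post or from Vault itself: a small offline model of how the templated policy above resolves against an entity's metadata, so you can check which paths a given service ends up with before wiring up the real entity. It assumes constructed metadata values (environment "prod", service "billing") and simplifies Vault's semantics to trailing-`*` globs and a fail-closed rule for missing or slash-containing metadata; the comments note the real Vault steps (entity with metadata, then an entity alias named by the approle's role_id) that make the template resolve for an approle login.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the templated rules from the question as (path template, capabilities).
TEMPLATED_RULES: List[Tuple[str, List[str]]] = [
    ("secret/{{identity.entity.metadata.environment}}/services/common/*", ["read"]),
    ("secret/{{identity.entity.metadata.environment}}/services/"
     "{{identity.entity.metadata.service}}/*", ["read"]),
]

# In Vault the metadata comes from the entity the login is aliased to, e.g.:
#   vault write identity/entity name=billing-prod metadata=environment=prod metadata=service=billing
#   vault write identity/entity-alias name=<approle role_id> canonical_id=<entity id> \
#       mount_accessor=<accessor of the approle mount, from `vault auth list`>
TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.metadata\.([A-Za-z0-9_-]+)\}\}")


def render_path(template: str, metadata: Dict[str, str]) -> Optional[str]:
    """Substitute {{identity.entity.metadata.KEY}} from the entity metadata.
    Returns None (rule grants nothing) if a key is missing or a value contains '/',
    so a bad metadata value cannot widen the path. This fail-closed check is
    part of this model, not a documented Vault behaviour."""
    bad = False

    def sub(m: "re.Match[str]") -> str:
        nonlocal bad
        val = metadata.get(m.group(1))
        if val is None or "/" in val:
            bad = True
            return ""
        return val

    rendered = TEMPLATE_RE.sub(sub, template)
    return None if bad else rendered


def path_matches(rule_path: str, request: str) -> bool:
    """Vault-style glob: '*' is only meaningful as the trailing character."""
    if rule_path.endswith("*"):
        return request.startswith(rule_path[:-1])
    return request == rule_path


def is_allowed(metadata: Dict[str, str], request: str, capability: str) -> bool:
    """True if any rendered rule covers the request path with the capability."""
    for template, caps in TEMPLATED_RULES:
        rendered = render_path(template, metadata)
        if rendered is not None and path_matches(rendered, request) and capability in caps:
            return True
    return False
```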