Pre-populate SSH CA fields in Vault UI?

I’m using SSH CA from the CLI and it’s working great, the users don’t really need to know anything of the Vault internals, just run some one-liner to sign their public key.

But I want them to use the vault web UI for some scenarios and I am enforcing some values in their role such as:

"valid_principals" = ["bofh"],
"allowed_users" = ["bofh"],

"allowed_critical_options" = " ",
"default_critical_options" = {
  "source-address" = "1.2.3.0/24"
}

This is totally transparent as long as they run:
vault write -field=signed_key someca/sign/ssh_sign public_key=@public.pub > public-cert.pub

When a user is going to sign their public SSH key with my CA in the web UI, they need to enter lots of information manually into the web forms in the Vault UI, otherwise the Vault UI will just think that you provide empty data for enforced options etc.

Is there a way around this?
Like having Vault pre-populate the “valid principal” field and “Critical options” based on what’s in the role.

If I don’t enter this info into the fields it’ll just throw this error:

"Error: 1 error occurred: * permission denied "

Some interesting find here.

If I log in with the root token, go to the SSH CA path, only insert my public key and press “sign”, it all works and I get my signed public key with all my enforced default values.

But as a normal user via the UI this gives “permission denied” instead. Can’t figure out what the UI wants that the CLI tool doesn’t…

I’m becoming really good at solving problems with myself in public forums.

The issue here was probably that the UI didn’t assign the correct role automatically; this was done when signing in via the CLI using “role=” hehe…

allowed_redirect_uris="blabla/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback"
groups_claim="groups"
policies="blarghpolicy" ← set this correctly!
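
The failure mode this thread ends on, as an added example that is not code from the poster or from Vault: a simplified model of Vault's ACL check (exact path beats the longest trailing-`*` prefix, `deny` overrides) showing why the same sign request works for root and for a token carrying the role's policy but is refused for a token holding only `default`. The contents of `default` and `blarghpolicy` are constructed assumptions, since the thread does not show them.

```python
# Simplified model of Vault ACL evaluation: exact path beats the longest
# trailing-"*" prefix, and "deny" overrides everything else.
SIGN_PATH = "someca/sign/ssh_sign"  # path from the CLI command in the thread

POLICIES = {  # constructed: the thread does not show these policies' contents
    "default": {"auth/token/lookup-self": ["read"]},
    "blarghpolicy": {"someca/sign/ssh_sign": ["update"]},
}


def _specificity(pattern, path):
    """Return a sort key if pattern matches path, else None."""
    if pattern == path:
        return (1, len(pattern))          # exact match always wins
    if pattern.endswith("*") and path.startswith(pattern[:-1]):
        return (0, len(pattern) - 1)      # longer glob prefix is more specific
    return None


def capabilities(token_policies, path, policies=POLICIES):
    """Capabilities a token holding token_policies has on path."""
    if "root" in token_policies:
        return {"root"}                   # root bypasses ACL checks entirely
    best, caps = None, set()
    for name in token_policies:
        for pattern, granted in policies.get(name, {}).items():
            key = _specificity(pattern, path)
            if key is None or (best is not None and key < best):
                continue
            if best is None or key > best:
                best, caps = key, set()   # more specific rule replaces earlier ones
            caps |= set(granted)          # same rule in several policies: union
    if "deny" in caps or not caps:
        return {"deny"}                   # no matching rule means implicit deny
    return caps


def can_sign(token_policies):
    """`vault write` on the sign endpoint needs the update capability."""
    return bool(capabilities(token_policies, SIGN_PATH) & {"root", "update"})


if __name__ == "__main__":
    cases = [("root token", ["root"]),
             ("CLI login, role attaches blarghpolicy", ["default", "blarghpolicy"]),
             ("UI login, role policy missing", ["default"])]
    for label, pols in cases:
        print(f"{label:40} -> {'signed' if can_sign(pols) else 'permission denied'}")
```

Against a live server, `vault token capabilities someca/sign/ssh_sign` run with the UI-issued token answers the same question directly.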