Support for service identities in Consul secrets engine

Hi all,
I’m experimenting with having Vault generate Consul ACL tokens. For example, if I have a policy in Consul called “consul-p1”, I can use the following commands to configure the Consul secrets engine:

vault secrets enable consul
vault write consul/config/access address=127.0.0.1:8500 token=<consul mgmt token>
vault write consul/roles/service-acls policies=consul-p1

A read on the service-acls role returns a Consul token as expected. However, I’m currently creating most of my Consul auth tokens using service identities instead of explicit policies. Is there any way to configure Vault to issue tokens against a service identity instead of a policy?

I can’t find anything in the Consul secrets engine docs, and when I look through the output of various consul acl list commands, I don’t see an explicit policy associated with the service identity either.

Cheers,

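As an added illustration, not part of the original thread: the poster notes that a service identity never shows up as an explicit policy in the `consul acl` listings, so checking what a token was actually issued with needs a look at the token itself. The script below, which assumes token JSON in the shape produced by `consul acl token read -format=json` (the samples are constructed, with placeholder accessor IDs), reports the kinds of grants a token carries, whether policies, roles, service identities or node identities, so a token issued by a Vault role can be checked for a service identity rather than only for named policies.

```python
# Constructed samples in the shape of `consul acl token read -format=json`
# output; accessor IDs are placeholders, not real Consul tokens.
SAMPLE_TOKENS = [
    {
        "AccessorID": "00000000-0000-0000-0000-000000000001",
        "Description": "issued by Vault role service-acls",
        "Policies": [{"ID": "policy-id-placeholder", "Name": "consul-p1"}],
        "Roles": [],
        "ServiceIdentities": [],
    },
    {
        "AccessorID": "00000000-0000-0000-0000-000000000002",
        "Description": "created by hand with a service identity",
        "Policies": [],
        "ServiceIdentities": [{"ServiceName": "web", "Datacenters": ["dc1"]}],
    },
]

# Token field holding each kind of grant, and the key that names an entry.
GRANT_KINDS = {
    "policies": ("Policies", "Name"),
    "roles": ("Roles", "Name"),
    "service_identities": ("ServiceIdentities", "ServiceName"),
    "node_identities": ("NodeIdentities", "NodeName"),
}

def grant_sources(token):
    """Return the token's privilege sources, grouped by kind."""
    # A service identity is not a named policy: Consul synthesizes its
    # policy when the token is evaluated, so policy listings never show it.
    return {
        kind: sorted(entry[name_key] for entry in token.get(field) or [])
        for kind, (field, name_key) in GRANT_KINDS.items()
    }

def uses_service_identity(token, service=None):
    """True if the token carries a service identity (optionally for `service`)."""
    names = grant_sources(token)["service_identities"]
    return bool(names) if service is None else service in names

def audit(tokens):
    """Map accessor ID -> grant sources, flagging tokens that grant nothing."""
    report = {}
    for token in tokens:
        sources = grant_sources(token)
        sources["no_grants"] = not any(sources.values())
        report[token["AccessorID"]] = sources
    return report
```

Feed it the output of `consul acl token read -format=json` for a token read from the Vault role to see whether it carries only the named policy or a service identity as well.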

I’m wondering about the same thing.