I am designing a Vault solution where each VM receives a token that includes two separate templated policies for customer-specific data stored in Consul KV and protected via Consul ACL. The first policy grants access to tenant-specific VM data stored in Consul KV.
The other policy allows this VM to renew the Consul cluster ACL token.
Each customer has distinct metadata parameters (tenant-specific parameters for the first policy, datacenter-specific parameters for the second policy). These metadata parameters do not overlap.
My initial approach is to use a separate identity entity with corresponding aliases, storing metadata for both policies within the entity’s metadata. However, this might significantly increase the number of identities.
Is there a recommended way or best practice to reduce the number of identities needed in such a scenario, while still allowing me to utilize metadata-driven templating in policies?
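For readers following the setup described in the post, here is what the two metadata-driven templated policies look like in Vault policy HCL. This is an added illustration, not code from the original post or from HashiCorp; the mount paths (`secret/`, `consul/`), the Consul secrets-engine role naming, and the entity metadata keys `tenant_id` and `datacenter` are assumptions chosen for the example. The two commented sections are two separate policy files, not one policy.

```hcl
# Added example, not from the original post. Assumed layout:
#   - KV v2 secrets engine mounted at "secret/"
#   - Consul secrets engine mounted at "consul/", with one role per datacenter
#     named "<datacenter>-vm"
#   - entity metadata keys "tenant_id" and "datacenter" set on each VM's entity

# ---- file 1: tenant-vm-data.hcl ----------------------------------------
# Read-only access to the tenant's own subtree. The tenant_id is taken from
# the metadata of the entity the token belongs to at request time, so the
# same policy document serves every tenant without per-tenant edits.
path "secret/data/tenants/{{identity.entity.metadata.tenant_id}}/*" {
  capabilities = ["read"]
}
path "secret/metadata/tenants/{{identity.entity.metadata.tenant_id}}/*" {
  capabilities = ["list", "read"]
}

# ---- file 2: consul-dc-token.hcl ---------------------------------------
# Lets the VM request a Consul ACL token for its own datacenter from the
# Consul secrets engine, and renew the resulting lease. The datacenter value
# is again resolved from entity metadata.
path "consul/creds/{{identity.entity.metadata.datacenter}}-vm" {
  capabilities = ["read"]
}
path "sys/leases/renew" {
  capabilities = ["update"]
}
```

Load each file with `vault policy write <name> <file>`, then create the entity with both metadata keys and both policies attached (`vault write identity/entity name=vm-42 metadata=tenant_id=acme metadata=datacenter=dc1 policies=tenant-vm-data,consul-dc-token`) and bind the VM's auth identity to it with `vault write identity/entity-alias name=<auth name> canonical_id=<entity id> mount_accessor=<auth mount accessor>`. Two practitioner caveats: the entity metadata is the trust anchor here, since whoever can write `identity/entity/*` can move a VM into another tenant's subtree, so that path must be restricted to the provisioning pipeline; and Vault also exposes alias-level metadata to templates as `{{identity.entity.aliases.<mount accessor>.metadata.<key>}}`, which is worth knowing when deciding where the tenant and datacenter parameters should live.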
What is the purpose of Vault in this solution? Unless I am misunderstanding, why not just auth directly to Consul? Or are you using Consul as your Vault storage backend?
I am using Vault to store and access secrets and for Consul