TLS Certificate auth method, and policy templates referring to OID extensions

So I’m trying to use the cert auth method and assign a policy to clients that authenticate with it. All of the valid certs I want to work should have a specific required_extension, and I would like to have access to those extensions to insert into a policy.

I know there are are metadata attributes available in identity.entity.aliases.<mount accessor>.metadata.<metadata key> But there doesn’t appear to be any other data populated into the entities created from my TLS cert auth.

Is there a general approach for this that I am missing?

Those extensions are not currently populated into metadata. But you also can’t put metadata into a policy. What are you trying to do?

Using certs that are generate and signed by a puppet server’s CA with the PP_ENVIRONMENT (oid: 1.3.6.1.4.1.34380.1.1.12) extension embedded.

After authenticating with a valid cert I want to only allow it to read from a specific kv backend path. Something like this (Replace {{environment}} with the PP_ENVIRONMENT value embedded in the cert):

#Access to certname specific data
path "secret/puppet/{{environment}}/certname/{{identity.entity.aliases.<mount accessor>.name}}/*" {
    capabilities = [ "read", "list" ]
}
#Access to environment specific data
path "secret/puppet/{{environment}}/environment/*" {
    capabilities = [ "read" ]
}
#Access to general data
path "secret/puppet/common/*" {
    capabilities = [ "read" ]
}

According to: https://www.vaultproject.io/docs/concepts/policies/ metadata should be available in policy templates:

identity.entity.aliases.<mount accessor>.metadata.<metadata key> Metadata associated with the alias for the given mount and metadata key

What’s available there is what the auth method actually writes into metadata; I do not believe the contents of OID extensions is one of those values. It potentially could be – you could propose a PR on the issue tracker and see if that change would be accepted.