Vault agent template: supplying map field to the ssh ca secret engine

Hi, hopefully I haven’t missed some documentation in some obvious place, but I can’t seem to get this to work.

Vault Agent version: 1.15.4, Vault server version: 1.14.8

I’m trying to get vault agent to generate my id_ed25519-cert.pub file. However, I need to specify the extensions field, which expects a map<string:string>, and I can’t get the syntax right.

In my agent.hcl:

template {
  # secrets/ssh-ca-sign-admin/sign/admin-debian-user.json
  contents = <<EOF
{{- with secret "ssh-ca-sign-admin/sign/admin-debian-user.json"
                "public_key=ssh-ed25519 AAAAC3Nza ... A3v+/JRYm7j "
                "valid_principals=helpdesk,exploitatie"
                "extensions=permit-pty,permit-port-forwarding,permit-agent-forwarding"
}}
{{ .Data.signed_key }}
{{- end }}
EOF
  destination = "/home/peter-vanbiesen/creds.out"
  error_on_missing_key = true
}

I always get:

* Field validation failed: error converting input permit-pty for field "extensions": '' expected a map, got 'string' (retry attempt 5 after "4s")

I tried several syntaxes, to no avail, e.g.:

"extensions={ \"permit-pty\": \"\", \"permit-port-forwarding\": \"\", \"permit-agent-forwarding\": \"\" }"
"extensions=permit-pty,permit-port-forwarding,permit-agent-forwarding"

Is there a way to do this?

Maybe this is related to this issue: SSH Map Fields · Issue #2569 · hashicorp/vault · GitHub
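
Added example, not part of the original post and not HashiCorp's code: the error above says `extensions` must arrive as a map, which over the HTTP API means a JSON object whose keys are the extension names and whose values are empty strings. This Python sketch builds that body for the mount and role named in the template and, only when `VAULT_ADDR` and `VAULT_TOKEN` are set, posts it to the sign endpoint; the helper names and the placeholder key are assumptions, and it calls the API directly rather than going through the agent template.

```python
import json
import os
import urllib.request

# Mount and role names are taken from the template in the post.
SIGN_PATH = "ssh-ca-sign-admin/sign/admin-debian-user.json"


def names_to_map(csv):
    """Turn 'a,b,c' into {'a': '', 'b': '', 'c': ''}: flag-style SSH
    extensions are map keys whose value is the empty string."""
    return {name.strip(): "" for name in csv.split(",") if name.strip()}


def build_sign_body(public_key, principals, extensions_csv):
    """Request body for POST /v1/<mount>/sign/<role> (hypothetical helper)."""
    return {
        "public_key": public_key,
        "valid_principals": principals,  # stays a comma-separated string
        "extensions": names_to_map(extensions_csv),  # JSON object, not a string
    }


def sign(addr, token, body, path=SIGN_PATH):
    """Send the body to Vault and return the signed certificate text."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}",
        data=json.dumps(body).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]["signed_key"]


if __name__ == "__main__":
    # Constructed placeholder key; substitute the real public key line.
    body = build_sign_body(
        "ssh-ed25519 AAAA...constructed-placeholder",
        "helpdesk,exploitatie",
        "permit-pty,permit-port-forwarding,permit-agent-forwarding",
    )
    print(json.dumps(body, indent=2))
    if os.environ.get("VAULT_ADDR") and os.environ.get("VAULT_TOKEN"):
        print(sign(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], body))
```

The role's `allowed_extensions` setting still decides which of the requested extensions Vault will accept.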