[Issue / Question] Is the role missing metadata alias entity ? #111

Open
ylorenzati opened this issue Sep 9, 2021 · 4 comments

Comments

@ylorenzati

Hi folks,

TL;DR: Is the role missing from the entity alias metadata, or is this a documentation issue?

I was following this documentation about ACL policy templating and k8s auth. It says:

> For the Kubernetes Authentication method, the available metadata keys can be found in the Login endpoint API Sample Response.

When I look at the sample response from here:

```json
"metadata": {
  "role": "test",
  "service_account_name": "vault-auth",
  "service_account_namespace": "default",
  "service_account_secret_name": "vault-auth-token-pd21c",
  "service_account_uid": "aa9aa8ff-98d0-11e7-9bb7-0800276d99bf"
},
```

I see that role should be available in the template, but it did not work.

When I take a look at the code:

```go
auth := &logical.Auth{
	Alias: &logical.Alias{
		Name: serviceAccount.uid(),
		Metadata: map[string]string{
			"service_account_uid":         serviceAccount.uid(),
			"service_account_name":        serviceAccount.name(),
			"service_account_namespace":   serviceAccount.namespace(),
			"service_account_secret_name": serviceAccount.SecretName,
		},
	},
	InternalData: map[string]interface{}{
		"role": roleName,
	},
	Metadata: map[string]string{
		"service_account_uid":         serviceAccount.uid(),
		"service_account_name":        serviceAccount.name(),
		"service_account_namespace":   serviceAccount.namespace(),
		"service_account_secret_name": serviceAccount.SecretName,
		"role":                        roleName,
	},
	DisplayName: fmt.Sprintf("%s-%s", serviceAccount.namespace(), serviceAccount.name()),
}
```

I see the role is in the entity metadata but not in the entity alias metadata. From what I understand, we can only use the entity alias metadata for ACL templating (I tried to use the entity metadata directly but failed to use it).

So here is my question: is this a documentation issue, or should we add the role to the entity metadata, or am I missing something else?

Thanks in advance for your help / explanation :)
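As an added illustration, not code from the plugin or from this issue, the Go program below models the two metadata maps from the snippet above and a simplified alias-metadata template resolver, so the difference the reporter hit (`service_account_namespace` resolves, `role` does not) can be reproduced locally. `Auth`, `k8sAuth`, `renderPath` and the mount accessor `auth_kubernetes_EXAMPLE` are constructed names, and Vault's real policy renderer is not modelled here; this version simply reports an error for a key that is absent from the alias metadata.

```go
package main

import (
	"fmt"
	"regexp"
)

// Auth is a constructed stand-in for the two metadata maps in the issue's
// logical.Auth snippet; it is not the Vault SDK type.
type Auth struct {
	AliasMetadata map[string]string // logical.Auth.Alias.Metadata
	Metadata      map[string]string // logical.Auth.Metadata
}
// k8sAuth fills the maps the way the snippet does: "role" only reaches Metadata.
func k8sAuth(uid, name, ns, secret, roleName string) Auth {
	alias := map[string]string{
		"service_account_uid":         uid,
		"service_account_name":        name,
		"service_account_namespace":   ns,
		"service_account_secret_name": secret,
	}
	meta := map[string]string{"role": roleName}
	for k, v := range alias {
		meta[k] = v
	}
	return Auth{AliasMetadata: alias, Metadata: meta}
}
// tmpl matches {{identity.entity.aliases.<accessor>.metadata.<key>}}.
var tmpl = regexp.MustCompile(`\{\{identity\.entity\.aliases\.([^.}]+)\.metadata\.([^}]+)\}\}`)

// renderPath is a local model of alias templating, not Vault's renderer: it
// substitutes keys from Alias.Metadata and errors on a key absent there.
func renderPath(path, accessor string, a Auth) (string, error) {
	var err error
	out := tmpl.ReplaceAllStringFunc(path, func(m string) string {
		sub := tmpl.FindStringSubmatch(m)
		if sub[1] != accessor {
			err = fmt.Errorf("unknown mount accessor %q", sub[1])
			return m
		}
		v, ok := a.AliasMetadata[sub[2]]
		if !ok {
			err = fmt.Errorf("alias metadata has no key %q", sub[2])
			return m
		}
		return v
	})
	return out, err
}
```

Run it with `go test` after adding a test that calls `renderPath` with a template using `service_account_namespace` and one using `role`; the second returns the missing-key error.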

@ylorenzati ylorenzati changed the title [Issue / Question] [Issue / Question] Is the role missing metadata alias entity ? Sep 9, 2021
@tomhjp
Contributor

tomhjp commented Mar 31, 2022

Hi 👋 thanks for including all the detail and links.

> I see role should be available in the template but It did not work.

What's the key you used here, and what was the error? I haven't tested this recently, but I believe the role should be accessible via `identity.entity.metadata.<metadata key>`, i.e. `identity.entity.metadata.role`.

@ylorenzati
Author

👋
`identity.entity.metadata` is empty for k8s resources,
but `identity.entity.aliases` is not.
It contains: `service_account_uid`, `service_account_name`, `service_account_namespace`, `service_account_secret_name`,
but not the role. Basically my question is: why not the role?

@tomhjp
Contributor

tomhjp commented Apr 5, 2022

There's no strong reason AFAICT to exclude role from alias metadata. We can add that.

As for `identity.entity.metadata` being null, it turns out I misunderstood and that's actually behaving as expected.

@ylorenzati
Author

ylorenzati commented Apr 7, 2022

> There's no strong reason AFAICT to exclude role from alias metadata. We can add that.

So can I make a PR, or do you prefer to handle that yourself?
