Private DNS name of AWS EC2 instance cannot be used for templated policies #25413

Open
ikraemer-dd opened this issue Feb 14, 2024 · 1 comment

ikraemer-dd commented Feb 14, 2024

Is your feature request related to a problem? Please describe.
I use the IAM AWS auth method from EC2 instances to generate TLS certificates. I’d like to be able to enforce that the common name of the issued certificate is the private DNS name of the requesting instance (ip-10-x-x-x.ec2.internal). This guarantees that the identity of the EC2 instance, as presented in the TLS certificate, is trustworthy.

Describe the solution you'd like
I think templated policies are a way to do this.

Today, with Identity Integration, it’s already possible to leverage templated policies to control that the common name is “<auth_metadata>”, where <auth_metadata> is one of account_id, auth_type, canonical_arn, client_arn, client_user_id, inferred_aws_region, inferred_entity_id, inferred_entity_type (see the error message for `vault write auth/aws/config/identity iam_metadata=xxx`).

Adding a new type of authentication metadata to Vault entities and populating it with the instance's private DNS name (which is already retrieved in the validateInstance method) would solve this problem.

Explain any additional use-cases
More generically, this can also be used to restrict access to Vault's secrets based on the EC2 instance's private DNS name.
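The mechanism the issue relies on, as an added example (this is not code from the issue, from Vault's documentation, or from the PR): a Vault ACL policy that uses identity templating to pin the `common_name` a caller may request from a PKI role. Everything specific here is an assumption: the AWS auth mount accessor `auth_aws_6a4b9c2d`, the PKI role path `pki/issue/ec2`, and the use of `canonical_arn` as the pinned field. `canonical_arn` is one of the metadata keys the issue lists as available today; a private-DNS key would slot into the same template once the auth method populates it.

```hcl
# Added example, not the project's own policy.
# Assumptions: the AWS auth method is mounted with accessor auth_aws_6a4b9c2d
# (`vault auth list` shows the real value), the PKI role is pki/issue/ec2, and
# identity metadata has been enabled with
#   vault write auth/aws/config/identity iam_metadata=canonical_arn
# Vault renders the {{ ... }} template against the caller's entity alias before
# evaluating the policy, so the allowed value is per-caller.
path "pki/issue/ec2" {
  capabilities = ["update"]

  # The caller must send common_name, and the only accepted value is the
  # canonical ARN recorded on its own AWS auth alias.
  required_parameters = ["common_name"]
  allowed_parameters = {
    "common_name" = ["{{identity.entity.aliases.auth_aws_6a4b9c2d.metadata.canonical_arn}}"]
    # Any TTL is fine; an empty list means "any value".
    "ttl" = []
  }

  # Pinning the CN alone is not enough: clients validate SANs, and a caller
  # could otherwise put an arbitrary name in a SAN. Deny every SAN parameter
  # (empty list = no value is allowed).
  denied_parameters = {
    "alt_names"  = []
    "ip_sans"    = []
    "uri_sans"   = []
    "other_sans" = []
  }
}
```

Load it with `vault policy write ec2-cert ec2-cert.hcl` and attach it to the AWS auth role. Two caveats worth checking before trusting it: if the caller's alias lacks the referenced metadata key (for example because `iam_metadata` was configured after the entity alias was created, or the wrong accessor was used), ACL templating substitutes an empty string rather than failing, so confirm the rendered behaviour with a real login and `vault token capabilities`; and `allowed_parameters` only constrains what the caller sends, so the PKI role itself should not supply a default or permissive `allowed_domains` that bypasses the pin.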

kpcraig commented May 2, 2024

I think we can close this as resolved due to the PR merging?

3 participants