Add pki/issue_by_cn/<cn> endpoint #6706

Closed
mattmb opened this issue May 9, 2019 · 10 comments

Comments

@mattmb

mattmb commented May 9, 2019

Is your feature request related to a problem? Please describe.
I was disappointed to find that the pki/issue/<role> endpoint leaves me with no way to restrict the domain (CN) of the cert to the user's name. The use case is to use Vault to issue user certificates and to only allow issuing certificates with the user's name in the CN. I can kinda achieve this by creating 1 role per user programmatically and then creating a policy that only allows pki/issue/{{identity.entity.aliases.<auth_backend>.name}}. However, this is tedious because I must create roles automatically when users are added, i.e., sync LDAP or whatever with the roles in Vault.

Describe the solution you'd like
How about we add pki/issue_by_cn/<cn> which takes role in the body. This could then be restricted with a policy like pki/issue_by_cn/{{identity.entity.aliases.<auth_backend>.name}} and I would only need 1 role for all my users. This would just be an additional endpoint, not suggesting we change the existing ones.

Describe alternatives you've considered
Templating the parameters has been considered in #6558 and more generally doesn't seem to be in the plans.
#4157 considers checking token metadata.

Additional context
I think issuing client certs that have a CN matching the username with the PKI backend is an obvious use case and the above issues + https://groups.google.com/forum/#!topic/vault-tool/88CRNUIEG8Y show other people have wanted this.
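The role-per-user workaround described above, as an added example (not Vault's code or the issue author's): a small provisioning script that runs on every directory sync, creating a PKI role that can only issue a client cert whose CN is exactly the username, plus a single policy whose path is templated on the caller's identity alias. VAULT_ADDR, VAULT_TOKEN, the PKI mount name "pki", the policy name "pki-user" and AUTH_ACCESSOR are assumptions; the accessor is a placeholder for the real one shown by `vault auth list`.

```python
"""Workaround from the issue: one PKI role per user plus one templated policy.
Added example (not Vault's or the issue author's code). Assumes VAULT_ADDR/VAULT_TOKEN
point at a Vault with a PKI engine mounted at "pki"; AUTH_ACCESSOR is a placeholder."""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
AUTH_ACCESSOR = "auth_ldap_00000000"  # placeholder accessor of the LDAP auth mount

def role_payload(username: str, max_ttl: str = "24h") -> dict:
    """PKI role that can only issue a client cert whose CN is exactly `username`."""
    return {
        "allowed_domains": [username],
        "allow_bare_domains": True,   # CN may equal the allowed domain itself
        "allow_subdomains": False,    # no <anything>.<username>
        "allow_glob_domains": False,
        "allow_any_name": False,
        "enforce_hostnames": False,   # usernames are not hostnames
        "client_flag": True,
        "server_flag": False,
        "max_ttl": max_ttl,
    }

def user_policy_hcl(accessor: str) -> str:
    """One policy for all users: the path segment is resolved per caller from the
    entity alias name, so alice can only reach pki/issue/alice (her own role)."""
    return (
        'path "pki/issue/{{identity.entity.aliases.%s.name}}" {\n'
        '  capabilities = ["create", "update"]\n'
        "}\n" % accessor
    )

def _vault_put(path: str, body: dict) -> int:
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}", data=json.dumps(body).encode(), method="PUT",
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

def sync_roles(usernames) -> None:
    """Run on every directory sync: (re)create the per-user roles and the policy."""
    for name in usernames:
        _vault_put(f"pki/roles/{name}", role_payload(name))
    _vault_put("sys/policies/acl/pki-user", {"policy": user_policy_hcl(AUTH_ACCESSOR)})

if __name__ == "__main__":
    sync_roles(["alice", "bob"])  # constructed sample user list
```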

@qk4l
Contributor

qk4l commented Aug 15, 2019

It's really strange that there are no restrictions based on CN in one PKI role.
A PKI role is more fundamental, and it's nasty to create a role per host if we need a certificate per host based on their FQDN.

I see that controlling CN through policies, which support templates, is more suitable than adding templates to the PKI role - #7216

@fcomte

fcomte commented Sep 12, 2019

Hello,

I have this use case too 👍

I was trying:

```hcl
path "pki/issue/server" {
  capabilities = ["create"]
  allowed_parameters = {
    "common_name" = ["{{identity.entity.aliases.auth_jwt_2ba4da2e.name}}.domaine.name"]
    "*" = []
  }
}
```

It seems that templating is not working on fine grained access control... ?

@jefferai
Member

Templating in policies is only supported in policy paths, at least for now.

@mattmb
Author

mattmb commented Sep 16, 2019

@jefferai what do you think about my suggested solution? Would you be happy to accept a PR to add an endpoint as described? If so I could probably work on it or find someone on my team to work on it.

@carnei-ro

Same scenario here.

@nvx
Contributor

nvx commented Mar 31, 2020

Any update on this or #6558 / #7216? I feel like just limiting it to CN would be too restrictive so to me extending the templating to support the allowed/required parameters options seems like a more general solution but those seem stalled?

@mattmb
Author

mattmb commented Jul 16, 2020

I think #8509 might solve the problem?

@qk4l
Contributor

qk4l commented Jul 16, 2020

@mattmb Yes, you are right. Check also #9498, which improves that solution.

@HridoyRoy
Contributor

Hi folks,
Is this issue good to close, given #8509 and #9498 have been merged?
Thanks!

@sgmiller
Collaborator

Agreed, closing for now. Please reopen if those features do not solve your problem.
