[FEATURE REQUEST] Vault: Issue identities to minions #62823
Labels: Feature, needs-triage, Vault
Is your feature request related to a problem? Please describe.
Managing Vault token policies and secrets for minions is insecure or cumbersome. To securely assign ACL policies to issued tokens, respecting the principle of least privilege, one needs to create a separate policy for each minion. This can also lead to secret duplication once several minions need access to the same data (~ minion roles).
Describe the solution you'd like
Salt should issue AppRoles to minions, which are bound to an identity. It should write metadata to the associated entity, which can then be used to template ACL policies on the Vault side, reducing the need for boilerplate policies (and data duplication) a lot:
Note that Vault does not allow arrays for metadata, hence minions can only have a single role in this scenario.
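One way the templated-policy approach described above could be wired up, as an added example that is not part of the issue or the salt project. It assumes a KV v2 mount at `salt/`, a metadata key named `role`, a policy called `minion-role`, and an already authenticated `vault` CLI (`VAULT_ADDR`/`VAULT_TOKEN` exported); the Vault commands run only when invoked with `enroll`.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the salt project): one templated ACL
# policy for all minions, plus the CLI steps that bind a minion's AppRole to
# an identity entity carrying "role" metadata. Assumed names: KV v2 mount
# "salt/", metadata key "role", policy "minion-role".
set -e

# Vault substitutes the entity name and its single "role" metadata value at
# request time, so no per-minion policy is needed.
render_policy() {
  cat <<'EOF'
# Per-minion secrets, readable only by the entity whose name matches.
path "salt/data/minions/{{identity.entity.name}}/*" {
  capabilities = ["read"]
}
# Secrets shared by all minions of one role (metadata is a flat map,
# so a minion carries exactly one role).
path "salt/data/roles/{{identity.entity.metadata.role}}/*" {
  capabilities = ["read"]
}
EOF
}

# Register one minion: AppRole -> entity (with role metadata) -> alias.
# $1 = minion id, $2 = role name. Prints the role_id and secret_id that
# the master would hand to the minion.
enroll_minion() {
  minion="$1"; role="$2"
  render_policy | vault policy write minion-role -
  vault write "auth/approle/role/minion-$minion" \
    token_policies="minion-role" token_ttl=1h token_max_ttl=4h >/dev/null
  role_id=$(vault read -field=role_id "auth/approle/role/minion-$minion/role-id")
  entity_id=$(vault write -field=id identity/entity \
    name="minion-$minion" metadata="role=$role")
  accessor=$(vault read -field=accessor sys/auth/approle)
  # For AppRole the alias name is the role_id; this ties every login
  # with that role to the entity (and thus to its metadata).
  vault write identity/entity-alias name="$role_id" \
    canonical_id="$entity_id" mount_accessor="$accessor" >/dev/null
  secret_id=$(vault write -f -field=secret_id \
    "auth/approle/role/minion-$minion/secret-id")
  printf 'role_id=%s\nsecret_id=%s\n' "$role_id" "$secret_id"
}

# Usage: sh enroll.sh enroll web01 webserver   (requires the vault CLI)
if [ "${1:-}" = "enroll" ]; then
  enroll_minion "$2" "$3"
fi
```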
Describe alternatives you've considered
Additional context
https://discuss.hashicorp.com/t/saltstack-vault-and-host-role-policies/19214