bloomberg / vault-auth-spire

vault-auth-spire is an authentication plugin for HashiCorp Vault which allows logging into Vault using a SPIRE-provided SVID.

Discussion: Convert SPIFFE ID into a list of Vault policy IDs

dennisgove opened this issue · comments

One of the pieces of data returned from the pathAuthLogin method is a list of Vault policy ids to apply to the login session. A core component of this plugin will be to generate those policy IDs from the SPIFFE ID contained in the SVID.

Purpose: Discuss the logic used to convert a SPIFFE ID into a list of policy IDs.

Problem

Given some SPIFFE ID like spiffe://trust-domain/path what is the best way to generate a list of Vault policy IDs such that different structures of SPIFFE IDs and Vault policy IDs can be supported? Ideally this plugin will not place any unnecessary requirements on the structures of either of those identifiers (if any requirements at all).

Thoughts

I'd suggest that a static translation (i.e., one that cannot take alternative structures into account) is something to avoid. Ideally the plugin can support some level of translation logic provided by the administrators of the Vault instance, whether via code, plugin, or some type of templating.
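One way the administrator-supplied templating suggested above could look, as an added example that is not the plugin's own code: each policy is a Go text/template (the config setting, type and function names here are assumed) rendered against the parsed SPIFFE ID, and an ID from another trust domain, or one that a template cannot be rendered for, fails the login instead of producing a partial policy list.

```go
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"strings"
	"text/template"
)

// spiffeParts holds the pieces of a SPIFFE ID that a policy template may reference.
type spiffeParts struct {
	TrustDomain string
	Path        string   // path without the leading slash, e.g. "ns/prod/sa/web"
	Segments    []string // Path split on "/"
}

// parseSPIFFEID splits spiffe://trust-domain/path and rejects anything that is not a SPIFFE ID in the trusted domain.
func parseSPIFFEID(id, trustDomain string) (spiffeParts, error) {
	u, err := url.Parse(id)
	if err != nil || u.Scheme != "spiffe" || u.Host != trustDomain {
		return spiffeParts{}, fmt.Errorf("rejecting %q: not a SPIFFE ID in trust domain %q", id, trustDomain)
	}
	path := strings.TrimPrefix(u.Path, "/")
	return spiffeParts{TrustDomain: u.Host, Path: path, Segments: strings.Split(path, "/")}, nil
}

// policiesForSPIFFEID renders each administrator-supplied template (a hypothetical plugin
// config setting) against the parsed ID; any template that cannot be rendered fails the login.
func policiesForSPIFFEID(id, trustDomain string, policyTemplates []string) ([]string, error) {
	parts, err := parseSPIFFEID(id, trustDomain)
	if err != nil {
		return nil, err
	}
	funcs := template.FuncMap{"replace": strings.ReplaceAll} // lets templates flatten "/" out of names
	var policies []string
	for _, text := range policyTemplates {
		tmpl, err := template.New("policy").Funcs(funcs).Parse(text)
		if err != nil {
			return nil, fmt.Errorf("bad policy template %q: %w", text, err)
		}
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, parts); err != nil {
			return nil, fmt.Errorf("policy template %q does not apply to %q: %w", text, id, err)
		}
		policies = append(policies, buf.String())
	}
	return policies, nil
}
```

With templates such as `{{index .Segments 1}}-{{index .Segments 3}}` and `svc-{{replace .Path "/" "-"}}`, the constructed ID `spiffe://example.org/ns/prod/sa/web` yields the policies `prod-web` and `svc-ns-prod-sa-web`.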