Enriching Vault OIDC Tokens with SPIFFE Identity Metadata using Terraform


These articles are AI-generated summaries. Please check the original sources for full details.

HashiCorp Vault’s Identity Secrets Engine can issue OIDC tokens that carry SPIFFE identity metadata for microservices, with the entities, metadata, and templates managed in Terraform. A PowerShell test decoded one such token and confirmed it contained the spiffe_id, business_unit, and environment claims.

Why This Matters

Modern microservices require machine identities to carry metadata like environment or business unit for authorization. Without binding AppRole to Identity Entities, tokens remain generic, risking misconfigured access controls. Vault’s template system dynamically injects metadata, reducing reliance on static IP-based policies.

Key Insights

  • “AppRole bound to Identity Entities via Entity Aliases for metadata injection”
  • “OIDC Templates dynamically inject metadata like spiffe_id and business_unit”
  • “Vault used by companies for machine identity management”

Working Example

# identities.tf
# One Identity Entity per application; the metadata set here is what the OIDC
# template later copies into the token claims.
resource "vault_identity_entity" "application" {
  for_each = local.application_identities_map
  name     = each.key
  metadata = {
    environment     = each.value.identity.environment
    business_unit   = each.value.identity.business_unit
    # SPIFFE ID derived from the entity's own environment, business unit and name
    spiffe_id       = "spiffe://vault/application/${each.value.identity.environment}/${each.value.identity.business_unit}/${each.value.identity.name}"
  }
}
# PowerShell test
# $APPTOKEN is the Vault token returned by the AppRole login; the OIDC token is
# minted for the Identity Entity that token is bound to, so its claims carry
# that entity's metadata.
$OIDC_TOKEN = docker-compose exec -e VAULT_TOKEN="$APPTOKEN" vault vault read -field=token identity/oidc/token/application_identity

Practical Applications

  • Use Case: “ChatBot service using Vault tokens with environment-specific access rules”
  • Pitfall: “Forgetting to bind AppRole to Entity Alias causes metadata loss in tokens”
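The Key Insights and the Pitfall above both come down to two pieces of Terraform the article does not show: the Entity Alias that binds each AppRole to its Identity Entity, and the OIDC role whose template reads the entity metadata. The following is an added example, not code from the article or from HashiCorp; it assumes the `vault_identity_entity.application` resource and `local.application_identities_map` from the article's identities.tf, an AppRole auth mount, and policy and key names chosen here for illustration.

```hcl
# Added example (not from the original article). Assumes
# vault_identity_entity.application and local.application_identities_map
# from the article's identities.tf are defined in the same module.

# AppRole auth mount; its accessor is what ties aliases to this mount.
resource "vault_auth_backend" "approle" {
  type = "approle"
}

# One AppRole per application identity (policy name is assumed).
resource "vault_approle_auth_backend_role" "application" {
  for_each       = local.application_identities_map
  backend        = vault_auth_backend.approle.path
  role_name      = each.key
  token_policies = ["default", "application-oidc"]
}

# The binding the article's pitfall warns about: without this alias an AppRole
# login yields a token with no entity, so the OIDC template renders no metadata.
resource "vault_identity_entity_alias" "application" {
  for_each       = local.application_identities_map
  name           = vault_approle_auth_backend_role.application[each.key].role_id
  mount_accessor = vault_auth_backend.approle.accessor
  canonical_id   = vault_identity_entity.application[each.key].id
}

# Signing key for the OIDC tokens (name and rotation values are assumed).
resource "vault_identity_oidc_key" "application" {
  name               = "application_identity"
  algorithm          = "RS256"
  rotation_period    = 86400
  verification_ttl   = 86400
  allowed_client_ids = ["*"]
}

# OIDC role read at identity/oidc/token/application_identity (the path used in
# the article's PowerShell test). The template is evaluated against the entity
# of the calling token, so every claim below is sourced from entity metadata.
resource "vault_identity_oidc_role" "application_identity" {
  name = "application_identity"
  key  = vault_identity_oidc_key.application.name
  ttl  = 3600
  template = <<-EOT
    {
      "spiffe_id":     {{identity.entity.metadata.spiffe_id}},
      "business_unit": {{identity.entity.metadata.business_unit}},
      "environment":   {{identity.entity.metadata.environment}},
      "entity_name":   {{identity.entity.name}}
    }
  EOT
}

# Policy allowing an entity-bound token to mint its own OIDC token.
resource "vault_policy" "application_oidc" {
  name   = "application-oidc"
  policy = <<-EOT
    path "identity/oidc/token/application_identity" {
      capabilities = ["read"]
    }
  EOT
}
```

After `terraform apply`, logging in with one of the AppRoles and reading `identity/oidc/token/application_identity` with the resulting token, as in the article's PowerShell test, produces a JWT whose payload carries the four claims in the template. Because the values come from the entity rather than from the caller, a consumer of the token can authorize on environment or business unit without trusting anything the service itself asserted.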
