diff --git a/website/content/docs/concepts/domain-model/credential-libraries.mdx b/website/content/docs/concepts/domain-model/credential-libraries.mdx index 0bdd4304ea..e97406dfd5 100644 --- a/website/content/docs/concepts/domain-model/credential-libraries.mdx +++ b/website/content/docs/concepts/domain-model/credential-libraries.mdx 
@@ -37,6 +37,40 @@ A Vault credential library has the following additional attributes: The body of the HTTP request the library sends to Vault when requesting credentials. Only valid if `http_method` is set to `POST`. +### Vault Credential Library Parameter Templating + +Some of the secrets engines that generate dynamic users for external systems provide the ability for Vault operators to customize how usernames are generated for those external systems. +For more information, refer to [Username Templating](https://developer.hashicorp.com/vault/docs/concepts/username-templating/). + +The following Vault template parameters are supported in Boundary. +Note that account values are tied to the account associated with the token used to make the call: + +- `{{.User.Id}}` - The user's ID. + + Prior to Boundary 0.11.1, `{{user.id}}` must be used instead. + Boundary 0.11.1+ changes this for consistency with other places within Boundary that are gaining templating support, but supports both formats for backwards compatibility. +- `{{.User.Name}}` - The user's name from the user resource. +- `{{.User.FullName}}` - The user's name from the account corresponding to the primary auth method in the user's scope. +This value may not be populated, or it may be different from the account name used in the template. +- `{{.User.Email}}` - The user's email address from the account corresponding to the primary auth method in the user's scope. +This value may not be populated, or it may be different from the account name used in the template. +- `{{.Account.Id}}` - The account's ID. + + Prior to Boundary 0.11.1, `{{account.id}}` must be used instead. + Boundary 0.11.1+ changes this for consistency with other places within Boundary that are gaining templating support, but supports both formats for backwards compatibility. +- `{{.Account.Name}}` - The name of the account from the account resource. 
+- `{{.Account.LoginName}}` - The account's login name, if a login name is used by that type of account. +- `{{.Account.Subject}}` - The account's subject, if a subject is used by that type of account. +- `{{.Account.Email}}` - The account's email, if email is used by that type of account. + +Additionally, there is currently a single function that strips the rest of a string after a specified substring. +This function is useful for pulling a user or account name from an email address. +The following example turns `foo@example.com` into `foo`: + +`{{truncateFrom .Account.Email "@"}}` + +The example above uses the account email, but it could be any other parameter. + ## Referenced By - [Credential][]
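Review bot: The new "Vault Credential Library Parameter Templating" section never says which credential library attributes accept these templates. It is placed right after the description of the HTTP request body attribute, but its intro only describes Vault's username templating, so a reader cannot tell where `{{.User.Id}}` and the other parameters may be used. Suggest opening the section with a sentence that names the templatable attributes. In the `truncateFrom` paragraph, "strips the rest of a string after a specified substring" does not match the example, where `foo@example.com` becomes `foo` and the `@` is dropped too. Say that the substring and everything after it are removed, and state what is returned when the substring does not occur in the value. For `{{.User.FullName}}` and `{{.User.Email}}`, "This value may not be populated" should say what is substituted into the request sent to Vault in that case (an empty string or an error), since the result ends up in a credential request. Style: the continuation lines under those two bullets are not indented, unlike the notes under `{{.User.Id}}` and `{{.Account.Id}}`.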