Description
Is your feature request related to a problem? Please describe.
I'm trying to write a templated policy to allow users to have access to a list of roles they can use.
Instead of writing a policy rule per database role, the templated policy I want looks like:
path "dummy-database-engine/static-roles/{{identity.entity.aliases.<<mount accessor>>.name}}-*" {
capabilities = ["create", "update"]
}
In my case, the mount is an OIDC mount, and the entity alias name with the default plugin is the user_claim, which in my case is the user's email.
Without this PR, the @ character is invalid, so I cannot create a database role that will match this policy rule.
And I get the following error:
│ URL: PUT https://vault.customdomain.io/v1/dummy-database-engine/static-roles/[email protected]
│ Code: 404. Errors:
│
│ * 1 error occurred:
│ * unsupported path
Describe the solution you'd like
I'd like Vault to accept the @ character for database roles
Describe alternatives you've considered
I would need to change the OIDC mount's user_claim to one that doesn't contain an @. As this is an organisation-wide instance, such a change would have a lot of impact on other users.
Additional context
This has already been done in the following issues:
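As an added example (not code from the issue or from Vault), here is a small Python model of the two checks a request like the one above passes through: first the ACL check against the templated policy path, then the database backend's route matching that produces the 404 "unsupported path" when the role name contains a character the route regex does not accept. The mount accessor `auth_oidc_1a2b3c4d`, the alias `jane.doe@example.com`, the glob semantics and the two route regexes (modelled on Vault's `GenericNameRegex` without and with `@`, transcribed into Python syntax) are assumptions of this example, not verified Vault internals.

```python
import re
from typing import Dict, Optional

# --- constructed sample data (assumptions, not taken from the issue) ---
MOUNT_ACCESSOR = "auth_oidc_1a2b3c4d"                       # hypothetical OIDC mount accessor
ENTITY_ALIASES = {MOUNT_ACCESSOR: "jane.doe@example.com"}   # user_claim email as the alias name
MOUNT_PATH = "dummy-database-engine/"

# The templated policy path from the issue, with the accessor filled in.
POLICY_PATH = (
    MOUNT_PATH + "static-roles/{{identity.entity.aliases." + MOUNT_ACCESSOR + ".name}}-*"
)

TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.aliases\.([^.}]+)\.name\}\}")

# Backend route patterns, modelled on Vault's framework.GenericNameRegex (no '@') and an
# '@'-accepting variant, written in Python syntax with ASCII \w. Assumption of this example.
ROUTE_WITHOUT_AT = re.compile(r"^static-roles/(?P<name>\w(([\w.\-]+)?\w)?)$", re.ASCII)
ROUTE_WITH_AT = re.compile(r"^static-roles/(?P<name>\w(([\w.\-@]+)?\w)?)$", re.ASCII)


def render_policy_path(template: str, aliases: Dict[str, str]) -> str:
    """Replace {{identity.entity.aliases.<accessor>.name}} with the caller's alias name."""
    def substitute(match):
        accessor = match.group(1)
        if accessor not in aliases:
            raise KeyError(f"entity has no alias on mount accessor {accessor}")
        return aliases[accessor]
    return TEMPLATE_RE.sub(substitute, template)


def policy_allows(rendered_path: str, request_path: str) -> bool:
    """Simplified Vault ACL matching: a trailing '*' is a glob, anything else is exact."""
    if rendered_path.endswith("*"):
        return request_path.startswith(rendered_path[:-1])
    return request_path == rendered_path


def route_role_name(request_path: str, accept_at: bool) -> Optional[str]:
    """Return the role name the backend would capture, or None for a 404 'unsupported path'."""
    if not request_path.startswith(MOUNT_PATH):
        return None
    relative = request_path[len(MOUNT_PATH):]
    match = (ROUTE_WITH_AT if accept_at else ROUTE_WITHOUT_AT).match(relative)
    return match.group("name") if match else None


def evaluate(role_name: str, aliases: Dict[str, str], accept_at: bool) -> Dict[str, object]:
    """Walk one PUT .../static-roles/<role_name> through the ACL check and route matching."""
    request_path = MOUNT_PATH + "static-roles/" + role_name
    rendered = render_policy_path(POLICY_PATH, aliases)
    return {
        "request_path": request_path,
        "rendered_policy_path": rendered,
        "policy_allows": policy_allows(rendered, request_path),
        "routed_name": route_role_name(request_path, accept_at),
    }


if __name__ == "__main__":
    # The policy allows the request either way; only the '@'-accepting route reaches the handler.
    for accept_at in (False, True):
        result = evaluate("jane.doe@example.com-readonly", ENTITY_ALIASES, accept_at)
        print(f"accept_at={accept_at}: {result}")
```

Running it shows the two checks are independent: the templated policy grants `jane.doe@example.com-*` to the matching entity and denies `john.smith@example.com-*`, but with the `@`-less route regex the request never reaches the handler, which is the "unsupported path" response in the issue rather than a permission denied.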