add role to alias metadata

path_login.go

@@ -25,13 +25,15 @@ const (
 	metadataKeySAName       = "service_account_name"
 	metadataKeySANamespace  = "service_account_namespace"
 	metadataKeySASecretName = "service_account_secret_name"
+	metadataKeyRole         = "role"
 )
 
 var reservedAliasMetadataKeys = map[string]struct{}{
 	metadataKeySAUID:        {},
 	metadataKeySAName:       {},
 	metadataKeySANamespace:  {},
 	metadataKeySASecretName: {},
+	metadataKeyRole:         {},
 }
 
 // defaultJWTIssuer is used to verify the iss header on the JWT if the config doesn't specify an issuer.
@@ -205,6 +207,7 @@ func (b *kubeAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 	metadata[metadataKeySAName] = sa.name()
 	metadata[metadataKeySANamespace] = sa.namespace()
 	metadata[metadataKeySASecretName] = sa.SecretName
+	metadata[metadataKeyRole] = roleName
 
 	auth := &logical.Auth{
 		Alias: &logical.Alias{
@@ -219,7 +222,7 @@ func (b *kubeAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 			metadataKeySAName:       sa.name(),
 			metadataKeySANamespace:  sa.namespace(),
 			metadataKeySASecretName: sa.SecretName,
-			"role":                  roleName,
+			metadataKeyRole:         roleName,
 		},
 		DisplayName: fmt.Sprintf("%s-%s", sa.namespace(), sa.name()),
 	}

path_login_test.go

@@ -885,6 +885,18 @@ func TestLoginEntityAliasMetadataAssignment(t *testing.T) {
 			t.Fatalf("expected value %q got %q for key %q", expV, v, expK)
 		}
 	}
+
+	expK := "role"
+	expV := data["role"]
+	v, ok := resp.Auth.Alias.Metadata["role"]
+
+	if !ok {
+		t.Fatalf("expected key %q not found", expK)
+	}
+
+	if v != expV {
+		t.Fatalf("expected value %q got %q for key %q", expV, v, expK)
+	}
 }
 
 func TestAliasLookAhead(t *testing.T) {