hashicorp · victorr · Jul 16, 2025 · Jul 17, 2025 · Jul 18, 2025 · Jul 18, 2025
@@ -273,6 +273,10 @@ can only be set during role creation and once set, it can't be reset later.`,
 								Required:    true,
 								Description: "The maximum number of times a token may be used, a value of zero means unlimited",
 							},
+							"token_auth_metadata": {
+								Type:        framework.TypeKVPairs,
+								Description: "The metadata to be tied to generated tokens. This should be a list or map containing the metadata in key value pairs",
+							},
 							"period": {
 								Type:        framework.TypeInt64,
 								Required:    false,

@@ -631,11 +631,12 @@ func TestAwsEc2_RoleCrud(t *testing.T) {
 		"token_bound_cidrs":              []string{},
 		"token_no_default_policy":        false,
 		"token_num_uses":                 0,
+		"token_auth_metadata":            map[string]string{},
 		"token_type":                     "default",
 	}
 
 	if resp.Data["role_id"] == nil {
-		t.Fatal("role_id not found in repsonse")
+		t.Fatal("role_id not found in response")
 	}
 	expected["role_id"] = resp.Data["role_id"]
 	if diff := deep.Equal(expected, resp.Data); diff != nil {

@@ -1356,6 +1356,7 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
 		TokenParams: tokenutil.TokenParams{
 			TokenPeriod:         5 * time.Minute,
 			TokenExplicitMaxTTL: 24 * time.Hour,
+			TokenAuthMetadata:   make(map[string]string),
 		},
 		ConfigEntry: &ldaputil.ConfigEntry{
 			Url:                      cfg.Url,

@@ -0,0 +1,27 @@
+```release-note:improvement
+auth/approle: Add ability to specify custom Auth metadata via new role creation parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/aws: Add ability to specify custom Auth metadata via new role creation parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/github: Add ability to specify custom Auth metadata via new configuration parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/ldap: Add ability to specify custom Auth metadata via new role configuration parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/okta: Add ability to specify custom Auth metadata via new role configuration parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/radius: Add ability to specify custom Auth metadata via new role configuration parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/scep (enterprise): Add ability to specify custom Auth metadata via new role creation parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/cert: Add ability to specify custom Auth metadata via new CA certificate role creation parameter `token_auth_metadata`.
+```
+```release-note:improvement
+auth/userpass: Add ability to specify custom Auth metadata via new user creation parameter `token_auth_metadata`.
+```
@@ -47,6 +47,9 @@ type TokenParams struct {
 
 	// The TTL to user for the token
 	TokenTTL time.Duration `json:"token_ttl" mapstructure:"token_ttl"`
+
+	// The metadata to attach to the authentication information.
+	TokenAuthMetadata map[string]string `json:"token_auth_metadata" mapstructure:"token_auth_metadata"`
 }
 
 // AddTokenFields adds fields to an existing role. It panics if it would
@@ -157,6 +160,15 @@ func TokenFields() map[string]*framework.FieldSchema {
 				Group: "Tokens",
 			},
 		},
+
+		"token_auth_metadata": {
+			Type:        framework.TypeKVPairs,
+			Description: "The metadata to be tied to generated tokens. This should be a JSON formatted string containing the metadata in key value pairs",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name:  "Token Auth Metadata",
+				Group: "Tokens",
+			},
+		},
 	}
 }
 
@@ -238,6 +250,11 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 		return errors.New("'token_ttl' cannot be greater than 'token_max_ttl'")
 	}
 
+	t.TokenAuthMetadata = make(map[string]string)
+	if tokenMetadataRaw, ok := d.GetOk("token_auth_metadata"); ok {
+		t.TokenAuthMetadata = tokenMetadataRaw.(map[string]string)
+	}
+
 	return nil
 }
 
@@ -252,6 +269,7 @@ func (t *TokenParams) PopulateTokenData(m map[string]interface{}) {
 	m["token_type"] = t.TokenType.String()
 	m["token_ttl"] = int64(t.TokenTTL.Seconds())
 	m["token_num_uses"] = t.TokenNumUses
+	m["token_auth_metadata"] = t.TokenAuthMetadata
 
 	if len(t.TokenPolicies) == 0 {
 		m["token_policies"] = []string{}
@@ -260,6 +278,10 @@ func (t *TokenParams) PopulateTokenData(m map[string]interface{}) {
 	if len(t.TokenBoundCIDRs) == 0 {
 		m["token_bound_cidrs"] = []string{}
 	}
+
+	if len(t.TokenAuthMetadata) == 0 {
+		m["token_auth_metadata"] = map[string]string{}
+	}
 }
 
 // PopulateTokenAuth populates Auth with parameters
@@ -274,6 +296,18 @@ func (t *TokenParams) PopulateTokenAuth(auth *logical.Auth) {
 	auth.TokenType = t.TokenType
 	auth.TTL = t.TokenTTL
 	auth.NumUses = t.TokenNumUses
+
+	if len(t.TokenAuthMetadata) > 0 {
+		if auth.Metadata == nil {
+			auth.Metadata = map[string]string{}
+		}
+		for k, v := range t.TokenAuthMetadata {
+			if _, ok := auth.Metadata[k]; !ok {
+				// Do not override metadata with the same key added by the caller
+				auth.Metadata[k] = v
+			}
+		}
+	}
 }
 
 func DeprecationText(param string) string {