From 3a07bd0bc4ed00a4ffdf4cae222e4e574d779f9e Mon Sep 17 00:00:00 2001 From: Elthariel Date: Fri, 29 May 2020 02:54:56 +0200 Subject: [PATCH] doc: Add an example of templated policy using k8s metadata (#9101) --- website/pages/docs/concepts/policies.mdx | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/website/pages/docs/concepts/policies.mdx b/website/pages/docs/concepts/policies.mdx index f7ccb14d9..5a5a5bc20 100644 --- a/website/pages/docs/concepts/policies.mdx +++ b/website/pages/docs/concepts/policies.mdx @@ -295,6 +295,29 @@ unique to the user, whereas names can change over time and can be reused. This ensures that if a given user or group name is changed, the policy will be mapped to the intended entity or group. +If you want to use the metadata associated with an authentication plugin in your +templates, you will need to get its _mount accessor_ and access it via the +`aliases` key. + +You can get the mount accessor value using the following command: + +```shellsession +$> vault auth list +Path Type Accessor Description +---- ---- -------- ----------- +kubernetes/ kubernetes auth_kubernetes_xxxx n/a +token/ token auth_token_yyyy token based credentials +``` + +The following templated policy allow to read the path associated with the +Kubernetes service account namespace of the identity: + +```ruby +path "secrets/data/{{identity.entity.aliases.auth_kubernetes_xxxx.metadata.service_account_namespace}}/*" { + capabilities = ["read"] +} +``` + ## Fine-Grained Control In addition to the standard set of capabilities, Vault offers finer-grained
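Review bot: In the added paragraph "The following templated policy allow to read the path associated with the Kubernetes service account namespace of the identity", the verb does not agree with its subject; suggest "The following templated policy allows reading the path ...". Two smaller style points in the same hunk: the policy block is HCL, so fencing it as ```hcl rather than ```ruby would match what the reader is looking at, and the shellsession prompt `$> vault auth list` should be the plain `$ vault auth list` form used elsewhere in these docs. Since `auth_kubernetes_xxxx` in the template is a placeholder for the reader's own accessor (the text already shows it as the output of `vault auth list`), it would help to say explicitly that the accessor is specific to each Vault installation and must be substituted, otherwise the example policy as pasted matches no alias and grants nothing.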