Bandwidth · noahg1 · Sep 15, 2025
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -104,9 +103,9 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		return logical.ErrorResponse("missing vmname"), nil
 	}
 
-	role := d.Get("role").(string)
+	roleName := d.Get("role").(string)
 
-	if role == "" {
+	if roleName == "" {
 		return logical.ErrorResponse("missing role"), nil
 	}
 
@@ -143,7 +142,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		return logical.ErrorResponse("Invalid VM name"), nil
 	}
 
-	if role != vmoutput.Role {
+	if roleName != vmoutput.Role {
 		return logical.ErrorResponse("Invalid role"), nil
 	}
 
@@ -155,30 +154,26 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		return logical.ErrorResponse("Invalid secret key"), nil
 	}
 
-	vmdata, _ := b.role(ctx, req.Storage, role)
+	role, _ := b.role(ctx, req.Storage, roleName)
 
-	policies := vmdata.Policies
+	policies := role.TokenPolicies
 
-	resp := &logical.Response{
-		Auth: &logical.Auth{
-			Metadata: map[string]string{
-				"vmname":   vmname,
-				"policies": strings.Join(policies, ","),
-			},
-			DisplayName: vmname,
-			LeaseOptions: logical.LeaseOptions{
-				TTL:       30 * time.Minute,
-				MaxTTL:    60 * time.Minute,
-				Renewable: true,
-			},
-			Alias: &logical.Alias{
-				Name: vmname,
-			},
+	auth := &logical.Auth{
+		Metadata: map[string]string{
+			"vmname":   vmname,
+			"policies": strings.Join(policies, ","),
+		},
+		DisplayName: vmname,
+		Alias: &logical.Alias{
+			Name: vmname,
 		},
 	}
-	resp.Auth.Policies = append(resp.Auth.Policies, policies...)
 
-	return resp, nil
+	role.PopulateTokenAuth(auth)
+
+	return &logical.Response{
+		Auth: auth,
+	}, nil
 }
 
 const pathLoginSyn = `

@@ -7,6 +7,7 @@ import (
 
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/policyutil"
+	"github.com/hashicorp/vault/sdk/helper/tokenutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -24,17 +25,17 @@ func pathListRoles(b *backend) *framework.Path {
 }
 
 func pathRoles(b *backend) *framework.Path {
-	return &framework.Path{
+	p := &framework.Path{
 		Pattern: "role/" + framework.GenericNameRegex("role"),
 		Fields: map[string]*framework.FieldSchema{
 			"role": {
 				Type:        framework.TypeString,
 				Description: "Role associated with the virtual machine.",
 			},
-
 			"policies": {
 				Type:        framework.TypeCommaStringSlice,
-				Description: "Comma-separated list of policies associated to the vm.",
+				Description: tokenutil.DeprecationText("token_policies"),
+				Deprecated:  true,
 			},
 		},
 
@@ -48,6 +49,9 @@ func pathRoles(b *backend) *framework.Path {
 		HelpSynopsis:    pathUserHelpSyn,
 		HelpDescription: pathUserHelpDesc,
 	}
+
+	tokenutil.AddTokenFields(p.Fields)
+	return p
 }
 
 func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@@ -131,8 +135,11 @@ func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *fra
 
 // RoleEntry stores all the options that are set on a VM
 type RoleEntry struct {
-	Role     string
-	Policies []string
+	tokenutil.TokenParams
+	// Role is the role name
+	Role string
+	// Deprecated by TokenParams
+	Policies []string `json:"policies"`
 }
 
 const pathUserHelpSyn = `