From aab72100fb2f8dd10ed0def677649a2ac0b45e9d Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Thu, 1 Feb 2024 11:45:53 -0800 Subject: [PATCH] add new config option use_annotations_as_alias_metadata for k8s auth on api docs (#24941) --- website/content/api-docs/auth/kubernetes.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx index b4db1ace3b..6fb84794d5 100644 --- a/website/content/api-docs/auth/kubernetes.mdx +++ b/website/content/api-docs/auth/kubernetes.mdx @@ -42,6 +42,10 @@ access the Kubernetes API. extracted. Not every installation of Kubernetes exposes these keys. - `disable_local_ca_jwt` `(bool: false)` - Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. +- `use_annotations_as_alias_metadata` `(bool: false)` - Use annotations from the client token's associated service account + as alias metadata for the Vault entity. Only annotations with the prefix `vault.hashicorp.com/alias-metadata-` will be used. + For example, if an annotation "vault.hashicorp.com/alias-metadata-foo" is configured, "foo" with its value will be added + to the alias metadata. NOTE: Vault will need permission to read service accounts from the Kubernetes API. ### Deprecated parameters
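Review bot: The closing NOTE in the new `use_annotations_as_alias_metadata` bullet ("Vault will need permission to read service accounts from the Kubernetes API") is too vague for an operator to act on. It does not say which credential needs the permission, which RBAC rule is required, or what happens at login when the permission is missing. Suggest naming the rule explicitly (for example `get` on `serviceaccounts`, if that is what the plugin calls) and stating whether a failed read rejects the login or only skips the metadata. The bullet should also state the trust implication: anyone who can edit annotations on the service account controls the values that end up in alias metadata, which matters if that metadata is referenced by templated policies. Minor style point in the same bullet: the prefix is in backticks, but the example annotation "vault.hashicorp.com/alias-metadata-foo" and the key "foo" are in double quotes. Use backticks for all three.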