From 378e96f01037b06acaa5c48a4c83fed05b5e901e Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Fri, 17 Oct 2025 14:06:51 -0400
Subject: [PATCH] Change tokenutil alias_metadata to populate alias custom
 metadata. (#10199) (#10202)

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
---
 changelog/_10199.txt    | 27 +++++++++++++++++++++++++++
 vault/identity_store.go | 15 ++++++++-------
 2 files changed, 35 insertions(+), 7 deletions(-)
 create mode 100644 changelog/_10199.txt

diff --git a/changelog/_10199.txt b/changelog/_10199.txt
new file mode 100644
index 0000000000..540563a41f
--- /dev/null
+++ b/changelog/_10199.txt
@@ -0,0 +1,27 @@
+```release-note:bug
+auth/approle (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/aws (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/github (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/ldap (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/okta (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/radius (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/scep (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/cert (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
+```release-note:bug
+auth/userpass (enterprise): Role parameter `alias_metadata` now populates alias custom metadata field instead of alias metadata.
+```
diff --git a/vault/identity_store.go b/vault/identity_store.go
index b99a6c3200..e160831570 100644
--- a/vault/identity_store.go
+++ b/vault/identity_store.go
@@ -1388,13 +1388,14 @@ func (i *IdentityStore) CreateOrFetchEntity(ctx context.Context, alias *logical.
 
 		// Create a new alias
 		newAlias := &identity.Alias{
-			CanonicalID:   entity.ID,
-			Name:          alias.Name,
-			MountAccessor: alias.MountAccessor,
-			Metadata:      alias.Metadata,
-			MountPath:     mountValidationResp.MountPath,
-			MountType:     mountValidationResp.MountType,
-			Local:         alias.Local,
+			CanonicalID:    entity.ID,
+			Name:           alias.Name,
+			MountAccessor:  alias.MountAccessor,
+			Metadata:       alias.Metadata,
+			MountPath:      mountValidationResp.MountPath,
+			MountType:      mountValidationResp.MountType,
+			Local:          alias.Local,
+			CustomMetadata: alias.CustomMetadata,
 		}
 
 		err = i.sanitizeAlias(ctx, newAlias)