Vault: Principals with SSH CA

Hi,

I am very interested in the new SSH CA functionality, and I saw that it was merged today. I was experimenting with it, and I'm having issues signing a key with principals.

Looking at the documentation, it looks as if reading a role should return a field called allowed_valid_principals, but it is not present, even if I add this field when creating the role:

Write role:

$ vault write ssh/roles/example_role ttl=4h allow_user_certificates=true key_type=ca allowed_valid_principals=test
Success! Data written to: ssh/roles/example_role

Read role:

$ vault read ssh/roles/example_role
Key                         Value
---                         -----
allow_bare_domains          false
allow_host_certificates     false
allow_subdomains            false
allow_user_certificates     true
allowed_critical_options
allowed_domains
allowed_extensions
allowed_users
default_critical_options    map[]
default_extensions          map[]
default_user
key_type                    ca
max_ttl                     768h0m0s
ttl                         4h0m0s

I also tried to sign with a provided principal to see if it worked anyway and received an error:

$ cat id_ecdsa.pub | vault write ssh/sign/example_role valid_principals=test public_key=-
Error writing data to ssh/sign/example_role: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/ssh/sign/example_role
Code: 500. Errors:

* 1 error occurred:

* "valid_principals" not in allowed list

I'm taking a look through the source code, as well, but I figured I should raise this. Thanks!