From f4170691e34b6c7cf54f2c2c94c274b1a615c541 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 1 May 2023 07:32:35 -0400
Subject: [PATCH] backport of commit 884840a192bb03d71f638a848f48ec9c1aabbf0d (#20440)

Co-authored-by: miagilepner
---
 changelog/20368.txt | 3 +++
 vault/identity_store_aliases.go | 5 ++--
 vault/identity_store_aliases_test.go | 40 ++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 changelog/20368.txt

diff --git a/changelog/20368.txt b/changelog/20368.txt
new file mode 100644
index 000000000000..bca5957d1d29
--- /dev/null
+++ b/changelog/20368.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Allow updates of only the custom-metadata for entity alias.
+```
\ No newline at end of file
diff --git a/vault/identity_store_aliases.go b/vault/identity_store_aliases.go
index 1fe3c3126e39..4a83a836511b 100644
--- a/vault/identity_store_aliases.go
+++ b/vault/identity_store_aliases.go
@@ -172,8 +172,9 @@ func (i *IdentityStore) handleAliasCreateUpdate() framework.OperationFunc {
 }
 switch {
 case mountAccessor == "" && name == "":
- // Just a canonical ID update, maybe
- if canonicalID == "" {
+ // Check if the canonicalID or the customMetadata are being
+ // updated
+ if canonicalID == "" && !customMetadataExists {
 // Nothing to do, so be idempotent
 return nil, nil
 }
diff --git a/vault/identity_store_aliases_test.go b/vault/identity_store_aliases_test.go
index 6c0f7a0f06cd..ba52d7358ef0 100644
--- a/vault/identity_store_aliases_test.go
+++ b/vault/identity_store_aliases_test.go
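Review bot: With the guard changed to `if canonicalID == "" && !customMetadataExists`, a request carrying only `custom_metadata` now continues into the update logic that follows this hunk (the remainder of handleAliasCreateUpdate is outside it), so that path must tolerate an empty `canonicalID` and leave the alias's existing canonical ID untouched rather than treat "" as a new target entity. `customMetadataExists` is declared above the hunk as well; the added "only-metadata-clear" test sends an empty map, which only behaves as intended if that flag reflects presence of the `custom_metadata` field rather than a non-empty value, and the new comment should state that, e.g. `// Continue when a canonical ID or the custom_metadata field (possibly empty, to clear it) was supplied; otherwise nothing changes.` Inferred rather than visible here: the metadata-only branch should still resolve the alias by its ID and apply the same ownership checks as the canonical-ID update before anything is written.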
@@ -458,6 +458,46 @@ func TestIdentityStore_AliasUpdate(t *testing.T) {
 "custom_metadata": map[string]string{},
 },
 },
+ {
+ name: "only-metadata",
+ createData: map[string]interface{}{
+ "name": "only",
+ "mount_accessor": githubAccessor,
+ "custom_metadata": map[string]string{
+ "foo": "bar",
+ },
+ },
+ updateData: map[string]interface{}{
+ "custom_metadata": map[string]string{
+ "bar": "baz",
+ },
+ },
+ },
+ {
+ name: "only-metadata-clear",
+ createData: map[string]interface{}{
+ "name": "only-clear",
+ "mount_accessor": githubAccessor,
+ "custom_metadata": map[string]string{
+ "foo": "bar",
+ },
+ },
+ updateData: map[string]interface{}{
+ "custom_metadata": map[string]string{},
+ },
+ },
+ {
+ name: "only-metadata-none-before",
+ createData: map[string]interface{}{
+ "name": "no-metadata",
+ "mount_accessor": githubAccessor,
+ },
+ updateData: map[string]interface{}{
+ "custom_metadata": map[string]string{
+ "foo": "bar",
+ },
+ },
+ },
 }
 handleRequest := func(t *testing.T, req *logical.Request) *logical.Response {