diff --git a/vault/resource_pki_secret_backend_role.go b/vault/resource_pki_secret_backend_role.go
index 1accfeaf87..17081e3ad2 100644
--- a/vault/resource_pki_secret_backend_role.go
+++ b/vault/resource_pki_secret_backend_role.go
@@ -76,6 +76,13 @@ func pkiSecretBackendRoleResource() *schema.Resource {
 Type: schema.TypeString,
 },
 },
+ "allowed_domains_template": {
+ Type: schema.TypeBool,
+ Required: false,
+ Optional: true,
+ Description: "Flag to indicate that allowed_domains specifies an identity template",
+ Default: false,
+ },
 "allow_bare_domains": {
 Type: schema.TypeBool,
 Required: false,
@@ -349,6 +356,7 @@ func pkiSecretBackendRoleCreate(d *schema.ResourceData, meta interface{}) error
 "allow_localhost": d.Get("allow_localhost"),
 "allow_bare_domains": d.Get("allow_bare_domains"),
 "allow_subdomains": d.Get("allow_subdomains"),
+ "allowed_domains_template": d.Get("allowed_domains_template"),
 "allow_glob_domains": d.Get("allow_glob_domains"),
 "allow_any_name": d.Get("allow_any_name"),
 "enforce_hostnames": d.Get("enforce_hostnames"),
@@ -471,6 +479,7 @@ func pkiSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("max_ttl", secret.Data["max_ttl"])
 d.Set("allow_localhost", secret.Data["allow_localhost"])
 d.Set("allowed_domains", allowedDomains)
+ d.Set("allowed_domains_template", secret.Data["allowed_domains_template"])
 d.Set("allow_bare_domains", secret.Data["allow_bare_domains"])
 d.Set("allow_subdomains", secret.Data["allow_subdomains"])
 d.Set("allow_glob_domains", secret.Data["allow_glob_domains"])
@@ -541,6 +550,7 @@ func pkiSecretBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error
 "max_ttl": d.Get("max_ttl"),
 "allow_localhost": d.Get("allow_localhost"),
 "allow_bare_domains": d.Get("allow_bare_domains"),
+ "allowed_domains_template": d.Get("allowed_domains_template"),
 "allow_subdomains": d.Get("allow_subdomains"),
 "allow_glob_domains": d.Get("allow_glob_domains"),
 "allow_any_name": d.Get("allow_any_name"),
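Review bot: The added `allowed_domains_template` entry sits at a different position in the pkiSecretBackendRoleCreate payload (after `allow_subdomains`) than in the pkiSecretBackendRoleUpdate payload (after `allow_bare_domains`); both are unordered map literals so behaviour is unaffected, but keeping the two request bodies in the same key order makes drift between create and update easier to spot in review. Moving the Update entry one line down, directly after `"allow_subdomains": d.Get("allow_subdomains"),`, aligns them. The new key is also longer than its neighbours, so gofmt would re-align the value column of each literal; the collapsed whitespace here does not show whether that was done. All four enclosing functions start and end outside their hunks.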
diff --git a/vault/resource_pki_secret_backend_role_test.go b/vault/resource_pki_secret_backend_role_test.go
index 39181e5324..5960a0f619 100644
--- a/vault/resource_pki_secret_backend_role_test.go
+++ b/vault/resource_pki_secret_backend_role_test.go
@@ -75,8 +75,10 @@ func TestPkiSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "ttl", "1800"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "max_ttl", "3600"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_localhost", "true"),
- resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_domains.#", "1"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_domains.#", "2"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_domains.0", "other.domain"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_domains.1", "THIS_SHOULD_FAIL"),
+ resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_domains_template", "true"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_bare_domains", "false"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_subdomains", "true"),
 resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allow_glob_domains", "false"),
@@ -179,7 +181,8 @@ resource "vault_pki_secret_backend_role" "test" {
 ttl = 1800
 max_ttl = 3600
 allow_localhost = true
- allowed_domains = ["other.domain"]
+ allowed_domains = ["other.domain", "{{identity.entity.name}}"]
+ allowed_domains_template = true
 allow_bare_domains = false
 allow_subdomains = true
 allow_glob_domains = false
diff --git a/website/docs/r/pki_secret_backend_role.html.md b/website/docs/r/pki_secret_backend_role.html.md
index 6cd358e72d..4a4d71ee80 100644
--- a/website/docs/r/pki_secret_backend_role.html.md
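Review bot: The new assertion for `allowed_domains.1` expects `"THIS_SHOULD_FAIL"`, while the config in the second hunk sets that entry to `"{{identity.entity.name}}"`, so the step fails unless the server rewrites the stored value, which nothing here suggests; it reads like a leftover from confirming the check was live. Change it to `resource.TestCheckResourceAttr("vault_pki_secret_backend_role.test", "allowed_domains.1", "{{identity.entity.name}}"),`. Asserting that the template string round-trips unchanged through Create and Read is the useful check here, since a template altered in storage would not match the intended identity at issuance. TestPkiSecretBackendRole_basic starts and ends outside the hunk.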
+++ b/website/docs/r/pki_secret_backend_role.html.md
@@ -41,6 +41,8 @@ The following arguments are supported:
 * `allowed_domains` - (Optional) List of allowed domains for certificates
+* `allowed_domains_template` - (Optional) Flag to indicate that `allowed_domains` specifies an identity template
+
 * `allow_bare_domains` - (Optional) Flag to allow certificates matching the actual domain
 * `allow_subdomains` - (Optional) Flag to allow certificates matching subdomains