From 0776fac6eb7d1725d6fa339e449cec9890bc368b Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 30 Nov 2025 21:24:06 +1100
Subject: [PATCH] chore: fix policies for rpmbuilder

- missed the `/read` on the end
---
 auth_approle_rpmbuilder.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/auth_approle_rpmbuilder.tf b/auth_approle_rpmbuilder.tf
index 9a44d0a..609189c 100644
--- a/auth_approle_rpmbuilder.tf
+++ b/auth_approle_rpmbuilder.tf
@@ -2,8 +2,8 @@ resource "vault_approle_auth_backend_role" "rpmbuilder" {
   role_name      = "rpmbuilder"
   bind_secret_id = false
   token_policies = [
-    "kv/service/github/neoloc/tokens/read-only-token",
-    "kv/service/gitea/unkinben/tokens/read-only-packages",
+    "kv/service/github/neoloc/tokens/read-only-token/read",
+    "kv/service/gitea/unkinben/tokens/read-only-packages/read",
   ]
   token_ttl     = 30
   token_max_ttl = 30