fix: grant vault deployer access to manage the litellm engine
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful

Applying the litellm mount failed with 403 permission denied on
PUT litellm/config: the deployer identity (tf_vault approle /
woodpecker_terraform_vault k8s role) could enable the mount via
sys/mounts/admin but had no policy covering the engine's own data paths.

Add a litellm/admin policy granting create/read/update/delete on
litellm/config and litellm/roles/*, assigned to the same auth roles as the
other secret-engine admin policies.
This commit is contained in:
2026-07-07 00:23:20 +10:00
parent 95e7a81b2e
commit 77662a6f10
+26
View File
@@ -0,0 +1,26 @@
# Allow management of the LiteLLM secrets engine (config and roles)
---
rules:
- path: "litellm/config"
capabilities:
- create
- update
- read
- delete
- path: "litellm/roles/*"
capabilities:
- create
- update
- delete
- read
- list
- path: "litellm/roles"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault