fix: grant vault deployer access to manage the litellm engine (#84)
ci/woodpecker/push/apply Pipeline was successful
ci/woodpecker/push/apply Pipeline was successful
## Why Applying the newly-merged litellm mount (#83) failed at apply time with: ``` Error: failed to write litellm config URL: PUT https://vault.service.consul:8200/v1/litellm/config Code: 403. * permission denied ``` The deployer identity (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) can enable the mount via `sys/mounts/admin`, but no policy grants it access to the engine's own data paths, so writing the config and roles is denied. ## Changes - Add `policies/litellm/admin.yaml` granting `create`/`read`/`update`/`delete` on `litellm/config` and `litellm/roles/*` (plus `read`/`list` on `litellm/roles`), assigned to the same auth roles as the other secret-engine admin policies (`tf_vault`, `woodpecker_terraform_vault`). ## Note The policy attaches to the deployer's auth roles, so it takes effect on the next token issuance — a re-run of the apply (fresh Vault login) will have the permission and can write `litellm/config` and the roles. Reviewed-on: #84 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #84.
This commit is contained in:
@@ -0,0 +1,26 @@
|
||||
# Allow management of the LiteLLM secrets engine (config and roles)
|
||||
---
|
||||
rules:
|
||||
- path: "litellm/config"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- path: "litellm/roles/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- read
|
||||
- list
|
||||
- path: "litellm/roles"
|
||||
capabilities:
|
||||
- read
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
k8s/au/syd1:
|
||||
- woodpecker_terraform_vault
|
||||
Reference in New Issue
Block a user