From ce1185deba6d57b8e46c0abbe44c0a2450ede5a2 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 17 Jul 2026 23:09:31 +1000 Subject: [PATCH] Grant vault deployer access to import + manage the gpg engine (#88) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Why Applying the gpg mount (#87) needs two grants the deployer (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) doesn't have. terraform-vault **registers the plugin itself** (`vault_plugin` → `sys/plugins/catalog`, a sudo-protected path) and **manages keys** via the gpgvaultsecret provider (`gpg/keys/*`). The deployer already has `sys/mounts/*` but neither of these, so apply would 403 on the plugin registration and on `gpg/keys` writes — the same failure mode as #84. ## Changes - Add `policies/gpg/admin.yaml` granting: - `create/read/update/delete/sudo` on `sys/plugins/catalog/secret/vault-plugin-secrets-gpg` — to **import** (register/deregister) the plugin. - full management of `gpg/keys/*` (+ `gpg/keys` list) — to **manage keys**. - assigned to `tf_vault` (approle) + `woodpecker_terraform_vault` (k8s/au/syd1), mirroring `policies/litellm/admin.yaml` (#84). Should merge/apply **before** #87 so the deployer can register the plugin and create the `pass` key. Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/88 Co-authored-by: Ben Vincent Co-committed-by: Ben Vincent --- policies/gpg/admin.yaml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 policies/gpg/admin.yaml diff --git a/policies/gpg/admin.yaml b/policies/gpg/admin.yaml new file mode 100644 index 0000000..23d7955 --- /dev/null +++ b/policies/gpg/admin.yaml @@ -0,0 +1,35 @@ +# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys. +# +# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog, +# a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the +# deployer needs catalog access on top of the mount access it already has +# (sys/mounts/*). Without this, apply 403s on the plugin registration and on +# gpg/keys writes. +--- +rules: + # Import / register (and deregister) the gpg plugin in the catalog. + - path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg" + capabilities: + - create + - read + - update + - delete + - sudo + # Manage keys (create/rotate/config/delete) in the gpg mount. + - path: "gpg/keys/*" + capabilities: + - create + - read + - update + - delete + - list + - path: "gpg/keys" + capabilities: + - read + - list + +auth: + approle: + - tf_vault + k8s/au/syd1: + - woodpecker_terraform_vault