fix: grant vault deployer access to manage the litellm engine
Applying the litellm mount failed with 403 permission denied on PUT litellm/config: the deployer identity (tf_vault approle / woodpecker_terraform_vault k8s role) could enable the mount via sys/mounts/admin but had no policy covering the engine's own data paths. Add a litellm/admin policy granting create/read/update/delete on litellm/config and litellm/roles/*, assigned to the same auth roles as the other secret-engine admin policies.
This commit is contained in:
@@ -0,0 +1,26 @@
|
|||||||
|
# Allow management of the LiteLLM secrets engine (config and roles)
|
||||||
|
---
|
||||||
|
rules:
|
||||||
|
- path: "litellm/config"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- read
|
||||||
|
- delete
|
||||||
|
- path: "litellm/roles/*"
|
||||||
|
capabilities:
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- read
|
||||||
|
- list
|
||||||
|
- path: "litellm/roles"
|
||||||
|
capabilities:
|
||||||
|
- read
|
||||||
|
- list
|
||||||
|
|
||||||
|
auth:
|
||||||
|
approle:
|
||||||
|
- tf_vault
|
||||||
|
k8s/au/syd1:
|
||||||
|
- woodpecker_terraform_vault
|
||||||
Reference in New Issue
Block a user