fix: grant vault deployer access to manage the litellm engine
Applying the litellm mount failed with 403 permission denied on PUT litellm/config: the deployer identity (tf_vault approle / woodpecker_terraform_vault k8s role) could enable the mount via sys/mounts/admin but had no policy covering the engine's own data paths. Add a litellm/admin policy granting create/read/update/delete on litellm/config and litellm/roles/*, assigned to the same auth roles as the other secret-engine admin policies.
This commit is contained in:
@@ -0,0 +1,26 @@
|
||||
# Allow management of the LiteLLM secrets engine (config and roles)
|
||||
---
|
||||
rules:
|
||||
- path: "litellm/config"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- path: "litellm/roles/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- read
|
||||
- list
|
||||
- path: "litellm/roles"
|
||||
capabilities:
|
||||
- read
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
k8s/au/syd1:
|
||||
- woodpecker_terraform_vault
|
||||
Reference in New Issue
Block a user