feat: manage terraform access to vault
- add approle for terraform, tf_vault - add policices to manage terraform access to vault - add policices for default access to vault from ldap users
This commit is contained in:
@@ -0,0 +1,3 @@
|
||||
path "auth/approle/role/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "auth/approle/login" {
|
||||
capabilities = ["create"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "auth/ldap/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
path "auth/token/create" {
|
||||
capabilities = ["create", "read", "update", "list"]
|
||||
}
|
||||
|
||||
path "auth/token/*" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
# Allow listing and reading tokens
|
||||
path "auth/token/lookup" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
# Allow renewing tokens
|
||||
path "auth/token/renew" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "auth/token/roles/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow tokens to query themselves
|
||||
path "auth/token/lookup-self" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow tokens to renew themselves
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow tokens to revoke themselves
|
||||
path "auth/token/revoke-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
path "pki_int/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
|
||||
path "pki_root/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
|
||||
path "ssh-host-signer/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
|
||||
path "sshca/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "kv/data/service/glauth/services/svc_vault" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "pki_int/roles/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "pki_root/roles/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "ssh-host-signer/roles/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
path "sshca/roles/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
# Allow reading audit logs related to secret engines
|
||||
path "sys/audit" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
|
||||
path "sys/auth/*" {
|
||||
capabilities = ["create", "update", "delete", "read", "list"]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow access to manage secret engines (mount, unmount, update)
|
||||
path "sys/mounts/*" {
|
||||
capabilities = ["create", "update", "delete", "read", "list"]
|
||||
}
|
||||
|
||||
# Allow tuning existing secret engines
|
||||
path "sys/mounts-tune/*" {
|
||||
capabilities = ["update", "read"]
|
||||
}
|
||||
|
||||
# Allow reaing and listing of enabled secret engines
|
||||
path "sys/mounts" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
# Allow management of policies (create, update, delete, list, and read)
|
||||
path "sys/policies/acl/*" {
|
||||
capabilities = ["create", "update", "delete", "read", "list"]
|
||||
}
|
||||
|
||||
# Allow listing of available policies
|
||||
path "sys/policies/acl" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
Reference in New Issue
Block a user