feat: manage terraform access to vault

- add approle for terraform, tf_vault
- add policices to manage terraform access to vault
- add policices for default access to vault from ldap users
This commit is contained in:
2024-09-26 22:59:40 +10:00
parent 582f38c68f
commit f78416361b
21 changed files with 152 additions and 16 deletions
@@ -0,0 +1,3 @@
path "auth/approle/role/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
@@ -0,0 +1,3 @@
path "auth/approle/login" {
capabilities = ["create"]
}
+3
View File
@@ -0,0 +1,3 @@
path "auth/ldap/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
@@ -0,0 +1,7 @@
path "auth/token/create" {
capabilities = ["create", "read", "update", "list"]
}
path "auth/token/*" {
capabilities = ["create", "update"]
}
@@ -0,0 +1,4 @@
# Allow listing and reading tokens
path "auth/token/lookup" {
capabilities = ["read", "list"]
}
+4
View File
@@ -0,0 +1,4 @@
# Allow renewing tokens
path "auth/token/renew" {
capabilities = ["update"]
}
@@ -0,0 +1,3 @@
path "auth/token/roles/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
+14
View File
@@ -0,0 +1,14 @@
# Allow tokens to query themselves
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow tokens to renew themselves
path "auth/token/renew-self" {
capabilities = ["update"]
}
# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
capabilities = ["update"]
}
+15
View File
@@ -0,0 +1,15 @@
path "pki_int/*" {
capabilities = ["list", "read"]
}
path "pki_root/*" {
capabilities = ["list", "read"]
}
path "ssh-host-signer/*" {
capabilities = ["list", "read"]
}
path "sshca/*" {
capabilities = ["list", "read"]
}
@@ -0,0 +1,3 @@
path "kv/data/service/glauth/services/svc_vault" {
capabilities = ["list", "read"]
}
+3
View File
@@ -0,0 +1,3 @@
path "pki_int/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
@@ -0,0 +1,3 @@
path "pki_root/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
@@ -0,0 +1,3 @@
path "ssh-host-signer/roles/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
+3
View File
@@ -0,0 +1,3 @@
path "sshca/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
+4
View File
@@ -0,0 +1,4 @@
# Allow reading audit logs related to secret engines
path "sys/audit" {
capabilities = ["read", "list"]
}
+4
View File
@@ -0,0 +1,4 @@
# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
path "sys/auth/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
+14
View File
@@ -0,0 +1,14 @@
# Allow access to manage secret engines (mount, unmount, update)
path "sys/mounts/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
# Allow tuning existing secret engines
path "sys/mounts-tune/*" {
capabilities = ["update", "read"]
}
# Allow reaing and listing of enabled secret engines
path "sys/mounts" {
capabilities = ["read", "list"]
}
+9
View File
@@ -0,0 +1,9 @@
# Allow management of policies (create, update, delete, list, and read)
path "sys/policies/acl/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
# Allow listing of available policies
path "sys/policies/acl" {
capabilities = ["read", "list"]
}