Applying the litellm mount failed with 403 permission denied on
PUT litellm/config: the deployer identity (tf_vault approle /
woodpecker_terraform_vault k8s role) could enable the mount via
sys/mounts/admin but had no policy covering the engine's own data paths.
Add a litellm/admin policy granting create/read/update/delete on
litellm/config and litellm/roles/*, assigned to the same auth roles as the
other secret-engine admin policies.
The vault-plugin-secrets-litellm engine mints LiteLLM virtual keys and is
now registered in Vault, but nothing declared its mount/config or roles in
this repo. Wire in the companion litellm provider so the mount is managed
as code alongside the other secret backends.
- Add litellm_secret_backend module: mounts the engine and writes its
config (base_url, request_timeout_seconds); reads master_key from KV
- Add litellm_secret_backend_role module: manages roles (models,
max_budget, key_alias_prefix, ttl/max_ttl seconds, metadata)
- Register both modules in vault_cluster main.tf and variables.tf
- Discover litellm_secret_backend[_role] YAML in config.hcl and pass them
through terragrunt inputs
- Declare the litellm provider (litellmvaultsecret) and
a provider block in the generated root backend.tf
- Add example config for the litellm mount and a sample role