policies: let terraform-authentik read oauth client secrets from kv #81
Reference in New Issue
Block a user
Delete Branch "benvin/authentik-oauth-kv"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
terraform-authentik now reads OAuth2 client secrets from Vault (
data.vault_kv_secret_v2) rather than committing them (terraform-authentik #2). But theterraform_authentikapprole /woodpecker_terraform_authentikk8s role only had the consul-creds policy, soplanfails with permission denied on the grafana oauth path.Change
Add
policies/kv/service/terraform/authentik.yamlgranting read onkv/data/kubernetes/namespace/+/default/oauth-credentialsfor both the approle and the woodpecker k8s role.