fix: grant vault deployer access to manage the litellm engine #84

Merged
benvin merged 1 commits from benvin/litellm-deployer-policy into master 2026-07-07 20:10:43 +10:00
Owner

Why

Applying the newly-merged litellm mount (#83) failed at apply time with:

Error: failed to write litellm config
URL: PUT https://vault.service.consul:8200/v1/litellm/config
Code: 403. * permission denied

The deployer identity (tf_vault approle / woodpecker_terraform_vault k8s role) can enable the mount via sys/mounts/admin, but no policy grants it access to the engine's own data paths, so writing the config and roles is denied.

Changes

  • Add policies/litellm/admin.yaml granting create/read/update/delete on litellm/config and litellm/roles/* (plus read/list on litellm/roles), assigned to the same auth roles as the other secret-engine admin policies (tf_vault, woodpecker_terraform_vault).

Note

The policy attaches to the deployer's auth roles, so it takes effect on the next token issuance — a re-run of the apply (fresh Vault login) will have the permission and can write litellm/config and the roles.

## Why Applying the newly-merged litellm mount (#83) failed at apply time with: ``` Error: failed to write litellm config URL: PUT https://vault.service.consul:8200/v1/litellm/config Code: 403. * permission denied ``` The deployer identity (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) can enable the mount via `sys/mounts/admin`, but no policy grants it access to the engine's own data paths, so writing the config and roles is denied. ## Changes - Add `policies/litellm/admin.yaml` granting `create`/`read`/`update`/`delete` on `litellm/config` and `litellm/roles/*` (plus `read`/`list` on `litellm/roles`), assigned to the same auth roles as the other secret-engine admin policies (`tf_vault`, `woodpecker_terraform_vault`). ## Note The policy attaches to the deployer's auth roles, so it takes effect on the next token issuance — a re-run of the apply (fresh Vault login) will have the permission and can write `litellm/config` and the roles.
unkinben added 1 commit 2026-07-07 00:25:27 +10:00
fix: grant vault deployer access to manage the litellm engine
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
77662a6f10
Applying the litellm mount failed with 403 permission denied on
PUT litellm/config: the deployer identity (tf_vault approle /
woodpecker_terraform_vault k8s role) could enable the mount via
sys/mounts/admin but had no policy covering the engine's own data paths.

Add a litellm/admin policy granting create/read/update/delete on
litellm/config and litellm/roles/*, assigned to the same auth roles as the
other secret-engine admin policies.
benvin merged commit a400e5dc7e into master 2026-07-07 20:10:43 +10:00
benvin deleted branch benvin/litellm-deployer-policy 2026-07-07 20:10:44 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/terraform-vault#84