fix: grant vault deployer access to manage the litellm engine #84
Reference in New Issue
Block a user
Delete Branch "benvin/litellm-deployer-policy"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
Applying the newly-merged litellm mount (#83) failed at apply time with:
The deployer identity (
tf_vaultapprole /woodpecker_terraform_vaultk8s role) can enable the mount viasys/mounts/admin, but no policy grants it access to the engine's own data paths, so writing the config and roles is denied.Changes
policies/litellm/admin.yamlgrantingcreate/read/update/deleteonlitellm/configandlitellm/roles/*(plusread/listonlitellm/roles), assigned to the same auth roles as the other secret-engine admin policies (tf_vault,woodpecker_terraform_vault).Note
The policy attaches to the deployer's auth roles, so it takes effect on the next token issuance — a re-run of the apply (fresh Vault login) will have the permission and can write
litellm/configand the roles.