Grant vault deployer access to import + manage the gpg engine #88

Merged
benvin merged 1 commits from benvin/gpg-deployer-access into master 2026-07-17 23:09:31 +10:00
Owner

Why

Applying the gpg mount (#87) needs two grants the deployer (tf_vault approle / woodpecker_terraform_vault k8s role) doesn't have. terraform-vault registers the plugin itself (vault_pluginsys/plugins/catalog, a sudo-protected path) and manages keys via the gpgvaultsecret provider (gpg/keys/*). The deployer already has sys/mounts/* but neither of these, so apply would 403 on the plugin registration and on gpg/keys writes — the same failure mode as #84.

Changes

  • Add policies/gpg/admin.yaml granting:
    • create/read/update/delete/sudo on sys/plugins/catalog/secret/vault-plugin-secrets-gpg — to import (register/deregister) the plugin.
    • full management of gpg/keys/* (+ gpg/keys list) — to manage keys.
    • assigned to tf_vault (approle) + woodpecker_terraform_vault (k8s/au/syd1), mirroring policies/litellm/admin.yaml (#84).

Should merge/apply before #87 so the deployer can register the plugin and create the pass key.

## Why Applying the gpg mount (#87) needs two grants the deployer (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) doesn't have. terraform-vault **registers the plugin itself** (`vault_plugin` → `sys/plugins/catalog`, a sudo-protected path) and **manages keys** via the gpgvaultsecret provider (`gpg/keys/*`). The deployer already has `sys/mounts/*` but neither of these, so apply would 403 on the plugin registration and on `gpg/keys` writes — the same failure mode as #84. ## Changes - Add `policies/gpg/admin.yaml` granting: - `create/read/update/delete/sudo` on `sys/plugins/catalog/secret/vault-plugin-secrets-gpg` — to **import** (register/deregister) the plugin. - full management of `gpg/keys/*` (+ `gpg/keys` list) — to **manage keys**. - assigned to `tf_vault` (approle) + `woodpecker_terraform_vault` (k8s/au/syd1), mirroring `policies/litellm/admin.yaml` (#84). Should merge/apply **before** #87 so the deployer can register the plugin and create the `pass` key.
unkinben added 1 commit 2026-07-17 22:52:36 +10:00
fix: grant vault deployer access to import + manage the gpg engine
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
74063d4d8a
Applying the gpg mount (#87) needs two grants the deployer lacks: it registers
the plugin itself (vault_plugin -> sys/plugins/catalog, sudo-protected) and
manages keys via the gpgvaultsecret provider (gpg/keys/*). The deployer already
has sys/mounts/* but neither of these, so apply would 403 on the plugin
registration and on gpg/keys writes.

- Add policies/gpg/admin.yaml granting create/read/update/delete/sudo on
  sys/plugins/catalog/secret/vault-plugin-secrets-gpg and full management of
  gpg/keys/*, assigned to tf_vault (approle) + woodpecker_terraform_vault
  (k8s/au/syd1), mirroring policies/litellm/admin.yaml (#84).
benvin merged commit ce1185deba into master 2026-07-17 23:09:31 +10:00
benvin deleted branch benvin/gpg-deployer-access 2026-07-17 23:09:31 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/terraform-vault#88