policies: let terraform-authentik read its provider API token #82
@@ -1,9 +1,12 @@
|
||||
# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that
|
||||
# back authentik providers. Secrets live under each target service's kv
|
||||
# namespace path (kv/kubernetes/namespace/<ns>/default/oauth-credentials) and
|
||||
# are read by the module's data.vault_kv_secret_v2 lookups.
|
||||
# Allow the Terraform Authentik runner to read:
|
||||
# - its own Authentik API token (provider auth), and
|
||||
# - OAuth2/OIDC client secrets that back authentik providers (per target
|
||||
# service's kv namespace path, via the module's data.vault_kv_secret_v2).
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/terraform/authentik"
|
||||
capabilities:
|
||||
- read
|
||||
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
Reference in New Issue
Block a user