From 77662a6f10dd501d90d4c14c6b7aba53eabf88c7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 7 Jul 2026 00:23:20 +1000 Subject: [PATCH] fix: grant vault deployer access to manage the litellm engine Applying the litellm mount failed with 403 permission denied on PUT litellm/config: the deployer identity (tf_vault approle / woodpecker_terraform_vault k8s role) could enable the mount via sys/mounts/admin but had no policy covering the engine's own data paths. Add a litellm/admin policy granting create/read/update/delete on litellm/config and litellm/roles/*, assigned to the same auth roles as the other secret-engine admin policies. --- policies/litellm/admin.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 policies/litellm/admin.yaml diff --git a/policies/litellm/admin.yaml b/policies/litellm/admin.yaml new file mode 100644 index 0000000..321df20 --- /dev/null +++ b/policies/litellm/admin.yaml @@ -0,0 +1,26 @@ +# Allow management of the LiteLLM secrets engine (config and roles) +--- +rules: + - path: "litellm/config" + capabilities: + - create + - update + - read + - delete + - path: "litellm/roles/*" + capabilities: + - create + - update + - delete + - read + - list + - path: "litellm/roles" + capabilities: + - read + - list + +auth: + approle: + - tf_vault + k8s/au/syd1: + - woodpecker_terraform_vault -- 2.47.3