diff --git a/policies/rancher/admin.yaml b/policies/rancher/admin.yaml new file mode 100644 index 0000000..3b2c01a --- /dev/null +++ b/policies/rancher/admin.yaml @@ -0,0 +1,55 @@ +# Allow the vault deployer to import the rancher plugin and manage its engine +# (config, seeded service accounts, and roles). +# +# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog, +# a sudo-protected path) and manages the engine via the ranchervaultsecret +# provider, so the deployer needs catalog access on top of the mount access it +# already has (sys/mounts/*). Without this, apply 403s on the plugin +# registration and on rancher/{config,service-accounts,roles} writes. +--- +rules: + # Import / register (and deregister) the rancher plugin in the catalog. + - path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher" + capabilities: + - create + - read + - update + - delete + - sudo + # Engine connection config. + - path: "rancher/config" + capabilities: + - create + - read + - update + - delete + # Seeded, auto-rotated service-account tokens (+ manual rotate). + - path: "rancher/service-accounts/*" + capabilities: + - create + - read + - update + - delete + - list + - path: "rancher/service-accounts" + capabilities: + - read + - list + # Token-minting roles. + - path: "rancher/roles/*" + capabilities: + - create + - read + - update + - delete + - list + - path: "rancher/roles" + capabilities: + - read + - list + +auth: + approle: + - tf_vault + k8s/au/syd1: + - woodpecker_terraform_vault