# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys. # # terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog, # a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the # deployer needs catalog access on top of the mount access it already has # (sys/mounts/*). Without this, apply 403s on the plugin registration and on # gpg/keys writes. --- rules: # Import / register (and deregister) the gpg plugin in the catalog. - path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg" capabilities: - create - read - update - delete - sudo # Manage keys (create/rotate/config/delete) in the gpg mount. - path: "gpg/keys/*" capabilities: - create - read - update - delete - list - path: "gpg/keys" capabilities: - read - list auth: approle: - tf_vault k8s/au/syd1: - woodpecker_terraform_vault