74063d4d8a
Applying the gpg mount (#87) needs two grants the deployer lacks: it registers the plugin itself (vault_plugin -> sys/plugins/catalog, sudo-protected) and manages keys via the gpgvaultsecret provider (gpg/keys/*). The deployer already has sys/mounts/* but neither of these, so apply would 403 on the plugin registration and on gpg/keys writes. - Add policies/gpg/admin.yaml granting create/read/update/delete/sudo on sys/plugins/catalog/secret/vault-plugin-secrets-gpg and full management of gpg/keys/*, assigned to tf_vault (approle) + woodpecker_terraform_vault (k8s/au/syd1), mirroring policies/litellm/admin.yaml (#84).
36 lines
975 B
YAML
36 lines
975 B
YAML
# Allow the vault deployer to import the gpg plugin and manage its OpenPGP keys.
|
|
#
|
|
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
|
|
# a sudo-protected path) and manages keys via the gpgvaultsecret provider, so the
|
|
# deployer needs catalog access on top of the mount access it already has
|
|
# (sys/mounts/*). Without this, apply 403s on the plugin registration and on
|
|
# gpg/keys writes.
|
|
---
|
|
rules:
|
|
# Import / register (and deregister) the gpg plugin in the catalog.
|
|
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-gpg"
|
|
capabilities:
|
|
- create
|
|
- read
|
|
- update
|
|
- delete
|
|
- sudo
|
|
# Manage keys (create/rotate/config/delete) in the gpg mount.
|
|
- path: "gpg/keys/*"
|
|
capabilities:
|
|
- create
|
|
- read
|
|
- update
|
|
- delete
|
|
- list
|
|
- path: "gpg/keys"
|
|
capabilities:
|
|
- read
|
|
- list
|
|
|
|
auth:
|
|
approle:
|
|
- tf_vault
|
|
k8s/au/syd1:
|
|
- woodpecker_terraform_vault
|