Files
terraform-vault/policies/rancher/admin.yaml
T
unkinben 7da23d47fe
ci/woodpecker/push/apply Pipeline was successful
Grant vault deployer access to import + manage the rancher engine (#91)
## Why

Wiring the new Rancher token secrets engine into Vault. The deployer registers the plugin (sudo-protected `sys/plugins/catalog`) and configures the engine via the ranchervaultsecret provider, so it needs catalog + engine-path access. Mirrors #88 (gpg).

## Changes

- Add `policies/rancher/admin.yaml` granting the `tf_vault` approle and `woodpecker_terraform_vault` k8s role: catalog sudo on `vault-plugin-secrets-rancher`, and manage on `rancher/{config,service-accounts,roles}`.

## Merge order

Part 1 of 4. Merge before the plugin-import and backend PRs so apply doesn't 403. (Puppet install + this policy first, then import, then backend.)

---------

Co-authored-by: Ben Vincent <neotheo@gmail.com>
Reviewed-on: #91
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-18 14:34:54 +10:00

46 lines
1.1 KiB
YAML

# Allow the vault deployer to manage the rancher secrets engine: its connection
# config, seeded (auto-rotated) service-account tokens, and token-minting roles.
#
# Scoped to rancher/* only. The plugin-catalog grant needed to import the plugin
# lives under policies/sys/plugins/catalog/ so a code owner of this policy path
# cannot grant themselves access outside the rancher mount.
---
rules:
# Engine connection config.
- path: "rancher/config"
capabilities:
- create
- read
- update
- delete
# Seeded, auto-rotated service-account tokens (+ manual rotate).
- path: "rancher/service-accounts/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "rancher/service-accounts"
capabilities:
- read
- list
# Token-minting roles.
- path: "rancher/roles/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "rancher/roles"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault