a400e5dc7e
ci/woodpecker/push/apply Pipeline was successful
## Why Applying the newly-merged litellm mount (#83) failed at apply time with: ``` Error: failed to write litellm config URL: PUT https://vault.service.consul:8200/v1/litellm/config Code: 403. * permission denied ``` The deployer identity (`tf_vault` approle / `woodpecker_terraform_vault` k8s role) can enable the mount via `sys/mounts/admin`, but no policy grants it access to the engine's own data paths, so writing the config and roles is denied. ## Changes - Add `policies/litellm/admin.yaml` granting `create`/`read`/`update`/`delete` on `litellm/config` and `litellm/roles/*` (plus `read`/`list` on `litellm/roles`), assigned to the same auth roles as the other secret-engine admin policies (`tf_vault`, `woodpecker_terraform_vault`). ## Note The policy attaches to the deployer's auth roles, so it takes effect on the next token issuance — a re-run of the apply (fresh Vault login) will have the permission and can write `litellm/config` and the roles. Reviewed-on: #84 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
27 lines
450 B
YAML
27 lines
450 B
YAML
# Allow management of the LiteLLM secrets engine (config and roles)
|
|
---
|
|
rules:
|
|
- path: "litellm/config"
|
|
capabilities:
|
|
- create
|
|
- update
|
|
- read
|
|
- delete
|
|
- path: "litellm/roles/*"
|
|
capabilities:
|
|
- create
|
|
- update
|
|
- delete
|
|
- read
|
|
- list
|
|
- path: "litellm/roles"
|
|
capabilities:
|
|
- read
|
|
- list
|
|
|
|
auth:
|
|
approle:
|
|
- tf_vault
|
|
k8s/au/syd1:
|
|
- woodpecker_terraform_vault
|