Page MenuHomeDevCentral

D3031.id7737.diff
No OneTemporary

D3031.id7737.diff

diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -49,6 +49,7 @@
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies:
+ - admin
- salt-primary
- sentry
- viperserv
diff --git a/roles/vault/policies/files/admin.hcl b/roles/vault/policies/files/admin.hcl
new file mode 100644
--- /dev/null
+++ b/roles/vault/policies/files/admin.hcl
@@ -0,0 +1,96 @@
+# -------------------------------------------------------------
+# Vault configuration - Policy for Nasqueron Ops SIG beings
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/vault/vault/files/admin.hcl
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+
+# -------------------------------------------------------------
+# Health check
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "sys/health" {
+ capabilities = ["read", "sudo"]
+}
+
+
+# -------------------------------------------------------------
+# Policies management
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "sys/policies/acl" {
+ capabilities = ["list"]
+}
+
+path "sys/policies/acl/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# -------------------------------------------------------------
+# Authentication management
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "auth/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "sys/auth/*" {
+ capabilities = ["create", "update", "delete", "sudo"]
+}
+
+path "sys/auth" {
+ capabilities = ["read"]
+}
+
+# -------------------------------------------------------------
+# Secrets management
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "sys/mounts" {
+ capabilities = ["read"]
+}
+
+path "sys/mounts/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "apps/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "ops/*" {
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# -------------------------------------------------------------
+# PKI
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "pki_root/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "pki_vault/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# -------------------------------------------------------------
+# Transit
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+path "transit/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "transit/keys/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}

File Metadata

Mime Type
text/plain
Expires
Wed, Nov 27, 22:20 (21 h, 33 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2267828
Default Alt Text
D3031.id7737.diff (3 KB)

Event Timeline