feat: add credential broker token helper

2026-06-27 00:06:03 +02:00
parent 6e663dfd20
commit 752cfd6f00
9 changed files with 1292 additions and 10 deletions
--- a/openbao/policies/credential-broker-warden-sign-issuer.hcl
+++ b/openbao/policies/credential-broker-warden-sign-issuer.hcl
@@ -0,0 +1,23 @@
+# Narrow issuer policy for the credential broker warden-sign pilot.
+# This policy can create child tokens only through the warden-sign token role.
+# Bind it to a broker/operator issuer identity, not to tenant workloads.
+
+path "auth/token/create/warden-sign" {
+  capabilities = ["create", "update"]
+}
+
+path "auth/token/lookup-accessor" {
+  capabilities = ["update"]
+}
+
+path "auth/token/revoke-accessor" {
+  capabilities = ["update"]
+}
+
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}