Platform secret setup
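--- a/openbao/policies/platform-admin.hcl
+++ b/openbao/policies/platform-admin.hcl
@@ -0,0 +1,41 @@
+# Full platform-operator policy for the initial OpenBao bootstrap phase.
+#
+# Use only for trusted S3 platform operators. This is intentionally broad so
+# the root token can be retired after bootstrap. Prefer narrower workload
+# policies for application access.
+
+path "sys/*" {
+capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "auth/*" {
+capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "identity/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "platform/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "database/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "pki/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "ssh/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "cubbyhole/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/*" {
+capabilities = ["create", "read", "update", "delete", "list"]
+}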
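Review bot: The header comment justifies the breadth by saying the root token can be retired after bootstrap, but with `sudo` on both `sys/*` and `auth/*` a holder of this policy can mint new root tokens through `auth/token/create`, rewrite this or any other policy under `sys/policies/acl/`, and reconfigure audit devices, so it is root-equivalent rather than a narrower replacement for root. That is defensible for a bootstrap phase, but the file should say so, because "retire the root token" reads as a security gain that this policy does not actually deliver. Suggested addition to the header: `# NOTE: sudo on sys/* and auth/* makes this root-equivalent (it can mint root tokens and edit any policy); issue only short-lived tokens under it and enable an audit device before first use.` If the operators never need `sys/raw` during bootstrap, an explicit `path "sys/raw/*" { capabilities = ["deny"] }` stanza would also document that intent in code rather than in prose.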
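--- a/openbao/policies/platform-readonly.hcl
+++ b/openbao/policies/platform-readonly.hcl
@@ -0,0 +1,28 @@
+# Read-only platform inspection policy.
+#
+# Useful for status dashboards and audit/review sessions that need visibility
+# into mounts and platform metadata without secret material mutation.
+
+path "sys/health" {
+capabilities = ["read"]
+}
+
+path "sys/mounts" {
+capabilities = ["read", "list"]
+}
+
+path "sys/auth" {
+capabilities = ["read", "list"]
+}
+
+path "sys/policies/acl" {
+capabilities = ["read", "list"]
+}
+
+path "auth/token/lookup-self" {
+capabilities = ["read"]
+}
+
+path "platform/metadata/*" {
+capabilities = ["read", "list"]
+}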
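Review bot: The `platform/metadata/*` stanza is wider than the header's "platform metadata" wording suggests: if `platform/` is a KV v2 mount, which the `platform/data/...` and `platform/metadata/...` paths in workload-kv-read-template.hcl indicate, a metadata read returns every key name, the full version history and any `custom_metadata` for every secret in the mount, including the per-workload secrets. Either scope the stanza to the subtree dashboards actually inspect or document the exposure in the header, e.g. `# metadata read on a KV v2 mount exposes key names, version history and custom_metadata for the whole mount; keep sensitive values out of custom_metadata`. Separately, `auth/token/lookup-self` duplicates what the `default` policy already grants when that policy is attached to the token; harmless, but a one-line comment saying it is there for tokens issued without `default` would stop the next reader from wondering.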
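--- a/openbao/policies/workload-kv-read-template.hcl
+++ b/openbao/policies/workload-kv-read-template.hcl
@@ -0,0 +1,16 @@
+# Template for a namespace/service-account-specific workload KV policy.
+#
+# Copy this file for a real workload and replace:
+# <namespace> Kubernetes namespace, e.g. artifact-store
+# <service-account> Kubernetes service account, e.g. artifact-store
+#
+# The matching Kubernetes auth role should bind the same namespace and service
+# account and attach the copied policy.
+
+path "platform/data/workloads/<namespace>/<service-account>/*" {
+capabilities = ["read"]
+}
+
+path "platform/metadata/workloads/<namespace>/<service-account>/*" {
+capabilities = ["read", "list"]
+}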
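Review bot: Because `<namespace>` and `<service-account>` are ordinary path segments, this template is valid HCL as written, so a bootstrap step that applies every file under openbao/policies/ (not visible in this commit) would install a `workload-kv-read-template` policy granting read on the literal placeholder path; if the loader is directory-based, skip this file by name or keep templates outside the applied directory, and say which in the header. The copy-per-workload approach also leaves the role binding and the copied path free to drift apart; OpenBao's ACL templating can express this once using the alias metadata the Kubernetes auth method records, e.g. `path "platform/data/workloads/{{identity.entity.aliases.<kubernetes-auth-accessor>.metadata.service_account_namespace}}/{{identity.entity.aliases.<kubernetes-auth-accessor>.metadata.service_account_name}}/*"` with the same substitution in the metadata stanza, where `<kubernetes-auth-accessor>` is the accessor of the Kubernetes auth mount. If the per-file copies are kept deliberately, a comment explaining why templating was not used would help the next maintainer.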