Platform secret setup

2026-05-23 13:59:58 +02:00
parent f0061d5020
commit a7ffeb8b46
8 changed files with 493 additions and 4 deletions


@@ -0,0 +1,41 @@
# Full platform-operator policy for the initial OpenBao bootstrap phase.
#
# Use only for trusted S3 platform operators. This is intentionally broad so
# the root token can be retired after bootstrap. Prefer narrower workload
# policies for application access.
path "sys/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "platform/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "database/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "pki/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "ssh/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
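Review bot: The `sys/*` and `auth/*` stanzas with `sudo` make this policy root-equivalent, so retiring the root token after bootstrap does not reduce blast radius: a holder can rewrite any ACL including this one under `sys/policies/acl/*`, disable or alter audit devices under `sys/audit`, and mint tokens with arbitrary policies — the header comment should say so explicitly, e.g. `# Root-equivalent: sudo on sys/* and auth/* allows rewriting any policy (including this one), disabling audit devices, and issuing tokens with any policy; bind only to a short-TTL, MFA-protected auth role.` The one endpoint that is never needed after bootstrap and bypasses every other control is the raw storage endpoint, so carve it out with a more-specific rule, `path "sys/raw/*" { capabilities = ["deny"] }`, which wins over the `sys/*` glob (it is only reachable if `raw_storage_endpoint` is enabled, but the deny is cheap insurance). The `cubbyhole/*` stanza is redundant since cubbyhole storage is always scoped to and accessible by the owning token regardless of policy; dropping it, or commenting why it is listed, avoids implying it grants cross-token access.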