# Template for a namespace/service-account-specific workload KV policy.
#
# Copy this file for a real workload and replace:
#   <namespace>       Kubernetes namespace, e.g. artifact-store
#   <service-account> Kubernetes service account, e.g. artifact-store
#
# The matching Kubernetes auth role should bind the same namespace and service
# account and attach the copied policy.

path "platform/data/workloads/<namespace>/<service-account>/*" {
  capabilities = ["read"]
}

path "platform/metadata/workloads/<namespace>/<service-account>/*" {
  capabilities = ["read", "list"]
}