# Production metadata applier for reviewed credential changes (CCRs).
#
# Scope of this policy: OpenBao *metadata* only — ACL policy documents, auth
# roles and token roles derived from an approved CCR. No capability is granted
# on secret value paths (platform/data is deliberately absent); access there is
# denied by OpenBao's default-deny rule, not by an explicit deny stanza.
#
# Review notes for operators:
#   - Every glob below bounds the *name* of the object written, not its
#     contents. A policy document written under sys/policies/acl can grant any
#     path, and an auth/token role carries the policy names its tokens receive,
#     so together these stanzas amount to policy-assignment authority. The
#     local credential-change applier-dry-run is what constrains the contents
#     and must validate the CCR before this policy is used for a live mutation.
#   - Every stanza grants "create" and "update": the applier can overwrite an
#     existing object that matches the glob, not only add new ones.

# ---------------------------------------------------------------------------
# Introspection — lets the applier verify its own token and capabilities.
# ---------------------------------------------------------------------------

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# sys/capabilities-self is queried with a POST, hence "update" rather than "read".
path "sys/capabilities-self" {
  capabilities = ["update"]
}

# ---------------------------------------------------------------------------
# ACL policy documents generated from approved CCRs.
# ---------------------------------------------------------------------------

# Read lane policies for workload KV consumers.
path "sys/policies/acl/workload-kv-read-*" {
  capabilities = ["read", "create", "update"]
}

# Issuer policies for credential brokers, one per broker, named from the
# approved grant metadata.
path "sys/policies/acl/credential-broker-*-issuer" {
  capabilities = ["read", "create", "update"]
}

# ---------------------------------------------------------------------------
# Auth-method roles bound to the lanes above.
# ---------------------------------------------------------------------------

# OIDC roles scoped to a caller's workload KV read lane.
path "auth/netkingdom/role/*-workload-kv-read" {
  capabilities = ["read", "create", "update"]
}

# Kubernetes auth roles for in-cluster workload and provider-secret lanes.
# NOTE(review): this is the only stanza with an unbounded glob — it covers
# every Kubernetes role on the mount, not a named family like the siblings.
# Role names and bound service accounts are constrained per CCR by the
# applier dry-run, so that check is the effective boundary here.
path "auth/kubernetes/role/*" {
  capabilities = ["read", "create", "update"]
}

# Token roles for approved credential-broker child-token issuers.
path "auth/token/roles/credential-broker-*" {
  capabilities = ["read", "create", "update"]
}