depot/ops/vault/cfg/policies/user.hcl

# Allow everyone to manage things under kv/users/<user>
path "kv/data/user/{{identity.entity.name}}/*" {
  capabilities = ["create", "update", "read", "delete"]
}

path "kv/metadata/user/{{identity.entity.name}}/*" {
  capabilities = ["list"]
}
path "kv/metadata/user" {
  capabilities = ["list"]
}

path "kv/metadata/+" {
  capabilities = ["list"]
}

# Users can manage things under kv/server/<name> too.
path "kv/data/server/*" {
  capabilities = ["create", "update", "read", "delete"]
}

path "kv/metadata/server/*" {
  capabilities = ["list"]
}

# Users can get SSH keys signed.
path "ssh-client/sign/user" {
  capabilities = ["update"]
}
ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00			`# Allow everyone to manage things under kv/users/<user>`
			`path "kv/data/user/{{identity.entity.name}}/*" {`
			`capabilities = ["create", "update", "read", "delete"]`
			`}`

			`path "kv/metadata/user/{{identity.entity.name}}/*" {`
			`capabilities = ["list"]`
			`}`
			`path "kv/metadata/user" {`
			`capabilities = ["list"]`
			`}`

			`path "kv/metadata/+" {`
			`capabilities = ["list"]`
			`}`

			`# Users can manage things under kv/server/<name> too.`
			`path "kv/data/server/*" {`
			`capabilities = ["create", "update", "read", "delete"]`
			`}`

			`path "kv/metadata/server/*" {`
			`capabilities = ["list"]`
			`}`

			`# Users can get SSH keys signed.`
			`path "ssh-client/sign/user" {`
			`capabilities = ["update"]`
			`}`