lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

ops/vault: move policies to token_policies

Browse source 
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle instead, which allows us to down-scope all of these.
This commit is contained in:
Luke Granger-Brown 2022-03-20 11:29:10 +00:00
parent 58a907b700
commit 08b68745f0
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
ops/vault/cfg/servers.nix
View file

@ -83,14 +83,14 @@ in {
secret_id_num_uses = 0;
token_ttl = minutes 20;
token_max_ttl = minutes 30;
token_policies =
["default" "server" "\${vault_policy.${serverCfg.resourceName}.name}"]
++ serverCfg.extraPolicies
++ (map (name: "\${vault_policy.app_${name}.name}") serverCfg.apps);
};
vault_identity_entity.${serverCfg.resourceName} = {
name = serverName;
policies =
["default" "server" "\${vault_policy.${serverCfg.resourceName}.name}"]
++ serverCfg.extraPolicies
++ (map (name: "\${vault_policy.app_${name}.name}") serverCfg.apps);
metadata.server = serverName;
};