From 8731a6a37f3eb798504c2f9d810d07c07b17ccc1 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 15 Jan 2023 19:23:53 +0000
Subject: [PATCH] ops/vault: allow servers to read their own wireguard keys

---
 ops/vault/cfg/policies/server.hcl | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ops/vault/cfg/policies/server.hcl b/ops/vault/cfg/policies/server.hcl
index dfaca4b6e2..d10913954a 100644
--- a/ops/vault/cfg/policies/server.hcl
+++ b/ops/vault/cfg/policies/server.hcl
@@ -10,6 +10,14 @@ path "kv/metadata/server" {
   capabilities = ["list"]
 }
 
+# Can read secrets for their own Wireguard keys.
+path "kv/data/apps/wireguard/{{identity.entity.name}}" {
+  capabilities = ["read"]
+}
+path "kv/metadata/apps/wireguard/{{identity.entity.name}}" {
+  capabilities = ["read"]
+}
+
 path "kv/metadata/+" {
   capabilities = ["list"]
 }
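Review bot: The new rules bind a server's access to `kv/data/apps/wireguard/{{identity.entity.name}}` on the entity *name*, which is mutable through the identity API and must exactly match the key each server's Wireguard secret is stored under; the policy does not record that convention, so a mismatch silently yields permission denied and a rename silently moves access. Suggest extending the comment: `# Secret must live at kv/apps/wireguard/<entity name>; entity names are operator-controlled — renaming an entity moves its access.` If a stable binding is preferred, `{{identity.entity.id}}` is immutable, at the cost of readability in the KV tree. The `kv/metadata/...` read also exposes version history and custom metadata; if servers only fetch the current key via `kv/data`, that second rule can be dropped to keep the grant minimal.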