lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

ops/vault: allow servers to read their own wireguard keys

Browse source
This commit is contained in:
Luke Granger-Brown 2023-01-15 19:23:53 +00:00
parent f053953bb6
commit 8731a6a37f
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
ops/vault/cfg/policies/server.hcl
View file

@ -10,6 +10,14 @@ path "kv/metadata/server" {
capabilities = ["list"] capabilities = ["list"]
} }
# Can read secrets for their own Wireguard keys.
path "kv/data/apps/wireguard/{{identity.entity.name}}" {
capabilities = ["read"]
}
path "kv/metadata/apps/wireguard/{{identity.entity.name}}" {
capabilities = ["read"]
}
path "kv/metadata/+" { path "kv/metadata/+" {
capabilities = ["list"] capabilities = ["list"]
} }