Luke Granger-Brown
7592e76a31
tokend is responsible for issuing service-scoped tokens based on the token held and generated by the Vault Agent. It can also generate "server-user" scoped tokens, which exist for convenience's sake: they are not a strong attestation of the user on the machine, and have limited privileges compared to a Vault token issued using e.g. `vault login -method=oidc`.
10 lines
424 B
HCL
```hcl
# This policy is granted to user accounts on servers - that is, "root", and anything in the users group.
# It allows for scoping things which shouldn't be in the Nix configuration, but are generally available to users on these machines.

# "Unauthenticated" users on servers can get nix-daemon kv.
path "kv/data/apps/nix-daemon" {
  capabilities = ["read"]
}

path "kv/metadata/apps/nix-daemon" {
  capabilities = ["read"]
}
```
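Because the commit message stresses that server-user tokens are not a strong attestation of the user, the policy above should stay read-only and narrowly scoped. The following least-privilege check is an added example, not code from this repository: it parses the simple `path { capabilities = [...] }` shape used in this file (not general HCL) and flags anything beyond read/list, outside the `kv/.../apps/` prefixes, or widened by a wildcard; the allowed sets are assumptions chosen to match this policy.

```python
import re

# The policy from this commit, embedded so the check runs offline.
SERVER_USER_POLICY = '''
# This policy is granted to user accounts on servers.
# "Unauthenticated" users on servers can get nix-daemon kv.
path "kv/data/apps/nix-daemon" {
  capabilities = ["read"]
}

path "kv/metadata/apps/nix-daemon" {
  capabilities = ["read"]
}
'''

# Assumed expectations for a low-trust server-user token.
ALLOWED_CAPABILITIES = {"read", "list"}
ALLOWED_PREFIXES = ("kv/data/apps/", "kv/metadata/apps/")

_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{(.*?)\}', re.S)
_CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(text):
    """Return {path: set(capabilities)} for each path block.
    Comment lines are dropped first so their text cannot be mistaken for a rule."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    rules = {}
    for path, body in _BLOCK.findall(text):
        m = _CAPS.search(body)
        rules[path] = set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()
    return rules


def policy_violations(text):
    """List human-readable deviations from the least-privilege expectations above."""
    problems = []
    for path, caps in parse_policy(text).items():
        extra = caps - ALLOWED_CAPABILITIES
        if extra:
            problems.append(f"{path}: disallowed capabilities {sorted(extra)}")
        if not path.startswith(ALLOWED_PREFIXES):
            problems.append(f"{path}: outside allowed prefixes")
        # Vault globs: trailing "*" and a "+" path segment both widen the rule.
        if path.endswith("*") or "+" in path.split("/"):
            problems.append(f"{path}: wildcard widens scope")
    return problems


if __name__ == "__main__":
    print(policy_violations(SERVER_USER_POLICY) or "policy is within expectations")
```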