18 lines
414 B
HCL
18 lines
414 B
HCL
|
|
# Narrow policy for ops-warden SSH signing (Vault/OpenBao SSH secrets engine).
|
||
|
|
# Bind to dedicated tokens or Kubernetes auth roles — not platform-admin.
|
||
|
|
|
||
|
|
path "ssh/sign/adm-role" {
|
||
|
|
capabilities = ["create", "update"]
|
||
|
|
}
|
||
|
|
|
||
|
|
path "ssh/sign/agt-role" {
|
||
|
|
capabilities = ["create", "update"]
|
||
|
|
}
|
||
|
|
|
||
|
|
path "ssh/sign/atm-role" {
|
||
|
|
capabilities = ["create", "update"]
|
||
|
|
}
|
||
|
|
|
||
|
|
path "ssh/roles" {
|
||
|
|
capabilities = ["list", "read"]
|
||
|
|
}
|