# Production metadata applier for reviewed credential changes. # # This policy intentionally permits only non-secret OpenBao metadata writes for # approved CCRs. Secret value paths under platform/data are not granted here. # The local credential-change applier-dry-run command must validate the CCR # before this policy is used for any live mutation. # Workload KV read-lane policies generated from approved CCRs. path "sys/policies/acl/workload-kv-read-*" { capabilities = ["create", "update", "read"] } # Credential broker issuer policies generated from approved grant metadata. path "sys/policies/acl/credential-broker-*-issuer" { capabilities = ["create", "update", "read"] } # OIDC roles for caller-scoped workload KV lanes. path "auth/netkingdom/role/*-workload-kv-read" { capabilities = ["create", "update", "read"] } # Kubernetes roles for in-cluster workload and provider-secret lanes. The local # applier dry-run constrains role names and bound service accounts per CCR. path "auth/kubernetes/role/*" { capabilities = ["create", "update", "read"] } # Token roles for approved credential-broker child-token issuers. path "auth/token/roles/credential-broker-*" { capabilities = ["create", "update", "read"] } # Self-checks and capability introspection only. path "auth/token/lookup-self" { capabilities = ["read"] } path "sys/capabilities-self" { capabilities = ["update"] }