# Narrow issuer policy for the credential broker warden-sign pilot. # This policy can create child tokens only through the warden-sign token role. # Bind it to a broker/operator issuer identity, not to tenant workloads. path "auth/token/create/warden-sign" { capabilities = ["create", "update"] } path "auth/token/lookup-accessor" { capabilities = ["update"] } path "auth/token/revoke-accessor" { capabilities = ["update"] } path "auth/token/lookup-self" { capabilities = ["read"] } path "sys/capabilities-self" { capabilities = ["update"] }