railiance-platform/openbao/policies/warden-sign.hcl
tegwick c24956fb5a feat(openbao): add SSH engine automation for ops-warden signing
Declarative roles, warden-sign policy, apply/verify scripts, and Makefile
targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow
in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
2026-06-18 01:06:43 +02:00

18 lines
No EOL
414 B
HCL

# Narrow policy for ops-warden SSH signing (Vault/OpenBao SSH secrets engine).
# Bind to dedicated tokens or Kubernetes auth roles — not platform-admin.
path "ssh/sign/adm-role" {
capabilities = ["create", "update"]
}
path "ssh/sign/agt-role" {
capabilities = ["create", "update"]
}
path "ssh/sign/atm-role" {
capabilities = ["create", "update"]
}
path "ssh/roles" {
capabilities = ["list", "read"]
}