railiance-platform/openbao/policies/platform-admin.hcl
tegwick 7d7260ffa3
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 2s
openbao: grant platform-admin access to tenants/ mount
WARDEN-WP-0028 added mount tenants/ for client secrets; platform-admin
only covered platform/* and secret/*, so UI operators could not see
binky paths. Add tenants/* CRUD+list.
2026-07-17 00:31:09 +02:00

47 lines
1.2 KiB
HCL

# Full platform-operator policy for the initial OpenBao bootstrap phase.
#
# Use only for trusted S3 platform operators. This is intentionally broad so
# the root token can be retired after bootstrap. Prefer narrower workload
# policies for application access.
path "sys/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "platform/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "database/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "pki/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "ssh/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Client/tenant commercial secrets (WARDEN-WP-0028). Separate mount from
# platform/workloads so tenant lanes are not mixed with fleet service secrets.
path "tenants/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}