railiance-platform/openbao/policies/credential-broker-warden-sign-issuer.hcl

23 lines
No EOL
556 B
HCL

# Narrow issuer policy for the credential broker warden-sign pilot.
# This policy can create child tokens only through the warden-sign token role.
# Bind it to a broker/operator issuer identity, not to tenant workloads.
path "auth/token/create/warden-sign" {
capabilities = ["create", "update"]
}
path "auth/token/lookup-accessor" {
capabilities = ["update"]
}
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "sys/capabilities-self" {
capabilities = ["update"]
}