Declarative roles, warden-sign policy, apply/verify scripts, and Makefile targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
18 lines
No EOL
414 B
HCL
18 lines
No EOL
414 B
HCL
# Narrow policy for ops-warden SSH signing (Vault/OpenBao SSH secrets engine).
|
|
# Bind to dedicated tokens or Kubernetes auth roles — not platform-admin.
|
|
|
|
path "ssh/sign/adm-role" {
|
|
capabilities = ["create", "update"]
|
|
}
|
|
|
|
path "ssh/sign/agt-role" {
|
|
capabilities = ["create", "update"]
|
|
}
|
|
|
|
path "ssh/sign/atm-role" {
|
|
capabilities = ["create", "update"]
|
|
}
|
|
|
|
path "ssh/roles" {
|
|
capabilities = ["list", "read"]
|
|
} |