Add vault policy for nomad

2020-10-13 22:56:21 -04:00 · 2020-10-13 22:56:21 -04:00 · ab729b2c46
commit ab729b2c46
parent 1559206ae4
2 changed files with 38 additions and 0 deletions
--- a/vault/policies/nomad-server-policy.hcl
+++ b/vault/policies/nomad-server-policy.hcl
@ -0,0 +1,30 @@
+# Allow creating tokens under "nomad-cluster" role.
+path "auth/token/create/nomad-cluster" {
+  capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" role.
+path "auth/token/roles/nomad-cluster" {
+  capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting.
+path "auth/token/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist.
+path "auth/token/revoke-accessor" {
+  capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token.
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
--- a/vault/roles/nomad-cluster-role.json
+++ b/vault/roles/nomad-cluster-role.json
@ -0,0 +1,8 @@
+{
+  "disallowed_policies": "nomad-server,root",
+  "token_explicit_max_ttl": 0,
+  "name": "nomad-cluster",
+  "orphan": true,
+  "token_period": 259200,
+  "renewable": true
+}