Add vault policy for nomad
This commit is contained in:
parent
1559206ae4
commit
ab729b2c46
2 changed files with 38 additions and 0 deletions
30
vault/policies/nomad-server-policy.hcl
Normal file
30
vault/policies/nomad-server-policy.hcl
Normal file
|
@ -0,0 +1,30 @@
|
|||
# Allow creating tokens under "nomad-cluster" role.
|
||||
path "auth/token/create/nomad-cluster" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow looking up "nomad-cluster" role.
|
||||
path "auth/token/roles/nomad-cluster" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up incoming tokens to validate they have permissions to access
|
||||
# the tokens they are requesting.
|
||||
path "auth/token/lookup" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow revoking tokens that should no longer exist.
|
||||
path "auth/token/revoke-accessor" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow checking the capabilities of our own token.
|
||||
path "sys/capabilities-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow our own token to be renewed.
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
8
vault/roles/nomad-cluster-role.json
Normal file
8
vault/roles/nomad-cluster-role.json
Normal file
|
@ -0,0 +1,8 @@
|
|||
{
|
||||
"disallowed_policies": "nomad-server,root",
|
||||
"token_explicit_max_ttl": 0,
|
||||
"name": "nomad-cluster",
|
||||
"orphan": true,
|
||||
"token_period": 259200,
|
||||
"renewable": true
|
||||
}
|
Loading…
Reference in a new issue