Add vault policy for nomad
This commit is contained in:
parent
1559206ae4
commit
ab729b2c46
2 changed files with 38 additions and 0 deletions
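--- a/vault/policies/nomad-server-policy.hcl
+++ b/vault/policies/nomad-server-policy.hcl
@@ -0,0 +1,30 @@
+# Allow creating tokens under "nomad-cluster" role.
+path "auth/token/create/nomad-cluster" {
+capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" role.
+path "auth/token/roles/nomad-cluster" {
+capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting.
+path "auth/token/lookup" {
+capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist.
+path "auth/token/revoke-accessor" {
+capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token.
+path "sys/capabilities-self" {
+capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+capabilities = ["update"]
+}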
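Review bot: The `auth/token/lookup` and `auth/token/revoke-accessor` stanzas grant update on paths that, as far as Vault's token-auth semantics go, are not scoped to tokens issued through the `nomad-cluster` role — a holder of this policy can look up any token ID it is handed and revoke any accessor — and the comments do not say so. I would extend the two header comments, e.g. `# Not scoped to tokens created by this role: any token ID presented can be looked up.` above `auth/token/lookup` and `# Not scoped to this role's tokens: any accessor can be revoked; keep the server token itself tightly held.` above `auth/token/revoke-accessor`. The role name `nomad-cluster` is also hard-coded in two path stanzas here and again as `"name"` in vault/roles/nomad-cluster-role.json; a one-line comment at the top noting that the three must be kept in sync would save a silent mismatch when the role is renamed. The `auth/token/lookup` grant is only needed when Nomad is configured to verify task-submitted tokens; if that mode is not in use, the stanza can be dropped and the comment should say which configuration requires it.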
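--- a/vault/roles/nomad-cluster-role.json
+++ b/vault/roles/nomad-cluster-role.json
@@ -0,0 +1,8 @@
+{
+"disallowed_policies": "nomad-server,root",
+"token_explicit_max_ttl": 0,
+"name": "nomad-cluster",
+"orphan": true,
+"token_period": 259200,
+"renewable": true
+}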
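Review bot: The role constrains policies only by deny-list — `"disallowed_policies": "nomad-server,root"` with no `allowed_policies` — so, as I read Vault's token-role semantics, a token minted through this role can be given any other policy that exists in the cluster, which is what lets a job request one it was never meant to have. If the set of policies tasks legitimately need is known, adding an `"allowed_policies"` allow-list alongside the existing deny-list would limit the blast radius of a job that asks for more than it should; `allowed_policies` is an existing token-role parameter and Vault evaluates both lists. `"token_explicit_max_ttl": 0` together with `"token_period": 259200` and `"renewable": true` means issued tokens have no hard lifetime cap as long as renewal keeps succeeding, which is the intended shape for periodic service tokens but worth stating explicitly; since JSON has no comment syntax, the note belongs in the policy file header or a README next to it.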