# Root-equivalent operator policy: "*" matches every Vault path and "sudo"
# unlocks the root-protected endpoints, so any token carrying this policy has
# full control of the Vault instance. Keep its assignment to bootstrap and
# break-glass use and audit who can obtain it.
resource "vault_policy" "admin" {
  name = "admin"

  policy = <<EOF
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
}
# Deploy-client policy: read-only access to the "nomad-deploy" role under the
# "nomad/" mount, which looks like a Vault Nomad secrets engine (each read
# would mint a Nomad ACL token for that role) — confirm the mount path against
# the engine configuration. Nothing else is granted, which is the least
# privilege a deploy job needs.
resource "vault_policy" "nomad-deploy" {
  name = "nomad-deploy"

  policy = <<EOH
path "nomad/creds/nomad-deploy" {
  capabilities = ["read"]
}
EOH
}
# Policy for clusters: the policy attached to tokens handed to Nomad tasks
# (presumably via the "nomad-cluster" token role referenced by the
# "nomad-server" policy — confirm in the role definition). As written it grants
# full CRUD on every secret under the "kv/" mount.
# NOTE(review): the question inside the policy is still open. Tasks that only
# consume secrets need just "read"; the "kv/data/" prefix suggests a KV v2
# mount, where listing goes through "kv/metadata/*", so "list" on "kv/data/*"
# likely has no effect. Narrow this once the task requirements are known.
resource "vault_policy" "nomad-task" {
  name = "nomad-task"

  policy = <<EOH
path "kv/data/*" {
  # Does this need create, update, delete?
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}
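# Policy for nomad tokens: attached to the Vault token the Nomad servers run
# with. It lets the servers mint, inspect, renew and revoke task tokens through
# the "nomad-cluster" token role, and validate/renew their own token. The role
# name is baked into two paths below and must track the token role actually
# created.
resource "vault_policy" "nomad-server" {
  name = "nomad-server"

  policy = <<EOH
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}

# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
}

# Allow looking up the token passed to Nomad to validate the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
  capabilities = ["update"]
}

# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}

# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
  capabilities = ["update"]
}

# Allow our own token to be renewed.
path "auth/token/renew-self" {
  capabilities = ["update"]
}

# This section grants all access on "kv/data/*" — the same grant the
# "nomad-task" policy carries. Further restrictions can be applied to this
# broad policy.
# NOTE(review): the server token does not obviously need direct KV access in
# order to mint task tokens. If the Nomad servers never read secrets
# themselves, dropping this block shrinks the blast radius of a leaked server
# token; confirm against the token role configuration before removing it.
path "kv/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}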