feat: only allow tenant admin to create tokens with its own policies
This commit is contained in:
parent
8ab67a2ed6
commit
39371c8503
@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
|
|||||||
|
|
||||||
resource "vault_policy" "tenant_admin" {
|
resource "vault_policy" "tenant_admin" {
|
||||||
name = "${var.tenant_name}-admin"
|
name = "${var.tenant_name}-admin"
|
||||||
policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : templatefile(var.tenant_admin_policy_file, { tenant_prefix = var.tenant_prefix })
|
policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix, admin_policies = vault_approle_auth_backend_role.tenant_admin.token_policies }) : file(var.tenant_admin_policy_file)
|
||||||
}
|
}
|
||||||
|
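Review bot: The else branch of the `policy =` line now reads the operator-supplied file with `file(var.tenant_admin_policy_file)` instead of `templatefile(...)`, so a custom policy file no longer receives `tenant_prefix` (nor the new `admin_policies`) and any `${tenant_prefix}` placeholder in it reaches Vault verbatim, which changes what paths such a policy actually scopes. If custom files are meant to be used as-is, record that in the `tenant_admin_policy_file` variable description; otherwise keep `templatefile(var.tenant_admin_policy_file, { tenant_prefix = var.tenant_prefix, admin_policies = vault_approle_auth_backend_role.tenant_admin.token_policies })` so both branches render the same placeholders. Separately, the new reference to `vault_approle_auth_backend_role.tenant_admin.token_policies` makes this policy depend on the approle role; if that role's `token_policies` in turn references `vault_policy.tenant_admin.name` (not visible in this hunk), Terraform will report a dependency cycle and the policy list would have to come from a plain local instead.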
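--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -5,3 +5,10 @@ path "${tenant_prefix}/*" {
 path "sys/mounts/${tenant_prefix}/*" {
 capabilities = ["create", "update", "read", "delete", "list"]
 }
+
+path "auth/token/create" {
+capabilities = ["create", "update", "delete"]
+allowed_parameters = {
+"policies" = [${admin_policies}, ${reverse(admin_policies)}]
+}
+}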
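Review bot: The `"policies"` line interpolates a list value (`${admin_policies}` and `${reverse(admin_policies)}`) directly into a string template, which `templatefile` rejects because interpolations inside a string must be strings, so the rendered policy is unlikely to be produced at all. Encode the value as HCL instead, e.g. `"policies" = ${jsonencode([admin_policies, reverse(admin_policies)])}`, which renders a list of two lists. Listing two orderings only covers token-create requests whose `policies` parameter is exactly one of those orderings: if Vault's list comparison for `allowed_parameters` is order-sensitive, any other order or a strict subset of the admin's policies is denied, and if it is order-insensitive the `reverse` duplicate is redundant; confirm this against the Vault version in use and record the intent in a comment above the `auth/token/create` block, since a reader cannot tell from the policy alone why two orderings are listed.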