feat: allow tenant admin to create child token with its own permissions
This commit is contained in:
parent
c1ea5253d5
commit
604a02683c
@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
|
||||
|
||||
resource "vault_policy" "tenant_admin" {
|
||||
name = "${var.tenant_name}-admin"
|
||||
policy = var.tenant_admin_policy_file == null ? file("${path.module}/policies/tenant-admins.policy.hcl") : file(var.tenant_admin_policy_file)
|
||||
policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_name = var.tenant_name }) : templatefile(var.tenant_admin_policy_file, { tenant_name = var.tenant_name })
|
||||
}
|
||||
|
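Review bot: The caller-supplied file on the new `policy = ...` line is now also rendered through templatefile(), which silently changes its contract: any `${` or `%{` sequence in that file other than `${tenant_name}` will now fail the plan, and a literal dollar-brace has to be written `$${`; Vault's own `{{identity.entity.metadata.prefix}}` templating is unaffected because templatefile only interprets `${`/`%{`. A comment above the line would spare the next maintainer the surprise: `# Both the default and a caller-supplied policy file are rendered with templatefile(); they may only reference ${tenant_name}, and a literal "${" must be written "$${".` Since var.tenant_name is now substituted into policy text, including an allowed_parameters value in the companion policy file, it would be worth a `validation` block on that variable restricting it to something like `^[a-z0-9-]+$`, so a name containing `"` or `*` cannot change the meaning of the rendered policy; that variable's definition is outside this hunk.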
@ -5,3 +5,10 @@ path "{{identity.entity.metadata.prefix}}/*" {
|
||||
path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
|
||||
path "auth/token/create" {
|
||||
capabilities = ["create", "update", "delete"]
|
||||
allowed_parameters = {
|
||||
policies = ["${tenant_name}-admin"]
|
||||
}
|
||||
}
|
||||
|
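Review bot: The new `auth/token/create` path only constrains `policies` when the caller sends it; per Vault's documented behaviour a request that omits `policies` is still accepted and the child token receives every policy of the calling token, which may be more than `<tenant>-admin` if the admin's entity or its groups carry additional policies. Adding `required_parameters = ["policies"]` inside the path block forces the caller to name the policies explicitly, so the allowed_parameters restriction always applies. The `delete` capability on this path is inert, since the endpoint has no DELETE verb; `capabilities = ["create", "update"]` states what is actually granted. `${tenant_name}` here is a Terraform templatefile placeholder rather than Vault templating, so a comment such as `# ${tenant_name} is substituted by Terraform templatefile(), not by Vault` would help anyone reading the policy file on its own. The enclosing file continues beyond this hunk.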