# Vault policy for the veylant-proxy role (E10-03).
#
# Grants the role read-only access to three KV v2 secrets under the
# veylant/ prefix (llm-keys, crypto, database) plus read/list on the
# KV v2 metadata below secret/metadata/veylant/. Nothing here permits
# writing, deleting or destroying a secret version. Everything else is
# denied; Vault already denies by default, the trailing "*" rule only
# makes that explicit.
#
# Apply to Vault:
# vault policy write veylant-proxy deploy/k8s/vault/vault-policy.hcl
#
# Then create the Kubernetes auth role (binds this policy to the
# veylant-proxy service account in the veylant namespace, 1h token TTL):
# vault write auth/kubernetes/role/veylant-proxy \
# bound_service_account_names=veylant-proxy \
# bound_service_account_namespaces=veylant \
# policies=veylant-proxy \
# ttl=1h

# LLM provider API keys — read only.
# "read" on a secret/data/<name> path returns the current version of the
# secret; creating a new version needs "create"/"update", which is not
# granted anywhere in this policy.
path "secret/data/veylant/llm-keys" {
  capabilities = ["read"]
}

# Cryptographic secrets (AES key for prompt encryption) — read only.
path "secret/data/veylant/crypto" {
  capabilities = ["read"]
}

# Database connection URL — read only.
path "secret/data/veylant/database" {
  capabilities = ["read"]
}

# Allow metadata reads (needed for dynamic lease renewal).
# NOTE(review): KV v2 metadata holds version history and timestamps, not
# a lease — confirm which client code path actually depends on this rule.
# The trailing "*" makes this a prefix match, and "list" lets the role
# enumerate every secret name under veylant/, not only the three granted
# above. If the proxy needs metadata only for those three secrets,
# narrowing this to per-secret metadata paths keeps the role from
# discovering secrets added under veylant/ later.
path "secret/metadata/veylant/*" {
  capabilities = ["read", "list"]
}

# Deny all other paths explicitly (defense-in-depth).
# Per Vault's policy precedence (the most specific matching path wins),
# this catch-all does not override the narrower grants above.
# NOTE(review): tokens issued by the kubernetes auth role normally also
# carry Vault's "default" policy (token self-lookup/renewal) unless the
# role disables it; verify token renewal still works alongside this deny.
path "*" {
  capabilities = ["deny"]
}