Fix: override default restritive policy for identity admin.

Cleaned up admin policy.
Update .gitignore to include default_policy.hcl
2026-01-19 20:43:39 +01:00 · 2026-01-19 20:42:56 +01:00 · 2026-01-19 20:42:36 +01:00
3 changed files with 12 additions and 14 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
-config
-data
-log
+/config
+/data
+/log
 **/*.key
+default_policy.hcl
--- a/policies/admin_policy.hcl
+++ b/policies/admin_policy.hcl
@@ -32,14 +32,6 @@ path "sys/auth" {
  capabilities = ["read"]
 }

-# Enable and manage the key/value secrets engine at `secret/` path
-
-# List, create, update, and delete key/value secrets
-# path "secret/*"
-# {
-#   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-# }
-
 # Manage secrets engines
 path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
--- a/policies/identity_admin_policy.hcl
+++ b/policies/identity_admin_policy.hcl
@@ -1,8 +1,13 @@
 # Add identity admin role to the token
 path "identity/*" {
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+  capabilities = ["create", "read", "update", "delete", "list"]
 }

-path "identity/entity/*/name" {
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+# Override default policies for identity management
+path "identity/entity/id/{{identity.entity.id}}" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "identity/entity/name/{{identity.entity.name}}" {
+  capabilities = ["create", "read", "update", "delete", "list"]
 }
Author	SHA1	Message	Date
Slawomir Koszewski	30eaccb1a3	Fix: override default restritive policy for identity admin.	2026-01-19 20:43:39 +01:00
Slawomir Koszewski	6c5323025b	Cleaned up admin policy.	2026-01-19 20:42:56 +01:00
Slawomir Koszewski	5050963cd5	Update .gitignore to include default_policy.hcl	2026-01-19 20:42:36 +01:00