github.com/hernad/nomad@v1.6.112/e2e/terraform/etc/acls/vault/nomad-policy.hcl (about)

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Vault policy for the token handed to Nomad (e2e Terraform fixture).
#
# Every grant below is a token-lifecycle endpoint under auth/token/ or
# sys/; the policy grants no secret paths, no wildcards and no sudo/root
# capability. What a task token may ultimately read is therefore decided
# by the "nomad-tasks" token role (presumably its allowed/disallowed
# policies), not by this file -- review that role alongside this policy.
#
# NOTE(review): "auth/token/lookup" and "auth/token/revoke-accessor" are
# not role-scoped: the holder can look up or revoke any token/accessor it
# names, so this policy should only ever be attached to the token Nomad
# itself uses, never to task tokens.

# Allow creating tokens under "nomad-tasks" role. The role name should be
# updated if "nomad-tasks" is not used (keep it in sync with the
# "auth/token/roles/nomad-tasks" grant below).
path "auth/token/create/nomad-tasks" {
  capabilities = ["update"]
}

# Allow looking up "nomad-tasks" role. The role name should be updated if
# "nomad-tasks" is not used.
path "auth/token/roles/nomad-tasks" {
  capabilities = ["read"]
}

# Allow looking up the token passed to Nomad to validate the token has the
# proper capabilities. This is provided by the "default" policy, so the
# grant is redundant if the token also carries "default"; it is kept so the
# policy stands on its own.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
# NOTE(review): least privilege -- if the deployment runs with
# `allow_unauthenticated = true`, this block can be dropped, since it is the
# broadest grant in the policy (lookup of arbitrary tokens by ID).
path "auth/token/lookup" {
  capabilities = ["update"]
}

# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks. Revocation is by accessor, so Nomad never needs to
# retain the task token's ID for this purpose.
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}

# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
  capabilities = ["update"]
}

# Allow our own token to be renewed. Renewal (not re-issuance) keeps the
# long-lived Nomad token alive; its max TTL is still bounded by the token's
# own settings, not by this policy.
path "auth/token/renew-self" {
  capabilities = ["update"]
}