vault: add OpenBao OIDC integration with Kanidm

2026-02-09 19:20:13 +01:00
parent 2f5a2a4bf1
commit d7f6603620
5 changed files with 127 additions and 0 deletions
--- a/terraform/vault/policies.tf
+++ b/terraform/vault/policies.tf
@@ -8,3 +8,50 @@ path "sys/metrics" {
 }
 EOT
 }
+
+# OIDC admin policy - full read/write to all secrets
+resource "vault_policy" "oidc_admin" {
+  name = "oidc-admin"
+
+  policy = <<EOT
+# Full access to KV secrets
+path "secret/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Read system health and metrics
+path "sys/health" {
+  capabilities = ["read"]
+}
+
+path "sys/metrics" {
+  capabilities = ["read"]
+}
+
+# List auth methods and mounts
+path "sys/auth" {
+  capabilities = ["read"]
+}
+
+path "sys/mounts" {
+  capabilities = ["read"]
+}
+EOT
+}
+
+# OIDC default policy - minimal access for authenticated users
+resource "vault_policy" "oidc_default" {
+  name = "oidc-default"
+
+  policy = <<EOT
+# Read own token info
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Read system health
+path "sys/health" {
+  capabilities = ["read"]
+}
+EOT
+}