I want to be able to create a policy that will allow to create kubernetes auth role and allow adding only a policy named kuberneted/default. I am using policy template as follows:
path "auth/kubernetes/role/{{identity.entity.aliases.auth_jwt_lll.metadata.project_id}}" {
capabilities = ["read","delete", "list", "patch", "update","create"]
allowed_parameters = {
policies = ["kubernetes/default"]
bound_service_account_names = []
bound_service_account_namespaces = []
ttl = []
}
}
This is saved, so I do not thing there is a syntax issue, and also, I found this is working when I remove “kubernetes/default”.
Anywyas, I get the error:
File "/usr/local/lib/python3.11/site-packages/hvac/adapters.py", line 294, in _raise_for_error utils.raise_for_error( File "/usr/local/lib/python3.11/site-packages/hvac/utils.py", line 41, in raise_for_error raise exceptions.VaultError.from_status( hvac.exceptions.Forbidden: 1 error occurred: * permission denied , on post https://my.local:443/v1/auth/kubernetes/role/2751
The auth token who holds this policy authenticated using Gitlab-ci ID Token which was jwt generated by Gitlab and it is configured with OIDC/jwt integration in vault. Although i do not believe this is the issue.