fix(docs): Assign policy to token, grant it access

README.md

@@ -214,7 +214,7 @@ Log in to Vault with `userpass` and an account that has `write` access to `auth/
 ```
 curl --silent --location --header 'X-Vault-Token: <token>' \
     --request POST \
-    --data '{"ttl":"768h","renewable":true,"display_name":"remco populates config files with secrets"}' \
+    --data '{"policies":["remco"],"renewable":true,"ttl":"768h","display_name":"remco populates config files with secrets"}' \
     'https://f.q.d.n/v1/auth/token/create-orphan'
 ```
 

policies/remco/remco.hcl

@@ -1,12 +1,22 @@
 # Allow listing secret parent-child connections (as in UI hierarchy). Subdir
 # underneath 'kv' secrets engine will remain hidden though, user has to
 # manually open up
-# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.GROUPID.name}}
+# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.83754fb4-ee24-fa6a-52dd-50ef8f1d6665.name}}
-path "kv/metadata/for_{{identity.groups.ids.GROUPID.name}}/*" {
+path "kv/metadata/for_{{identity.groups.ids.83754fb4-ee24-fa6a-52dd-50ef8f1d6665.name}}/*" {
+    capabilities = ["list"]
+}
+
+# Same but without ID, this allows an orphan token (i.e. that has no parent "entity_id") to also access this
+path "kv/metadata/for_rbacgroup_remco/*" {
     capabilities = ["list"]
 }
 
 # Grant read-only access to secrets
-path "kv/data/for_{{identity.groups.ids.GROUPID.name}}/*" {
+path "kv/data/for_{{identity.groups.ids.83754fb4-ee24-fa6a-52dd-50ef8f1d6665.name}}/*" {
+    capabilities = ["read"]
+}
+
+# Same but without ID, this allows an orphan token (i.e. that has no parent "entity_id") to also access this
+path "kv/data/for_rbacgroup_remco/*" {
     capabilities = ["read"]
 }