From c559e62d3fc7164e120c0ad820aabaeee8c9fc35 Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Fri, 23 Sep 2022 22:34:51 +0200
Subject: [PATCH] feat(zabbix): Add policy for a Zabbix server to use dedicated credentials (#1)
---
policies/role-zabbix/role-zabbix.hcl | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 policies/role-zabbix/role-zabbix.hcl
diff --git a/policies/role-zabbix/role-zabbix.hcl b/policies/role-zabbix/role-zabbix.hcl
new file mode 100644
index 0000000..9695ad6
--- /dev/null
+++ b/policies/role-zabbix/role-zabbix.hcl
@@ -0,0 +1,12 @@
+# Allow listing secret parent-child connections (as in UI hierarchy). Subdir
+# underneath 'kv' secrets engine will remain hidden though, user has to
+# manually open up
+# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.GROUPID.name}}
+path "kv/metadata/for_{{identity.groups.ids.GROUPID.name}}/*" {
+  capabilities = ["list"]
+}
+
+# Grant read-only access to secrets
+path "kv/data/for_{{identity.groups.ids.GROUPID.name}}/*" {
+  capabilities = ["read"]
+}
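Review bot: Both templated paths key on the literal token `GROUPID` inside `{{identity.groups.ids.GROUPID.name}}`, which reads as a placeholder rather than a real Vault identity group ID, and nothing in the file says it must be substituted before `vault policy write`. Vault resolves `identity.groups.ids.<id>.name` against the calling entity's group memberships at request time, so if the token is left as-is the template never resolves and the policy grants nothing — it fails closed, which is safe but silent, and a Zabbix server attached to it would simply get permission denied. I would add a header comment above the first `path` block: `# GROUPID is a placeholder: replace it with the ID of the identity group this policy is bound to (e.g. vault read -field=id identity/group/name/<group>) before writing the policy; an unresolved template grants no access.` The trailing `/*` glob on both paths also covers every nested key under the group's prefix, which looks intended for a dedicated-credentials namespace but is worth stating in the comment so a later maintainer does not assume it is a single-secret grant.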