From d0ed5f15ab84c33fd5f7f394e3db1b4b32f4b5bd Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Tue, 25 Apr 2023 02:21:47 +0200
Subject: [PATCH] feat(docs): Remco example user has its own kv location (#3)

---
 policies/remco/remco.hcl | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 policies/remco/remco.hcl

diff --git a/policies/remco/remco.hcl b/policies/remco/remco.hcl
new file mode 100644
index 0000000..9695ad6
--- /dev/null
+++ b/policies/remco/remco.hcl
@@ -0,0 +1,12 @@
+# Allow listing secret parent-child connections (as in UI hierarchy). Subdir
+# underneath 'kv' secrets engine will remain hidden though, user has to
+# manually open up
+# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.GROUPID.name}}
+path "kv/metadata/for_{{identity.groups.ids.GROUPID.name}}/*" {
+ capabilities = ["list"]
+}
+
+# Grant read-only access to secrets
+path "kv/data/for_{{identity.groups.ids.GROUPID.name}}/*" {
+ capabilities = ["read"]
+}
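Review bot: Both `path` stanzas key off `{{identity.groups.ids.GROUPID.name}}`, but nothing in the file says that `GROUPID` is a placeholder for the group's identity ID (a UUID, not the group name) that must be substituted before the policy is written; someone who copies this example verbatim ends up with a template parameter that never resolves, which as far as I can tell leaves both paths without effect rather than failing loudly. A header comment such as `# Replace GROUPID with the Vault identity group ID (not its name); an unresolved template parameter leaves the path without effect.` would make the example self-explanatory. Worth a caveat as well: because the `for_…` prefix is derived from the group's mutable name, whoever can write `identity/group` can re-point this grant by renaming the group, so the comment should state that group-rename rights are effectively rights over this scope.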