docs(config): Get started on config management

This commit is contained in:
hygienic-books 2022-06-07 03:49:37 +02:00
parent 0613f58ba4
commit f9c7e74524
2 changed files with 10 additions and 0 deletions


@ -94,6 +94,12 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
``` ```
Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`. Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/<name>`.
* Optionally [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible.
You'll want to create an Ansible entity with an alias, create both a `token` and a `userpass` alias and use the latter one to authenticate against Vault to retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl).
From here on out just more of what you already did so feel free to make this fit your own approach.
## Clean-up ## Clean-up
If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token. If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token.
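Review bot: The bullet starting "Optionally" and the paragraph right after it both link to the same policies/role-cfgmgmt/cfgmgmt.hcl file; fold the second link into the first bullet so the reader is not sent to the same file twice in consecutive sentences. In the same paragraph the doc tells the reader to create both a `token` and a `userpass` alias for the Ansible entity but only ever uses the `userpass` one to log in, so either say what the `token` alias is for (the token obtained after login gets mapped back to the entity) or drop it. Minor wording: "Entity IDs are coming from" reads better as "Entity IDs come from", and the closing line "From here on out just more of what you already did" is missing a verb ("it's just more of").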


@ -0,0 +1,4 @@
# Grant read-only access to secrets
path "kv/data/name/domain/qualified/fully/os/root/creds" {
capabilities = ["read"]
}
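Review bot: The comment above the rule says only "Grant read-only access to secrets", but the rule grants `read` on exactly one hard-coded path, `kv/data/name/domain/qualified/fully/os/root/creds`, and nothing tells the reader that the `name/domain/qualified/fully` segments are a placeholder (it looks like a reversed FQDN convention) to be replaced with their own secret path. Spell that out in the comment, e.g. `# Example path: replace name/domain/qualified/fully with your own secret hierarchy`. Also worth a comment that, because the path is under `kv/data/`, this covers the secret's data endpoint only; if the config management tool also needs to list or inspect versions, a matching `kv/metadata/...` entry would be required.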