Vault App Role Config
Gw Service App Role Setup
ts-gw-srvc
Local App Role Setup
Environment: local
Local GW Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the local gw service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/shared/aws/user-pool" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/shared/aws/user-pool" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/gw/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/gw/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-gw-local-read-policy.hcl" -Encoding asciivault policy write ts-gw-local-read-policy ts-gw-local-read-policy.hclLocal GW Service App Role:
vault write auth/approle/role/ts-gw-local-app-role `
token_policies="ts-gw-local-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Local GW Service Read Policy and App Role:
vault policy listvault policy read ts-log-local-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-gw-local-app-roleDev App Role Setup
Environment: dev
Dev GW Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the dev gw service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/shared/aws/user-pool" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/shared/aws/user-pool" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/gw/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/gw/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-gw-dev-read-policy.hcl" -Encoding asciivault policy write ts-gw-dev-read-policy ts-gw-dev-read-policy.hclDev GW Service App Role:
vault write auth/approle/role/ts-gw-dev-app-role `
token_policies="ts-gw-dev-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Dev GW Service Read Policy and App Role:
vault policy listvault policy read ts-gw-dev-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-gw-dev-app-roleQA App Role Setup
Environment: qa
QA GW Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the qa gw service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/qa/gw/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/qa/gw/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-gw-qa-read-policy.hcl" -Encoding asciivault policy write ts-gw-qa-read-policy ts-gw-qa-read-policy.hclQA GW Service App Role:
vault write auth/approle/role/ts-gw-qa-app-role `
token_policies="ts-gw-qa-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check QA GW Service Read Policy and App Role:
vault policy listvault policy read ts-gw-qa-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-gw-qa-app-rolePROD App Role Setup
Environment: prod
PROD GW Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the prod gw service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/prod/gw/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/prod/gw/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-gw-prod-read-policy.hcl" -Encoding asciivault policy write ts-gw-prod-read-policy ts-gw-prod-read-policy.hclPROD GW Service App Role:
vault write auth/approle/role/ts-gw-prod-app-role `
token_policies="ts-gw-prod-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check PROD GW Service Read Policy and App Role:
vault policy listvault policy read ts-gw-prod-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-gw-prod-app-roleData Service App Role Setup
ts-data-srvc
Local App Role Setup
Environment: local
Local DATA Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the local data service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/data/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/data/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-data-local-read-policy.hcl" -Encoding asciivault policy write ts-data-local-read-policy ts-data-local-read-policy.hclLocal DATA Service App Role:
vault write auth/approle/role/ts-data-local-app-role `
token_policies="ts-data-local-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-data-read-policy.
It will automatically pick up the new paths on next token request.
Check Local DATA Service Read Policy and App Role:
vault policy listvault policy read ts-log-local-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-data-local-app-roleDev App Role Setup
Environment: dev
Dev DATA Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the dev data service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/data/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/data/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-data-dev-read-policy.hcl" -Encoding asciivault policy write ts-data-dev-read-policy ts-data-dev-read-policy.hclDev DATA Service App Role:
vault write auth/approle/role/ts-data-dev-app-role `
token_policies="ts-data-dev-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-data-read-policy.
It will automatically pick up the new paths on next token request.
Check Dev DATA Service Read Policy and App Role:
vault policy listvault policy read ts-data-dev-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-data-dev-app-roleQA App Role Setup
Environment: qa
QA DATA Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the qa data service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/qa/data/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/qa/data/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-data-qa-read-policy.hcl" -Encoding asciivault policy write ts-data-qa-read-policy ts-data-qa-read-policy.hclQA DATA Service App Role:
vault write auth/approle/role/ts-data-qa-app-role `
token_policies="ts-data-qa-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-data-read-policy.
It will automatically pick up the new paths on next token request.
Check QA DATA Service Read Policy and App Role:
vault policy listvault policy read ts-data-qa-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-data-qa-app-rolePROD App Role Setup
Environment: prod
PROD DATA Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the prod data service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/prod/data/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/prod/data/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-data-prod-read-policy.hcl" -Encoding asciivault policy write ts-data-prod-read-policy ts-data-prod-read-policy.hclPROD DATA Service App Role:
vault write auth/approle/role/ts-data-prod-app-role `
token_policies="ts-data-prod-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-data-read-policy.
It will automatically pick up the new paths on next token request.
Check PROD DATA Service Read Policy and App Role:
vault policy listvault policy read ts-data-prod-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-data-prod-app-roleFile Service App Role Setup
ts-file-srvc
Local App Role Setup
Environment: local
Local FILE Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the local file service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/file/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/file/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-file-local-read-policy.hcl" -Encoding asciivault policy write ts-file-local-read-policy ts-file-local-read-policy.hclLocal FILE Service App Role:
vault write auth/approle/role/ts-file-local-app-role `
token_policies="ts-file-local-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-file-read-policy.
It will automatically pick up the new paths on next token request.
Check Local FILE Service Read Policy and App Role:
vault policy listvault policy read ts-file-local-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-file-local-app-roleDev App Role Setup
Environment: dev
Dev FILE Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the dev file service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/file/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/file/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-file-dev-read-policy.hcl" -Encoding asciivault policy write ts-file-dev-read-policy ts-file-dev-read-policy.hclDev FILE Service App Role:
vault write auth/approle/role/ts-file-dev-app-role `
token_policies="ts-file-dev-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-file-read-policy.
It will automatically pick up the new paths on next token request.
Check Dev FILE Service Read Policy and App Role:
vault policy listvault policy read ts-file-dev-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-file-dev-app-roleQA App Role Setup
Environment: qa
QA FILE Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the qa file service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/qa/file/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/qa/file/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-file-qa-read-policy.hcl" -Encoding asciivault policy write ts-file-qa-read-policy ts-file-qa-read-policy.hclQA FILE Service App Role:
vault write auth/approle/role/ts-file-qa-app-role `
token_policies="ts-file-qa-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-file-read-policy.
It will automatically pick up the new paths on next token request.
Check QA FILE Service Read Policy and App Role:
vault policy listvault policy read ts-file-qa-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-file-qa-app-rolePROD App Role Setup
Environment: prod
PROD FILE Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the prod file service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/prod/file/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/prod/file/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-file-prod-read-policy.hcl" -Encoding asciivault policy write ts-file-prod-read-policy ts-file-prod-read-policy.hclPROD FILE Service App Role:
vault write auth/approle/role/ts-file-prod-app-role `
token_policies="ts-file-prod-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-file-read-policy.
It will automatically pick up the new paths on next token request.
Check PROD FILE Service Read Policy and App Role:
vault policy listvault policy read ts-file-prod-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-file-prod-app-roleLog Service App Role Setup
ts-log-srvc
Local App Role Setup
Environment: local
Local Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the local log service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/shared/aws" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/aws" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/shared/aws/user-pool" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/shared/aws/user-pool" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/log/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/log/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-local-read-policy.hcl" -Encoding asciivault policy write ts-log-local-read-policy ts-log-local-read-policy.hclLocal Log Service App Role:
vault write auth/approle/role/ts-log-local-app-role `
token_policies="ts-log-local-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Local Log Service Read Policy and App Role:
vault policy listvault policy read ts-log-local-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-local-app-roleDev App Role Setup
Environment: dev
Dev Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the dev log service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/shared/aws" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/aws" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/shared/aws/user-pool" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/shared/aws/user-pool" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/log/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/log/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-dev-read-policy.hcl" -Encoding asciivault policy write ts-log-dev-read-policy ts-log-dev-read-policy.hclDev Log Service App Role:
vault write auth/approle/role/ts-log-dev-app-role `
token_policies="ts-log-dev-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Dev Log Service Read Policy and App Role:
vault policy listvault policy read ts-log-dev-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-dev-app-roleQA App Role Setup
Environment: qa
QA Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the qa log service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/qa/log/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/qa/log/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-qa-read-policy.hcl" -Encoding asciivault policy write ts-log-qa-read-policy ts-log-qa-read-policy.hclQA Log Service App Role:
vault write auth/approle/role/ts-log-qa-app-role `
token_policies="ts-log-qa-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check QA Log Service Read Policy and App Role:
vault policy listvault policy read ts-log-qa-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-qa-app-rolePROD App Role Setup
Environment: prod
PROD Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the prod log service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/prod/log/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/prod/log/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-prod-read-policy.hcl" -Encoding asciivault policy write ts-log-prod-read-policy ts-log-prod-read-policy.hclPROD Log Service App Role:
vault write auth/approle/role/ts-log-prod-app-role `
token_policies="ts-log-prod-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check PROD Log Service Read Policy and App Role:
vault policy listvault policy read ts-log-prod-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-prod-app-roleLog UI App Role Setup
ts-log-ui
Local App Role Setup
Environment: local
Local Log UI Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the local log UI:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/shared/aws" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/aws" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/log/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/log/db-creds" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/log-ui/aws-cognito" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/log-ui/aws-cognito" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-ui-local-read-policy.hcl" -Encoding asciivault policy write ts-log-ui-local-read-policy ts-log-ui-local-read-policy.hclLocal Log UI App Role:
vault write auth/approle/role/ts-log-ui-local-app-role `
token_policies="ts-log-ui-local-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Local Log UI Read Policy and App Role:
vault policy listvault policy read ts-log-ui-local-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-ui-local-app-roleDev App Role Setup
Environment: dev
Dev Log UI Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the dev log UI:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/shared/aws" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/aws" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/log/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/log/db-creds" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/log-ui/aws-cognito" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/log-ui/aws-cognito" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-ui-dev-read-policy.hcl" -Encoding asciivault policy write ts-log-ui-dev-read-policy ts-log-ui-dev-read-policy.hclDev Log UI App Role:
vault write auth/approle/role/ts-log-ui-dev-app-role `
token_policies="ts-log-ui-dev-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Dev Log UI Read Policy and App Role:
vault policy listvault policy read ts-log-ui-dev-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-ui-dev-app-roleQA App Role Setup
Environment: qa
QA Log UI Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the qa log UI:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/qa/log-ui/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/qa/log-ui/db-creds" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-ui-qa-read-policy.hcl" -Encoding asciivault policy write ts-log-ui-qa-read-policy ts-log-ui-qa-read-policy.hclQA Log UI App Role:
vault write auth/approle/role/ts-log-ui-qa-app-role `
token_policies="ts-log-ui-qa-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check QA Log UI Read Policy and App Role:
vault policy listvault policy read ts-log-ui-qa-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-ui-qa-app-rolePROD App Role Setup
Environment: prod
PROD Log UI Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the prod log UI:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/shared/aws" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/aws" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/prod/log-ui/db-creds" {
capabilities = ["read"]
}
path "tidyshelves/metadata/prod/log-ui/db-creds" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/prod/log-ui/aws-cognito" {
capabilities = ["read"]
}
path "tidyshelves/metadata/prod/log-ui/aws-cognito" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-log-ui-prod-read-policy.hcl" -Encoding asciivault policy write ts-log-ui-prod-read-policy ts-log-ui-prod-read-policy.hclPROD Log UI App Role:
vault write auth/approle/role/ts-log-ui-prod-app-role `
token_policies="ts-log-ui-prod-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check PROD Log UI Read Policy and App Role:
vault policy listvault policy read ts-log-ui-prod-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-log-ui-prod-app-roleLocation Service App Role Setup
ts-location-srvc
Local App Role Setup
Environment: local
Local Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the local location service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/local/location/google-places-api-new" {
capabilities = ["read"]
}
path "tidyshelves/metadata/local/location/google-places-api-new" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-location-local-read-policy.hcl" -Encoding asciivault policy write ts-location-local-read-policy ts-location-local-read-policy.hclLocal Log Service App Role:
vault write auth/approle/role/ts-location-local-app-role `
token_policies="ts-location-local-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Local Location Service Read Policy and App Role:
vault policy listvault policy read ts-location-local-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-location-local-app-roleDev App Role Setup
Environment: dev
Dev Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the dev location service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/dev/location/google-places-api-new" {
capabilities = ["read"]
}
path "tidyshelves/metadata/dev/location/google-places-api-new" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-location-dev-read-policy.hcl" -Encoding asciivault policy write ts-location-dev-read-policy ts-location-dev-read-policy.hclDev Log Service App Role:
vault write auth/approle/role/ts-location-dev-app-role `
token_policies="ts-location-dev-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check Dev Location Service Read Policy and App Role:
vault policy listvault policy read ts-location-dev-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-location-dev-app-roleQA App Role Setup
Environment: qa
QA Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the qa location service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/qa/location/google-places-api-new" {
capabilities = ["read"]
}
path "tidyshelves/metadata/qa/location/google-places-api-new" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-location-qa-read-policy.hcl" -Encoding asciivault policy write ts-location-qa-read-policy ts-location-qa-read-policy.hclQA Log Service App Role:
vault write auth/approle/role/ts-location-qa-app-role `
token_policies="ts-location-qa-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check QA Location Service Read Policy and App Role:
vault policy listvault policy read ts-location-qa-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-location-qa-app-rolePROD App Role Setup
Environment: prod
PROD Log Service Read Policy:
Run Windows PowerShell as Administrator and run the following commands to create a policy that allows reading logs from the prod location service:
Move away from C:\Windows\system32>
d:$env:VAULT_ADDR = "https://dev.vault.aspireclan.com"
$env:VAULT_TOKEN = "<vault token>"@"
path "tidyshelves/data/shared/grafana" {
capabilities = ["read"]
}
path "tidyshelves/metadata/shared/grafana" {
capabilities = ["read", "list"]
}
path "tidyshelves/data/prod/location/google-places-api-new" {
capabilities = ["read"]
}
path "tidyshelves/metadata/prod/location/google-places-api-new" {
capabilities = ["read", "list"]
}
"@ | Out-File -FilePath "ts-location-prod-read-policy.hcl" -Encoding asciivault policy write ts-location-prod-read-policy ts-location-prod-read-policy.hclPROD Log Service App Role:
vault write auth/approle/role/ts-location-prod-app-role `
token_policies="ts-location-prod-read-policy" `
token_ttl="1h" `
token_max_ttl="4h"If you make any changes to the policy:
No need to re-create the AppRole––it already references ts-gw-read-policy.
It will automatically pick up the new paths on next token request.
Check PROD Location Service Read Policy and App Role:
vault policy listvault policy read ts-location-prod-read-policyvault list auth/approle/rolevault read auth/approle/role/ts-location-prod-app-role