Deploy `Vault` policies.

cookbooks/vault/files/etc/vault.d/policies/consul-auto-config.hcl

@@ -0,0 +1,7 @@
+{
+  "path": {
+    "identity/oidc/token/oidc-role": {
+      "policy": "read"
+    }
+  }
+}

cookbooks/vault/files/etc/vault.d/policies/consul-connect-vault.hcl

@@ -0,0 +1,20 @@
+# Consul Managed PKI Mounts
+path "/sys/mounts" {
+  capabilities = [ "read" ]
+}
+
+path "/sys/mounts/connect_root" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/sys/mounts/connect_inter" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_root/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}
+
+path "/connect_inter/*" {
+  capabilities = [ "create", "read", "update", "delete", "list" ]
+}

cookbooks/vault/setup.rb

@@ -12,3 +12,11 @@ directory '/etc/vault.d/policies' do
   group 'vault'
   mode '755'
 end
+
+%w( consul-auto-config consul-connect-vault ).each do |conf|
+  remote_file "/etc/vault.d/policies/#{conf}.hcl" do
+    owner 'vault'
+    group 'vault'
+    mode '644'
+  end
+end