ctctl/vault/policies/ct-server.hcl


# Vault ACL policy (ct-server.hcl).
#
# Each stanza grants exactly one capability on one exact path: no globs,
# no "sudo", no "list". The grants fall into four groups: Vault token
# creation, dynamic Consul/Nomad credentials, PKI certificate issuance,
# and a Raft snapshot of Vault itself.

# --- Vault token creation -------------------------------------------------
# "update" on auth/token/create/<role> allows minting a token against that
# token role. What the minted token can do is bounded by the role's own
# settings, so review the role definition together with this policy.

# Vault token for the nomad-server role.
path "auth/token/create/nomad-server" {
  capabilities = ["update"]
}

# Vault token for the consul-server role.
path "auth/token/create/consul-server" {
  capabilities = ["update"]
}

# --- Dynamic Consul credentials -------------------------------------------
# "read" on consul/creds/<role> generates a new Consul token for that role.

# Consul token with the nomad-server role.
path "consul/creds/nomad-server" {
  capabilities = ["read"]
}

# Consul token used for backups.
path "consul/creds/backup" {
  capabilities = ["read"]
}

# --- PKI certificate issuance ---------------------------------------------
# "update" on <mount>/issue/<role> issues a certificate under that role.
# The issue endpoint returns the private key together with the certificate,
# so the response has to be handled as secret material.

# Certificate for the Consul agent, from the PKI mount at pki/consul.
path "pki/consul/issue/consul-server" {
  capabilities = ["update"]
}

# Certificate for the Nomad agent, from the PKI mount at pki/nomad.
path "pki/nomad/issue/nomad-server" {
  capabilities = ["update"]
}

# --- Dynamic Nomad credentials --------------------------------------------

# Nomad token used for backups.
path "nomad/creds/backup" {
  capabilities = ["read"]
}

# --- Vault backup ---------------------------------------------------------
# "read" on sys/storage/raft/snapshot downloads a snapshot of Vault's
# integrated (Raft) storage. The snapshot covers the whole Vault data store,
# so tokens carrying this policy and the snapshot files they produce need
# the same protection as the storage backend itself.
path "sys/storage/raft/snapshot" {
  capabilities = ["read"]
}