From c30f1fc587029fed928e8195d9f61f26c84b0f3d Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Thu, 15 Jan 2026 03:46:58 -0300
Subject: [PATCH] vault: allow sso role to read portal admin secret

---
 services/vault/scripts/vault_k8s_auth_configure.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index d47ebb5..daf0214 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -154,7 +154,7 @@ write_policy_and_role "gitea" "gitea" "gitea-vault" \
 write_policy_and_role "vaultwarden" "vaultwarden" "vaultwarden-vault" \
   "vaultwarden/* shared/postmark-relay" ""
 write_policy_and_role "sso" "sso" "sso-vault,sso-vault-sync,mas-secrets-ensure" \
-  "sso/* shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay harbor-pull/sso" ""
+  "sso/* portal/bstein-dev-home-keycloak-admin shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay harbor-pull/sso" ""
 write_policy_and_role "mailu-mailserver" "mailu-mailserver" "mailu-vault-sync" \
   "mailu/* shared/postmark-relay harbor-pull/mailu-mailserver" ""
 write_policy_and_role "harbor" "harbor" "harbor-vault-sync" \