ACL policy for token creation


György Demarcsek

Sep 4, 2015, 5:46:00 AM
to Vault
Hi All,

I don't know if this is something I should never do, but is it possible to create a token that can only be used to create additional tokens without providing "root" policy to the first token? Somewhat similarly to how Ticket Granting Tickets work in Kerberos.

Thanks.

Cheers,
Gyuri

Jeff Mitchell

Sep 4, 2015, 8:46:00 AM
to vault...@googlegroups.com
You sure can!

Take a look at the API and information here: https://vaultproject.io/docs/auth/token.html

Non-root tokens cannot create orphan tokens, and cannot associate tokens with policies that are not a subset of their policies. To allow a token to create other tokens, associate it with a policy that has write permission to auth/token/create.

--Jeff
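
An added example (not from the thread and not Vault's own documentation) of the policy setup described in the reply above, written in the `policy = "..."` ACL syntax Vault used at the time of this thread. The policy names `token-minter` and `app-read` and the path `secret/app/*` are hypothetical.

```hcl
# token-minter.hcl (hypothetical policy name)
# Replaces "root" on the parent token: the only path it grants is the
# token creation endpoint named in the reply.
path "auth/token/create" {
  policy = "write"
}

# app-read.hcl (hypothetical policy name and secret path)
# A policy the parent token is meant to hand out to child tokens.
path "secret/app/*" {
  policy = "read"
}

# Parent token policies: token-minter, app-read   (no root)
#
# Requests made with the parent token, following the rules in the reply:
#   child with policies [app-read]         -> allowed (subset of the parent's)
#   child with policies [app-read, other]  -> refused (not a subset)
#   orphan child token                     -> refused (parent is not root)
#
# A child holding only app-read has no write access to auth/token/create,
# so it cannot mint further tokens itself.
```

Because of the subset rule, the parent token has to hold every policy it issues, so in this sketch it can also read `secret/app/*` directly rather than being limited to token creation alone.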
