VAULT API for Token-create


narayan gowraj

May 24, 2016, 2:57:21 PM
to Vault
I was wondering if I can make use of vault api to create a token. For example, I have been using this to create new secrets, 

curl \
    -H "X-Vault-Token:$VAULT_TOKEN" \
    http://127.0.0.1:8200/v1/secret/<secretname>


Do we have an API endpoint to create tokens that I can distribute to my Vault users?

Francis Chuang

May 25, 2016, 2:20:32 AM
to Vault

You should be able to use the API here: https://www.vaultproject.io/docs/auth/token.html

So, to create a token, POST to /v1/auth/token/create

narayan gowraj

May 25, 2016, 9:53:29 PM
to Vault
Thank you. 

sumeet....@collectivehealth.com

Jul 6, 2016, 8:38:24 PM
to Vault
I want to create a token with a non-root token. According to the docs, I can create an orphan token using a non-root token. When I try, it gives me "permission denied". Any idea?

Thanks
Sumeet


vishal nayak

Jul 7, 2016, 1:28:03 PM
to vault...@googlegroups.com
Hi Sumeet,

I suggest you create new posts, so it gets better attention.

Regarding your question, orphan tokens can be created by both root and non-root tokens.

The non-root token you are using to create another token (orphan or not) may not have permission to create tokens at all.

What does the policy of the token you are using look like?

Regards,
Vishal


This message may contain confidential, proprietary, or protected information.  If you are not the intended recipient, you may not review, copy, or distribute this message. If you received this message in error, please notify the sender by reply email and delete this message.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/162cab98-eea2-4916-bbc0-36394a41eff1%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
vn

sumeet....@collectivehealth.com

Jul 7, 2016, 1:32:00 PM
to Vault
Thanks Vishal. The token has a read permission on a certain path, and I need to create another token with the same permissions. 
What permissions does a token need to create an orphan token? Is there a specific permission to create orphan-token?

Sumeet

vishal nayak

Jul 7, 2016, 1:45:18 PM
to vault...@googlegroups.com
Hi Sumeet,

If a token has read permission on a certain path, it can only do just that (plus the things allowed by the 'default' policy, if that is attached as well).

A token with access to a path cannot create another token with similar permissions on the same path, as that would defeat the purpose of token renewals and rotations.

If a token carries a policy with the "update" capability on the "auth/token/create" path, that token can issue other tokens.
However, this is a security sensitive permission and should be carefully issued out.

Hope this helps!

Regards,
Vishal


--
vn

sumeet....@collectivehealth.com

Jul 7, 2016, 1:47:17 PM
to Vault
Thanks Vishal. That helps a lot.

Sumeet

vishal nayak

Jul 7, 2016, 2:06:57 PM
to vault...@googlegroups.com
Hi Sumeet,

Since your question was specifically about orphan tokens, I would like to bring one other thing to your attention.

For a non-root token to be able to issue other tokens, the "update" capability on "auth/token/create" is required.

For a non-root token to be able to issue "orphan" tokens, the ["update", "sudo"] capabilities on "auth/token/create" are required.

For a non-root token to be able to issue "orphan" tokens without "sudo" or "root" permissions, the "update" capability on "auth/token/create-orphan" is required. This needs to be invoked directly through the API; the CLI does not support it.
For more details, refer to the API section here: https://www.vaultproject.io/docs/auth/token.html

Hope this helps!

Regards,
Vishal




--
vn
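To make the three cases Vishal lists concrete, here is a small Python model of the capability check a policy has to pass before a token can mint another token. It is an illustration added for this thread, not code from Vault itself: the matching rules are a simplified imitation of Vault's ACL (exact path or trailing-`*` glob, longest match wins, an explicit `deny` always wins, a request on a root-protected path also needs `sudo`), and the policy contents (`secret/app/config`, the four policy dictionaries) are constructed for the example. The path and capability names are the ones from the thread: `auth/token/create`, `auth/token/create-orphan`, `update`, `sudo`.

```python
"""
Toy model of Vault-style policy evaluation, written for this thread (not Vault's
own implementation). It shows why a token that only has "read" on a secret path
is denied on auth/token/create, and which capabilities each orphan-creation
route needs.
"""

# Constructed policies (assumed paths, not taken from the thread's deployment).
READ_ONLY_POLICY = {            # like Sumeet's token: read on one path only
    "secret/app/config": {"read"},
}
TOKEN_ISSUER_POLICY = {         # may mint child tokens, but not orphans
    "secret/app/config": {"read"},
    "auth/token/create": {"update"},
}
SUDO_ISSUER_POLICY = {          # may mint orphans via the sudo-protected route
    "auth/token/create": {"update", "sudo"},
}
ORPHAN_ISSUER_POLICY = {        # may mint orphans via the dedicated endpoint
    "auth/token/create-orphan": {"update"},
}
GLOB_POLICY = {                 # shows glob matching and an explicit deny
    "secret/*": {"read"},
    "secret/restricted": {"deny"},
}


def required_capabilities(path, operation, orphan=False):
    """Capabilities a request needs. Asking auth/token/create for an orphan is
    treated as root-protected, so "sudo" is added on top of "update"."""
    needed = {operation}
    if path == "auth/token/create" and orphan:
        needed.add("sudo")
    return needed


def _matching_rule(policy, path):
    """Most specific rule governing `path`: exact match first, else the longest
    trailing-* glob whose prefix matches. Returns (rule_path, caps) or None."""
    best = None
    for rule_path, caps in policy.items():
        if rule_path == path:
            return (rule_path, caps)
        if rule_path.endswith("*") and path.startswith(rule_path[:-1]):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, caps)
    return best


def is_allowed(policy, path, operation, orphan=False):
    """No matching rule -> denied; "deny" -> denied; otherwise every required
    capability must be granted by the matching rule."""
    match = _matching_rule(policy, path)
    if match is None:
        return False
    caps = match[1]
    if "deny" in caps:
        return False
    return required_capabilities(path, operation, orphan) <= caps


def explain(policy, path, operation, orphan=False):
    """Decision plus the capabilities that are missing, for a readable
    'permission denied' diagnosis."""
    match = _matching_rule(policy, path)
    granted = match[1] if match else set()
    missing = required_capabilities(path, operation, orphan) - granted
    return {"allowed": is_allowed(policy, path, operation, orphan),
            "missing": sorted(missing)}


if __name__ == "__main__":
    cases = [
        ("read-only token reads its own path", READ_ONLY_POLICY, "secret/app/config", "read", False),
        ("read-only token tries auth/token/create", READ_ONLY_POLICY, "auth/token/create", "update", False),
        ("issuer mints a child token", TOKEN_ISSUER_POLICY, "auth/token/create", "update", False),
        ("issuer asks for an orphan (needs sudo)", TOKEN_ISSUER_POLICY, "auth/token/create", "update", True),
        ("sudo issuer mints an orphan", SUDO_ISSUER_POLICY, "auth/token/create", "update", True),
        ("orphan issuer uses create-orphan", ORPHAN_ISSUER_POLICY, "auth/token/create-orphan", "update", False),
        ("glob read, explicit deny on one path", GLOB_POLICY, "secret/restricted", "read", False),
    ]
    for label, policy, path, op, orphan in cases:
        print(f"{label:42s} -> {explain(policy, path, op, orphan)}")
```

Running the script prints one line per case; the second and fourth cases reproduce the "permission denied" Sumeet saw, with `missing` naming the capability the policy lacks (`update` for the read-only token, `sudo` for the issuer asking for an orphan on `auth/token/create`). The model deliberately grants nothing by default, which is the least-privilege behaviour the thread relies on: a token that can only read a secret path gets no token-minting rights as a side effect.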

sumeet....@collectivehealth.com

Jul 7, 2016, 2:14:39 PM
to Vault
Hi Vishal, 
Thanks for the additional info. 
Sumeet

Jeff Mitchell

Jul 7, 2016, 2:42:10 PM
to vault...@googlegroups.com
Hi Sumeet,

Also look at the Roles functionality within the token auth mount
(https://www.vaultproject.io/docs/auth/token.html). This is the
recommended way to grant access to create orphan tokens, as it's much
more structured.

Best,
Jeff

sumeet....@collectivehealth.com

Jul 7, 2016, 4:01:23 PM
to Vault
Thanks guys. I appreciate the quick responses and all the help. I am able to do what I wanted to. I will make sure to create a new thread instead of posting in an existing one in the future.

Regards
Sumeet