Permission denied error -- /auth/token/create API method, using root token


Amy Brown

Apr 11, 2016, 11:18:51 AM
to Vault
Good morning all,

I'm trying to create a token attached to a policy with the API. I'm using the root token in the API call.

I'm getting a permission denied error.

I just created the token for the named policy via the CLI and had no issues.

I'm using the dev server if that makes a difference. 

Here's my command syntax:

    curl -H -"X-Vault-Token: rootToken" -H "Content-Type: application/json" -X POST -d '{"policies":"policyName"}' http://ip:port/v1/auth/token/create


David Adams

Apr 11, 2016, 11:47:19 AM
to vault...@googlegroups.com
What version of Vault are you using?

With the exact syntax you posted, there's a stray hyphen in front of '"X-Vault-Token:' which will cause a problem, although I get "missing client token" rather than "permission denied". I only get "permission denied" when the root token I pass is actually not valid. But perhaps it was just a copy/paste error.

Anyway, with a valid root token on my dev instance, I get an error that "policies" needs to be an array. This command syntax worked for me:

    curl -H "X-Vault-Token: rootToken" -H "Content-Type: application/json" -X POST -d '{"policies":["policyname"]}' http://127.0.0.1:8200/v1/auth/token/create

-dave



Amy Brown

Apr 11, 2016, 2:04:45 PM
to Vault
I hope this reply works... great UX, Google. :-(

I am running vault 0.5.2 on an ArchLinux (VirtualBox guest of Windows 7 host).

Unfortunately that extra hyphen was a copy/paste error... wish it were that easy. 

I can get a system status with the API as root.

But even asking for the list of policies as root fails.

    $ curl -H "X-Vault-Token: xxx" -X GET http://ip:port/v1/sys/policy
    {"errors":["permission denied"]}

Amy Brown

Apr 11, 2016, 2:29:29 PM
to Vault
This is all set.  Part of the problem is that I'd apparently copied the root token from the wrong place.

I would probably not have guessed that the policies parameter took an array, though. Thanks so much, Dave. 
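
Added example, not part of any post in this thread: a small shell preflight for the two problems found above, which checks the token against Vault's `auth/token/lookup-self` endpoint before calling `auth/token/create` and always sends `policies` as a JSON array. The function names are hypothetical, and `VAULT_ADDR` and `VAULT_TOKEN` are assumed to be set in the environment.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for POST /v1/auth/token/create.
# Function names are hypothetical; VAULT_ADDR and VAULT_TOKEN are assumed
# to be exported by the caller.

# Build the request body with "policies" as a JSON array, as the API requires.
build_token_payload() {
  local out="" p
  [ "$#" -gt 0 ] || { echo "need at least one policy name" >&2; return 1; }
  for p in "$@"; do
    # Keep names to a conservative character set so no JSON escaping is needed.
    case "$p" in
      ""|*[!A-Za-z0-9_.-]*) echo "unsupported policy name: $p" >&2; return 1 ;;
    esac
    out="${out:+$out,}\"$p\""
  done
  printf '{"policies":[%s]}' "$out"
}

# Map a response body to the causes reported in this thread.
classify_vault_error() {
  case "$1" in
    *"missing client token"*) echo "header-not-sent" ;;               # malformed -H argument
    *"permission denied"*)    echo "token-invalid-or-unauthorized" ;; # wrong token copied
    *'"errors"'*)             echo "request-rejected" ;;              # e.g. policies not an array
    *)                        echo "ok" ;;
  esac
}

# Verify the token first, then create the child token for the given policies.
create_token() {
  local body resp
  body=$(build_token_payload "$@") || return 1
  resp=$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" \
    "${VAULT_ADDR}/v1/auth/token/lookup-self")
  if [ "$(classify_vault_error "$resp")" != "ok" ]; then
    echo "token check failed: $resp" >&2
    return 1
  fi
  curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" -H "Content-Type: application/json" \
    -X POST -d "$body" "${VAULT_ADDR}/v1/auth/token/create"
}
```

Source the file and run `create_token policyname`; a failed token check stops before the create call, so a bad token is not mistaken for a policy or payload problem.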
