vault policies - can't create child token

Donislav Belev
Aug 16, 2018, 11:07:58 AM
to Vault
Hello
I have configured 2 policies - one is integrations and the other one is called child-token.

vault policy read child-token
path "auth/token/create/" {
  capabilities = ["create", "read", "update", "delete", "list"]
}



I have issued a token like this:

vault token create -policy integrations -policy child-token


vault token lookup 12ec6146-e3f1-bac1-050e-1edbab819f24
Key                 Value
---                 -----
accessor            9f866dcb-2688-bddc-164f-6daf91469845
creation_time       1534425677
creation_ttl        8760h
display_name        token
entity_id           n/a
expire_time         2019-08-16T13:21:17.847761006Z
explicit_max_ttl    0s
id                  12ec6146-e3f1-bac1-050e-1edbab819f24
issue_time          2018-08-16T13:21:17.847752724Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [child-token default integrations]
renewable           true
ttl                 8758h30m48s



The token I am creating however is not capable of creating child tokens:


Error creating token: Error making API request.

URL: POST http://127.0.0.1:8200/v1/auth/token/create
Code: 403. Errors:

* permission denied


Any idea why my token has no permission for creating child tokens although it has attached policy child-token with permissions on auth/token/create?



Regards
Donislav

Deric
Aug 17, 2018, 9:48:18 AM
to Vault
I think there are two issues going on here.
1. The permission denied looks like it's coming from the trailing slash in your policy path
2. The path capabilities should include 'sudo'

Error creating token: Error making API request.

URL: POST http://127.0.0.1:8200/v1/auth/token/create
Code: 400. Errors:

* root or sudo privileges required to create periodic token

Hope that helps :)

Donislav Belev
Aug 17, 2018, 10:20:33 AM
to Vault
Hello
Thank you for the reply Deric

I think I've solved the issue by changing the path to:

auth/token/*


A bit weird for me but it works now.

Jeff Mitchell
Aug 17, 2018, 3:05:44 PM
to Vault
Hi there,

As Deric said, the problem is that your path was 'auth/token/create/' instead of 'auth/token/create'. The trailing slash matters.

However, do *not* simply give sudo permissions to that path unless required. It enables some things that are relatively dangerous.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7bc6fc0f-01a4-4a8a-84f5-3e13640b15bd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
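The two replies above come down to how Vault matches a request path against policy rules: a rule path is compared as an exact string unless it ends in `*`, which makes it a prefix (glob) rule, so `auth/token/create/` with its trailing slash never matches a request to `auth/token/create`. As an added example (not code from the thread, and not Vault's own ACL implementation), here is a small Python simulation of that matching logic applied to the three policies the thread discusses: the original rule with the trailing slash, the `auth/token/*` glob that "works", and a narrower exact rule on `auth/token/create`. The `parse_policy` helper, the `authorize` function and the sample policies are constructed for this example; the "most specific rule wins", "trailing `*` is a prefix rule" and "periodic tokens need sudo" behaviours mirror Vault's documented rules, everything else (such as `create` vs. `update` on first write, and `deny` precedence across several policies) is simplified away.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str
    capabilities: frozenset


def parse_policy(hcl: str) -> list:
    """Toy parser for the `path "..." { capabilities = [...] }` form shown in the thread.
    Constructed for this example; it is not Vault's HCL parser."""
    block = re.compile(
        r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
    )
    rules = []
    for m in block.finditer(hcl):
        caps = frozenset(re.findall(r'"([^"]+)"', m.group(2)))
        rules.append(Rule(m.group(1), caps))
    return rules


def rule_matches(rule_path: str, request_path: str) -> bool:
    # A rule ending in '*' is a prefix (glob) rule; anything else must match exactly.
    # The trailing slash is part of the exact string, so "auth/token/create/" does
    # not match a request to "auth/token/create".
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def most_specific_rule(rules: list, request_path: str):
    # When several rules match, the longest (most specific) rule path wins.
    matching = [r for r in rules if rule_matches(r.path, request_path)]
    return max(matching, key=lambda r: len(r.path), default=None)


def authorize(rules: list, request_path: str, capability: str, periodic: bool = False):
    """Return (allowed, reason) for one request, using the two error strings from the thread."""
    rule = most_specific_rule(rules, request_path)
    if rule is None or "deny" in rule.capabilities or capability not in rule.capabilities:
        return (False, "permission denied")
    # Creating a periodic token is one of the operations gated behind sudo/root.
    if periodic and "sudo" not in rule.capabilities:
        return (False, "root or sudo privileges required to create periodic token")
    return (True, "ok")


def request_path(url: str) -> str:
    """Strip the API prefix: 'http://127.0.0.1:8200/v1/auth/token/create' -> 'auth/token/create'."""
    return url.split("/v1/", 1)[1]


# The original child-token policy from the first post (trailing slash, over-broad capabilities).
ORIGINAL_POLICY = '''
path "auth/token/create/" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''

# The glob fix from the follow-up post: matches, but also covers every other auth/token/ endpoint.
BROAD_POLICY = '''
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''

# Constructed least-privilege alternative: exact path, only the capabilities a POST needs, no sudo.
LEAST_POLICY = '''
path "auth/token/create" {
  capabilities = ["create", "update"]
}
'''

if __name__ == "__main__":
    target = request_path("http://127.0.0.1:8200/v1/auth/token/create")
    for name, text in [("original", ORIGINAL_POLICY), ("broad", BROAD_POLICY), ("least", LEAST_POLICY)]:
        rules = parse_policy(text)
        print(name, "create child token:", authorize(rules, target, "update"))
        print(name, "revoke a token:   ", authorize(rules, "auth/token/revoke", "update"))
        print(name, "periodic token:   ", authorize(rules, target, "update", periodic=True))
```

Running it shows the original policy denying the child-token request, the glob policy allowing it but also allowing `auth/token/revoke` (and any other `auth/token/` endpoint), and the exact-path policy allowing only the create call while still refusing a periodic token without sudo, which is the distinction Jeff draws.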

Donislav Belev
Aug 17, 2018, 3:12:24 PM
to vault...@googlegroups.com
Got it. Thank you very much!
