Difference between "token_policies" , "identity_policies" and "policies"


Pratish Shrestha

Mar 21, 2019, 2:31:00 AM
to Vault
Hi,
I am rather confused by these 3 policies ("token_policies", "identity_policies" and "policies").

Scenario:
- I have a user with these identity_policies

[Screenshot: Screen Shot 2019-03-21 at 12.09.22 PM.png]

- I want to create a token with only "vyaguta" policy attached to it.

- Command:
$ vault token create -policy=vyaguta

- Now, this token has these policies.
[Screenshot: Screen Shot 2019-03-21 at 12.11.13 PM.png]

Questions:
1. What is the difference between "token_policies", "identity_policies" and "policies"?
2. Even though I created a token with " -policy=vyaguta ", this token seems to have admin access as well. How do I create a token with only one policy attached to it?
3. By reading the docs, I found out that " orphan tokens " can be used for attaching one policy for the token. But what is the use of " vault token create -policy=vyaguta " then? Very confused here.

bganeshmail

Mar 21, 2019, 4:04:22 AM
to vault...@googlegroups.com
Identity Policies are the ones associated with specific identities and used with an auth method.

Token Policies are the ones associated with specific tokens and used with the token auth method.

You received this message because you are subscribed to the Google Groups "Vault" group.

Raju Dawadi

Mar 21, 2019, 4:37:13 AM
to Vault
I would recommend going through the Vault Identity scenario (https://www.katacoda.com/hashicorp/scenarios/vault-identity). It's a good resource to get the concept of identity_policies, which come into action when you are using identity providers like GitHub or LDAP.

Second, vault token create -policy=vyaguta shouldn't give the admin access but only the specific policy attached unless your policy vyaguta grants so.

Pratish Shrestha

Mar 21, 2019, 5:15:10 AM
to Vault
Yes, that was exactly my concern. 
vault token create -policy=vyaguta

This should only attach the vyaguta policy, and it does in the "token_policies". But it still has the "admin" policy attached to it in the "identity_policies", as shown below:

[Screenshot: Screen Shot 2019-03-21 at 12.11.13 PM.png]

This grants all the "admin" access to this newly created token as well.

mic...@hashicorp.com

Mar 21, 2019, 8:33:05 AM
to Vault
Hi Pratish,

> 1. What is the difference between "token_policies", "identity_policies" and "policies"?

"token_policies" are policies which are directly associated with a token. If you create a token via "vault token create -policy=mypolicy" then "token_policies" should only include your "mypolicy" (except "default" policy which is a special policy). If you just leave out the "-policy" parameter, the created token will automatically inherit all policies from the current active user.
"identity_policies" are policies which are directly associated with the linked entity and entity groups. If you create a non-orphan token, this token will always automatically inherit the parent's entity and entity groups and therefore all policies related to those.
"policies" is just a correlation of "token_policies" and "identity_policies". It shows you all available policies for this token.

> 2. Even though I created a token with " -policy=vyaguta ", this token seems to have admin access as well. How do I create a token with only one policy attached to it?

Since you created a non-orphan token, this token inherited all related policies from the linked entity. You need to create an orphan token to avoid that.  

> 3. By reading the docs, I found out that " orphan tokens " can be used for attaching one policy for the token. But what is the use of " vault token create -policy=vyaguta " then? Very confused here.

If you don't use the identity system at all and you create a token without explicitly specifying policies, the created token will inherit all policies from the current active user. The policy parameter is helpful to limit the inherited policies from the current active user.

Cheers,
Michel

Pratish Shrestha

Mar 21, 2019, 8:48:53 AM
to Vault
Thanks for the reply Michel.

> The policy parameter is helpful to limit the inherited policies from the current active user.
 
So setting -policy=mypolicy will only work to limit the inherited policies if I am not using an identity system (LDAP in my case)? 
And if so, I will always have to create an orphan token?
 

mic...@hashicorp.com

Mar 21, 2019, 9:52:10 AM
to Vault
> So setting -policy=mypolicy will only work to limit the inherited policies if I am not using an identity system (LDAP in my case)?

The "-policy" command overwrites the inherited policies by the current user/token. It's not related to the identity system.
 
> And if so, I will always have to create an orphan token?

Yes, if you want to avoid policies being inherited from the identity system.
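The two replies from Michel above describe three things: how the "policies" field relates to "token_policies" and "identity_policies", how a non-orphan token picks up entity policies, and what "-policy" and "-orphan" change. The script below is an added example written for this thread; it is not code from the original posts or from HashiCorp. It assumes the JSON shape printed by "vault token lookup -format=json" (a "data" object with "policies", "token_policies", "identity_policies", "orphan" and "entity_id"), uses a constructed lookup result with placeholder IDs, and models the inheritance rules exactly as the replies state them (a simplified model, not Vault's implementation). It lets an operator check whether a freshly created token carries more than the intended policy and whether the excess comes through the entity link.

```python
"""Check which policies a Vault token really carries and where they come from.

Added example for the thread above; not code from the original posts or from
HashiCorp.  Assumes the JSON shape of `vault token lookup -format=json` and
models token creation as Michel describes it (simplified).
"""
import json

# Constructed sample lookup output for a token made with
# `vault token create -policy=vyaguta` by a user whose entity carries "admin".
# IDs are placeholders, not real Vault values.
SAMPLE_LOOKUP = json.dumps({
    "data": {
        "id": "TOKEN-ID-PLACEHOLDER",
        "entity_id": "ENTITY-ID-PLACEHOLDER",
        "orphan": False,
        "token_policies": ["default", "vyaguta"],
        "identity_policies": ["admin"],
        "policies": ["admin", "default", "vyaguta"],
    }
})


def effective_policies(token_policies, identity_policies):
    """`policies` is the combination of the two lists (sorted, no duplicates)."""
    return sorted(set(token_policies) | set(identity_policies))


def explain_token(lookup_json, intended):
    """Classify a looked-up token's policies by origin and flag excess.

    `intended` is the set the operator meant to grant, e.g. {"vyaguta"}.
    "default" is special in Vault and is not counted as excess.
    """
    data = json.loads(lookup_json)["data"]
    tok = set(data.get("token_policies", []))
    ident = set(data.get("identity_policies", []))
    effective = set(data.get("policies", [])) or (tok | ident)
    excess = effective - set(intended) - {"default"}
    return {
        "effective": sorted(effective),
        "from_token_only": sorted(tok - ident),
        "from_entity_only": sorted(ident - tok),
        "inherited_via_entity": bool(ident) and not data.get("orphan", False),
        "excess": sorted(excess),
        # Per the thread: excess that arrives through identity_policies is only
        # avoided by creating an orphan token.
        "needs_orphan": bool(ident & excess),
    }


def simulate_token_create(requested, orphan, parent_token_policies, entity_policies):
    """Model of `vault token create` as described in the replies (simplified).

    - no -policy given: the child gets the parent's token policies
    - -policy given: only the listed policies, plus the special "default"
    - non-orphan: policies of the linked entity still apply
    - orphan: the entity link is dropped, so nothing is inherited from it
    """
    token_policies = set(requested) if requested else set(parent_token_policies)
    token_policies.add("default")
    identity_policies = set() if orphan else set(entity_policies)
    return {
        "token_policies": sorted(token_policies),
        "identity_policies": sorted(identity_policies),
        "policies": effective_policies(token_policies, identity_policies),
    }


if __name__ == "__main__":
    print(json.dumps(explain_token(SAMPLE_LOOKUP, {"vyaguta"}), indent=2))
    for orphan in (False, True):
        print("orphan" if orphan else "non-orphan",
              simulate_token_create(["vyaguta"], orphan, ["default", "admin"], ["admin"]))
```

To use it against a live server, replace SAMPLE_LOOKUP with the output of "vault token lookup -format=json" for the token in question; a non-empty "excess" with "needs_orphan" true is exactly the situation in the original question.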