Hello. I have an admin policy like this:
path "*" {
capabilities = ["list","read","create","update","delete","sudo"]
}
Root token revoked.
Default policy not modified.
I log in and try to create a token:
vault login <token>
Key Value
--- -----
token <token>
token_accessor <token_accessor>
token_duration 11h59m50s
token_renewable true
token_policies ["admin" " "default"]
identity_policies []
policies ["admin" " "default"]
token_meta_username user
First scenario:
vault token create -orphan=true -policy=admin -no-default-policy
Error creating token: Error making API request.
URL: POST https://vault.example.com/v1/auth/token/create
Code: 400. Errors:
* root or sudo privileges required to create orphan token
Second scenario:
vault token create -orphan=true -policy=test-certificate
Error creating token: Error making API request.
URL: POST https://vault.example.com/v1/auth/token/create
Code: 400. Errors:
* child policies must be subset of parent
Why is this happening? In my admin policy (with the asterisk) I have all permissions.
If I explicitly add this path to the admin policy, everything works correctly.
path "auth/token/create" {
capabilities = ["create","sudo"]
}