Auth/token/lookup-self does not work

Hi,

Am I going mad??

$ vault token create -ttl 15m -policy test
Key                  Value
---                  -----
token                s.YuMTkrFzVtr6A5by5jLwJIYS
token_accessor       SbTuBuAyeeUThADDfkxRqgSi
token_duration       15
token_renewable      true
token_policies       ["default" "test"]
identity_policies    []
policies             ["default" "test"]
$ vault token capabilities s.YuMTkrFzVtr6A5by5jLwJIYS auth/token/lookup-self
read
$ export VAULT_TOKEN=s.YuMTkrFzVtr6A5by5jLwJIYS
$ vault kv get auth/token/lookup-self
Error making API request.

URL: GET http://localhost:8200/v1/sys/internal/ui/mounts/auth/token/lookup-self
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "auth/token/lookup-self/"

Thanks,

Ian

I think you want to use the command vault read auth/token/lookup-self instead.


Ha, doh. Yep, that works.

But… it does beg the question why vault kv get auth/token/lookup-self works with a root token, but not a non-root one??

Thanks!

Ian

The default policy contains this as the allowed path:

path "auth/token/lookup-self" {
    capabilities = ["read"]
}

The permission denied message cites a different path (not sure why).

You could probably add the following to the default policy to get it to work for any token:

path "sys/internal/ui/mounts/auth/token/lookup-self" {
    capabilities = ["read"]
}

EDIT: Nope - that doesn’t work either. I’m also curious why that doesn’t work now.

“But… it does beg the question why vault kv get auth/token/lookup-self works with a root token, but not a non-root one??”

Can’t it be because the root token is always allowed everything? :sunglasses: