Avoid using root token to create approle secret

Dear HashiCorp community,

Based on this example, does the “trusted entity” need to use the root token to generate the secretID? If not, how could I generate a token that can only generate secretIDs for a specific policy?

Thank you

You can use any token you want/can to set up your environment and authentication. The only thing you shouldn’t do is create other tokens without realizing and restricting what those tokens are capable of.

Best practice says: init, set up, and revoke the root token.
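
An added example, not part of the thread and not HashiCorp's own code: one way to give the trusted entity a token restricted to generating SecretIDs for a single role. It assumes AppRole is mounted at `auth/approle/`; the role name `my-app`, the policy name suffix `-secret-id-issuer`, the 1h TTL and the function names are all hypothetical.

```shell
#!/bin/sh
# Added example: mint a token that can only generate SecretIDs for one AppRole.
# Assumptions (not from the thread): AppRole is mounted at auth/approle/,
# the role is "my-app", the policy is named "<role>-secret-id-issuer".

# Print a policy that grants only SecretID generation for one role.
# Names containing "/", "*" or "+" are rejected so the policy path
# cannot be widened to other roles or endpoints.
render_policy() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid role name: $1" >&2; return 1 ;;
  esac
  cat <<EOF
path "auth/approle/role/$1/secret-id" {
  capabilities = ["update"]
}
EOF
}

# Write the policy and create a short-lived token bound to it alone.
# Run this with an operator token that may write policies and create
# tokens; it does not have to be the root token.
issue_token() {
  role=$1
  policy="${role}-secret-id-issuer"
  policy_text=$(render_policy "$role") || return 1
  printf '%s\n' "$policy_text" | vault policy write "$policy" - || return 1
  # -no-default-policy: the token gets nothing beyond the one path above.
  vault token create -policy="$policy" -no-default-policy -ttl=1h
}

# The trusted entity then uses the issued token for the only call it permits:
#   VAULT_TOKEN=<issued token> vault write -f auth/approle/role/my-app/secret-id
if [ "${1:-}" = "apply" ]; then
  issue_token "${2:-my-app}"
fi
```

Running the script with `apply my-app` needs a reachable Vault server and the `vault` CLI; without arguments it only defines the functions.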