In a Jenkins build, an AppRole is used with this ACL policy:
path "auth/token/create" {
  capabilities = ["create", "update"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/revoke-self" {
  capabilities = ["update"]
}
path "sys/mounts" {
  capabilities = ["list", "read"]
}
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "list", "patch"]
}
path "sys/policies/acl" {
  capabilities = ["list"]
}
path "sys/policies/acl/*" {
  capabilities = ["update"]
}
path "*" {
  capabilities = ["list", "read", "create"]
}
During build, the below policy is created for the project:
path "sys/mounts" {
  capabilities = ["list"]
}
path "sys/mounts/*" {
  capabilities = ["read", "list"]
}
path "projectname" {
  capabilities = ["list"]
}
path "projectname/*" {
  capabilities = ["read", "list"]
}
And I see this in the Jenkins log:
vault token create -policy=projectname -format=json
Error creating token: Error making API request.
URL: POST ****/v1/auth/token/create
Code: 400. Errors:
* child policies must be subset of parent
It seems the parent policy has covered everything in the child token.
I have tried the -no-default-policy and -orphan options, but I get the same error.
Thanks.
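As an added illustration (not code from the post or from Vault itself), the snippet below models the check Vault's token store applies when a child token is requested without a token role: it compares the policy names attached to the parent token with the names requested for the child, not the paths or capabilities inside those policies. The policy names "jenkins-build" and the role settings are constructed assumptions for the demonstration.

```python
# Models Vault's "child policies must be subset of parent" check.
# Assumption (from Vault's documented token-store behaviour): the check is
# on policy NAMES; it is skipped for root or for a parent holding "sudo" on
# auth/token/create, and a token role with allowed_policies replaces it.

class ChildPoliciesNotSubset(Exception):
    """Mirrors Vault's 400 error: child policies must be subset of parent."""

def resolve_child_policies(parent_policies, requested, *, parent_has_sudo=False,
                           role_allowed_policies=None):
    """Return the policy list a child token would receive, or raise.

    parent_policies: names on the token doing the create (the AppRole token).
    requested: names passed as -policy=...; empty inherits the parent's list.
    parent_has_sudo: parent ACL grants "sudo" on auth/token/create.
    role_allowed_policies: allowed_policies of a token role used via
      auth/token/create/<role>; None means no role was used.
    """
    parent = set(parent_policies)
    if not requested:
        return sorted(parent)
    if "root" in parent or parent_has_sudo:
        return sorted(requested)
    if role_allowed_policies:
        denied = set(requested) - set(role_allowed_policies)
        if denied:
            raise PermissionError(f"not allowed by token role: {sorted(denied)}")
        return sorted(requested)
    missing = set(requested) - parent
    if missing:
        raise ChildPoliciesNotSubset(
            "child policies must be subset of parent: "
            f"{sorted(missing)} not in {sorted(parent)}")
    return sorted(requested)

# The situation from the post: the AppRole token carries its own policy only
# (constructed name "jenkins-build"), so requesting "projectname" is rejected
# even though that policy grants strictly fewer paths and capabilities.
APPROLE_POLICIES = ["default", "jenkins-build"]

def demo_post_scenario():
    try:
        resolve_child_policies(APPROLE_POLICIES, ["projectname"])
    except ChildPoliciesNotSubset as exc:
        return f"rejected: {exc}"
    return "accepted"

if __name__ == "__main__":
    print(demo_post_scenario())
```

The same call succeeds once "projectname" is attached to the AppRole's own policy list, or when the child is created through a token role whose allowed_policies includes it.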