"child policies must be subset of parent" when creating a new token

y2kbug February 2, 2025, 5:14am 2

It seems I have solved the issue.

Referring to this post:

I have added sudo to the parent policy:

path "auth/token/create" {
  capabilities = ["sudo","create", "update"]
}

And using -no-default-policy -orphan in token create:

vault token create -no-default-policy -orphan -policy=${REPO_NAME} -format=json

Topic		Replies	Views
Error creating token: child policies must be subset of parent Vault	2	1930	May 26, 2021
Restrict creating tokens to policies with a subset of privileges Vault vault	0	32	December 13, 2024
Create token issues (child policies must be subset of parent) Vault	3	4771	September 13, 2022
Non root token that can create new tokens with newly created policy Vault	5	354	March 15, 2023
Token capabilities either wrongly calculated from policy or docs are wrong Vault vault , policy-as-code	0	25	July 17, 2024