Create token issues (child policies must be subset of parent)


I use OIDC for login and have assigned a policy to the users using it.
The policy should allow a user to create tokens of their own. Sadly, I get the error all the time: child policies must be subset of parent.
If the policy is not configured right (tested), I get an Access denied, which is why I assume the policy itself is fine.

During investigation I figured out that it is maybe related to the resolution of the identity_policies and policies. To my surprise, I was not able to figure out what the expected behavior should be.

What I get (vault token lookup):

identity_policies      ["my-policy"]
policies               ["default"]

What I think I should get

identity_policies      ["my-policy"]
policies               ["default","my-policy"]

Any ideas why this happens? I am not sure if this is a bug or just a misconfiguration on my side.

Many thanks! :slight_smile:

This is in fact on purpose!

When you create a token and put a policy on the token it is bound to that token for the token’s full lifetime. Identity policies are bound to your identity and can come or go at any time relative to the token’s lifetime. As a result, allowing binding of non-token policies to a child token could result in a privilege escalation, where even if the policy is removed from the identity, it would still be bound to the token. So it’s not allowed.
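
An added example, not part of the reply above and not Vault's own code: a simplified Python model of the rule it explains, where only token-bound policies count for the subset check while identity policies are resolved on each request. `Token`, `create_child`, `revocation_gap` and the `alice` entity are hypothetical names, and the sample data is constructed.

```python
# Simplified model of the rule described above; not Vault's source code.
# All names here (Token, create_child, the "alice" entity) are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    entity: str
    policies: frozenset  # bound to the token for its full lifetime

def identity_policies(store, token):
    # Looked up on every request, so changes to the identity apply immediately.
    return frozenset(store.get(token.entity, ()))

def effective_policies(store, token):
    return token.policies | identity_policies(store, token)

def create_child(store, parent, requested, count_identity=False):
    allowed = set(parent.policies)
    if count_identity:  # the permissive variant the answer says is not allowed
        allowed |= identity_policies(store, parent)
    if not set(requested) <= allowed:
        raise PermissionError("child policies must be subset of parent")
    # Model assumption: the child keeps the parent's entity.
    return Token(parent.entity, frozenset(requested))

def revocation_gap():
    """Show what the permissive variant would leave behind after revocation."""
    store = {"alice": {"my-policy"}}                 # constructed sample identity
    parent = Token("alice", frozenset({"default"}))  # matches the lookup output
    child = create_child(store, parent, ["my-policy"], count_identity=True)
    store["alice"].discard("my-policy")              # policy removed from identity
    return effective_policies(store, parent), effective_policies(store, child)

if __name__ == "__main__":
    store = {"alice": {"my-policy"}}
    parent = Token("alice", frozenset({"default"}))
    try:
        create_child(store, parent, ["my-policy"])
    except PermissionError as err:
        print("denied:", err)
    print("after revocation (parent, child):", revocation_gap())
```

In the permissive variant the parent loses `my-policy` as soon as it is removed from the identity, but the child token keeps it until the token expires or is revoked.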

Thank you for your answer. I think I (mostly) got it. :sweat_smile:

Maybe a little more background for the case:
We have some users with different identity permissions; these users should be able to delegate a subset of their permissions for a short time/one-time usage to a service. The idea here was to create a sub token based on their identity policies which obviously does will.

Is there any way to create a less privileged token based on identity policies?