I use OIDC for login and have assigned a policy to the users using it.
The policy should allow a user to create tokens of his own. Sadly, I get this error all the time:
child policies must be subset of parent.
If the policy is not configured right (tested), I get an "Access denied" error, which is why I assume the policy itself is fine.
During investigation I figured out that it is maybe related to the resolution of the identity_policies and policies. To my surprise, I was not able to figure out what the expected behavior should be.
What I get (vault token lookup):
    identity_policies    ["my-policy"]
    policies             ["default"]
What I think I should get:
    identity_policies    ["my-policy"]
    policies             ["default","my-policy"]
Any ideas why this happens? I am not sure if this is a bug or just a misconfiguration on my side.