Different behaviour creating a token through api and cli


I am learning HashiCorp Vault and realised the CLI and API behaviour is different when creating tokens. For instance:

$ vault token create -policy=devops-ws/gitlab/tds/secret 
Key                  Value
---                  -----
token                s.tB1kPOEQ2NpeqYhQJSCuyCRv
token_accessor       1ISxMpxdU4NOiRFEv8rhnooZ
token_duration       768h
token_renewable      true
token_policies       ["default" "devops-ws/gitlab/tds/secret"]
identity_policies    []
policies             ["default" "devops-ws/gitlab/tds/secret"]
$ vault token lookup s.tB1kPOEQ2NpeqYhQJSCuyCRv
Key                 Value
---                 -----
accessor            1ISxMpxdU4NOiRFEv8rhnooZ
creation_time       1633716193
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2021-11-09T18:03:13.137257188Z
explicit_max_ttl    0s
id                  s.tB1kPOEQ2NpeqYhQJSCuyCRv
issue_time          2021-10-08T18:03:13.137270207Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default devops-ws/gitlab/tds/secret]
renewable           true
ttl                 767h59m45s
type                service

So I created a token and assigned it to the policy devops-ws/gitlab/tds/secret

Now I am going to attempt the same through api

$ cat create_token.json 
{
 "policies": ["devops-ws/gitlab/tds/secret"],
 "ttl": "1h",
 "renewable": true
}
$ curl --silent -X POST \
> -d create_token.json \
> $VAULT_ADDR/v1/auth/token/create \
> -H "X-Vault-Token: "$VAULT_ROOT_KEY
$ vault token lookup s.u0zfTQAbCVOOdzneuUuH7FLK
Key                 Value
---                 -----
accessor            NzdWSxLRuinBCWCUXTsaUF8u
creation_time       1633716240
creation_ttl        0s
display_name        token
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.u0zfTQAbCVOOdzneuUuH7FLK
issue_time          2021-10-08T18:04:00.757031672Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [root]
renewable           false
ttl                 0s
type                service

In this case the API ignores the content of the payload.

What is the reason behind this behavior?

Thank you.

I believe the /create endpoint creates a token based on your current token, in this case root.
You probably want to use the /create-orphan endpoint to specify a policy that isn’t assigned to the token making the request.

You’re using the wrong curl option. That’s why your request response is only a request id and not a JSON of the return object. It’s telling you there is an error in your request.

-d xyx.json … is a raw JSON string (and invalid, so it will be ignored)
-d @xxx.json is a file name whose contents will be sent along with the request.

curl -X POST -H "X-Vault-Token: $(vault print token)" -d '{"policies": ["foo-policy"], "ttl":"1h0m0s","renewable":true}' https://vault:8200/v1/auth/token/create
      "Policy \"foo-policy\" does not exist"

$ VAULT_FORMAT=json vault token lookup s.CP9upWK18E7cx8sbGW6d6oTY | jq '(.data.policies[]),.data.ttl'

@jeffsanicola The original issue is a curl parameter, but just to address your answer.

/create-orphan endpoint is just an alias for /create with a JSON object with “no_parent”: true. You don’t need to switch endpoints unless that’s the only option you’re setting.

I should mention that PLEASE stop using root tokens as your login/use token. You can get yourself into a lot of trouble, and cause security issues. Set up your policy and user and log in to Vault – in fact you should revoke the root token and generate a new one if you need one – which you shouldn’t.
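A complete version of the corrected call, added here as an example and not code from the thread or from HashiCorp: it sends the JSON body properly (the `-d @file` / inline-string case from the curl answer), sets `no_parent` in the body instead of switching to /create-orphan as the last reply describes, and then reads the new token back with `auth/token/lookup-self` to confirm that policies, TTL and renewability match what was requested. That read-back is the check that would have flagged the silently ignored body at once (policies `[root]`, ttl `0s`). It assumes `VAULT_ADDR` and `VAULT_TOKEN` in the environment, with `VAULT_TOKEN` a non-root token whose policy allows `auth/token/create`; the policy name `example-policy`, the function names and the lookup samples (converted from the thread's two `vault token lookup` outputs into the integer-seconds form the JSON API returns) are constructed for this example.

```python
"""Create a Vault token over the HTTP API and verify the result against the request."""
import json
import os
import re
import urllib.request

DURATION_RE = re.compile(r"(\d+)([hms])")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

# Constructed from the thread's two lookups, in the form the JSON API returns
# (creation_ttl as seconds rather than the CLI's "768h" rendering).
THREAD_LOOKUPS = {
    "cli": {"policies": ["default", "devops-ws/gitlab/tds/secret"],
            "creation_ttl": 2764800, "renewable": True},
    "api": {"policies": ["root"], "creation_ttl": 0, "renewable": False},
}


def parse_duration(text):
    """Convert a Go-style duration such as '1h', '1h0m0s' or '767h59m45s' to seconds."""
    if not re.fullmatch(r"(\d+[hms])+", text):
        raise ValueError(f"not a duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in DURATION_RE.findall(text))


def token_request(policies, ttl="1h", renewable=True, no_parent=False):
    """Build the auth/token/create payload; no_parent=True is what /create-orphan sets."""
    body = {"policies": list(policies), "ttl": ttl, "renewable": renewable}
    if no_parent:
        body["no_parent"] = True
    return body


def check_token(requested, lookup_data):
    """Return a list of discrepancies between the create request and lookup data.

    An empty list means the token carries the policies, TTL and renewability
    that were asked for.  A root policy or a zero TTL is reported explicitly,
    since that is exactly how an ignored request body shows up.
    """
    problems = []
    expected = set(requested["policies"]) | {"default"}  # Vault adds 'default' by default
    got = set(lookup_data.get("policies", []))
    if got != expected:
        problems.append(f"policies: wanted {sorted(expected)}, got {sorted(got)}")
    if "root" in got:
        problems.append("token carries the root policy")
    want_ttl = parse_duration(requested["ttl"])
    got_ttl = int(lookup_data.get("creation_ttl", 0))
    if got_ttl != want_ttl:
        problems.append(f"creation_ttl: wanted {want_ttl}s, got {got_ttl}s")
    if bool(lookup_data.get("renewable")) != bool(requested["renewable"]):
        problems.append(f"renewable: wanted {requested['renewable']}, got {lookup_data.get('renewable')}")
    return problems


def vault_api(method, path, token, body=None):
    """Minimal Vault API call; the body goes out as JSON, like curl -d @file or -d '{...}'."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR'].rstrip('/')}/v1/{path}",
        data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_and_verify(policies, ttl="1h"):
    """Create a child token of VAULT_TOKEN, look it up and return (accessor, problems)."""
    requested = token_request(policies, ttl)
    created = vault_api("POST", "auth/token/create", os.environ["VAULT_TOKEN"], requested)
    new_token = created["auth"]["client_token"]
    lookup = vault_api("GET", "auth/token/lookup-self", new_token)["data"]
    return lookup["accessor"], check_token(requested, lookup)


def demo_offline():
    """Run the check over the thread's two lookups; no Vault server needed."""
    cli = check_token(token_request(["devops-ws/gitlab/tds/secret"], "768h"), THREAD_LOOKUPS["cli"])
    api = check_token(token_request(["devops-ws/gitlab/tds/secret"], "1h"), THREAD_LOOKUPS["api"])
    return {"cli": cli, "api": api}


if __name__ == "__main__":
    if "VAULT_ADDR" in os.environ and "VAULT_TOKEN" in os.environ:
        accessor, problems = create_and_verify(["example-policy"])  # placeholder policy name
        print("accessor", accessor, "OK" if not problems else problems)  # never print the token
    else:
        print(json.dumps(demo_offline(), indent=2))
</test>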