Different behaviour creating a token through api and cli

hi,

I am learning HashiCorp Vault and realised the CLI and API behaviour is different when creating tokens. For instance:

$ vault token create -policy=devops-ws/gitlab/tds/secret 
Key                  Value
---                  -----
token                s.tB1kPOEQ2NpeqYhQJSCuyCRv
token_accessor       1ISxMpxdU4NOiRFEv8rhnooZ
token_duration       768h
token_renewable      true
token_policies       ["default" "devops-ws/gitlab/tds/secret"]
identity_policies    []
policies             ["default" "devops-ws/gitlab/tds/secret"]
$ vault token lookup s.tB1kPOEQ2NpeqYhQJSCuyCRv
Key                 Value
---                 -----
accessor            1ISxMpxdU4NOiRFEv8rhnooZ
creation_time       1633716193
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2021-11-09T18:03:13.137257188Z
explicit_max_ttl    0s
id                  s.tB1kPOEQ2NpeqYhQJSCuyCRv
issue_time          2021-10-08T18:03:13.137270207Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default devops-ws/gitlab/tds/secret]
renewable           true
ttl                 767h59m45s
type                service

So I created a token and assigned it to the policy devops-ws/gitlab/tds/secret

Now I am going to attempt the same through the API:

$ cat create_token.json 
{
 "policies": ["devops-ws/gitlab/tds/secret"],
 "ttl": "1h",
 "renewable": true
}
$ curl --silent -X POST \
> -d create_token.json \
> $VAULT_ADDR/v1/auth/token/create \
> -H "X-Vault-Token: "$VAULT_ROOT_KEY
{"request_id":"d4905243-517c-16ae-fca0-ee847f054cc3","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"s.u0zfTQAbCVOOdzneuUuH7FLK","accessor":"NzdWSxLRuinBCWCUXTsaUF8u","policies":["root"],"token_policies":["root"],"metadata":null,"lease_duration":0,"renewable":false,"entity_id":"","token_type":"service","orphan":false}}
$ vault token lookup s.u0zfTQAbCVOOdzneuUuH7FLK
Key                 Value
---                 -----
accessor            NzdWSxLRuinBCWCUXTsaUF8u
creation_time       1633716240
creation_ttl        0s
display_name        token
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.u0zfTQAbCVOOdzneuUuH7FLK
issue_time          2021-10-08T18:04:00.757031672Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [root]
renewable           false
ttl                 0s
type                service

In this case the API ignores the content of the payload.

What is the reason behind this behavior?

thank you

I believe the /create endpoint creates a token based on your current token, in this case root.
You probably want to use the /create-orphan endpoint to specify a policy that isn’t assigned to the token making the request.

You’re using the wrong curl option. That’s why your request response is only a request id and not a JSON of the return object. It’s telling you there is an error in your request.

-d xxx.json … sends that literal string as the raw body (which is invalid JSON and will be ignored).
-d @xxx.json is a file name whose contents will be sent along with the request.

curl -X POST -H "X-Vault-Token: $(vault print token)" -d '{"policies": ["foo-policy"], "ttl":"1h0m0s","renewable":true}' https://vault:8200/v1/auth/token/create
{
   "request_id":"e5eff66a-f5c9-7037-adef-11be2ab375c7",
   "lease_id":"",
   "renewable":false,
   "lease_duration":0,
   "data":null,
   "wrap_info":null,
   "warnings":[
      "Policy \"foo-policy\" does not exist"
   ],
   "auth":{
      "client_token":"s.CP9upWK18E7cx8sbGW6d6oTY",
      "accessor":"vk9saJNxIIjmwWAyLcIoD5Ux",
      "policies":[
         "default",
         "foo-policy"
      ],
      "token_policies":[
         "default",
         "foo-policy"
      ],
      "metadata":null,
      "lease_duration":3600,
      "renewable":true,
      "entity_id":"",
      "token_type":"service",
      "orphan":false
   }
}

$ VAULT_FORMAT=json vault token lookup s.CP9upWK18E7cx8sbGW6d6oTY | jq '(.data.policies[]),.data.ttl'
"default"
"foo-policy"
3453

@jeffsanicola The original issue is a curl parameter, but just to address your answer.

/create-orphan endpoint is just an alias for /create with a JSON object with “no_parent”: true. You don’t need to switch endpoints unless that’s the only option you’re setting.

I should mention that PLEASE stop using root tokens as your login/use token. You can get yourself into a lot of trouble, and cause security issues. Set up your policy and user and log in to Vault – in fact you should revoke the root token and generate a new one if you need one – which you shouldn’t.
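A small check for the two points raised in this thread (a silently ignored request body that leaves the new token with the caller's policies, and `no_parent` as the body-level equivalent of /create-orphan). This is an added example, not code from the thread or from Vault; the sample responses are constructed from the shapes shown above, with placeholder token ids, and the function names are my own.

```python
import re

# Constructed sample responses modelled on the thread (ids are placeholders, not real tokens).
IGNORED_BODY_RESPONSE = {  # what came back when "-d create_token.json" sent no usable JSON
    "warnings": None,
    "auth": {"client_token": "s.PLACEHOLDER1", "policies": ["root"],
             "token_policies": ["root"], "lease_duration": 0, "renewable": False},
}
CORRECT_RESPONSE = {       # what came back once the body was actually sent
    "warnings": ['Policy "foo-policy" does not exist'],
    "auth": {"client_token": "s.PLACEHOLDER2", "policies": ["default", "foo-policy"],
             "token_policies": ["default", "foo-policy"], "lease_duration": 3600,
             "renewable": True},
}

def ttl_seconds(ttl: str) -> int:
    """Convert a Vault duration string such as "1h", "1h0m0s" or "768h" into seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([hms])", ttl))

def build_create_request(policies, ttl, renewable=True, orphan=False):
    """Body for POST /v1/auth/token/create; orphan=True is what /create-orphan sets for you."""
    body = {"policies": list(policies), "ttl": ttl, "renewable": renewable}
    if orphan:
        body["no_parent"] = True
    return body

def check_token_response(requested, response):
    """Compare what was asked for with what Vault issued; return a list of findings."""
    findings = []
    auth = response.get("auth") or {}
    got = set(auth.get("token_policies") or auth.get("policies") or [])
    want = set(requested["policies"])
    missing = sorted(want - got)
    if missing:
        findings.append(f"requested policies not attached: {missing}")
    if "root" in got and "root" not in want:
        findings.append("token carries root: body was ignored and the caller's policies were inherited")
    if auth.get("lease_duration", 0) != ttl_seconds(requested["ttl"]):
        findings.append(f"ttl mismatch: asked {requested['ttl']}, got {auth.get('lease_duration')}s")
    if auth.get("renewable") != requested.get("renewable", True):
        findings.append(f"renewable mismatch: got {auth.get('renewable')}")
    for warning in response.get("warnings") or []:
        findings.append(f"server warning: {warning}")  # e.g. a policy name that does not exist
    return findings
```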