Error creating token: child policies must be subset of parent

I’m trying to create a new token with a specific policy assigned to it.

vault token lookup shows these policies for my current token (actual names have been changed):

identity_policies    [foo bar foobar]
policies             [default]

I want to create a new token with the foobar policy only. I’m running this command:

vault token create -policy=foobar

This command fails with this error:

Error creating token: Error making API request.

URL: POST https://vault:8200/v1/auth/token/create
Code: 400. Errors:

* child policies must be subset of parent

Why is this happening? My current token has the policy I’m trying to assign to the new token. Isn’t this what “subset of parent” means?

Many thanks,

I just did some testing and it looks like the policies that you can delegate must be assigned to the token itself and not inherited through an identity policy. However, if you don’t specify any policies then the child token inherits all of the identity policies.

The actual behavior seems counterintuitive to me and may warrant submitting an issue in GitHub. I would expect that you should be able to assign a policy your token inherits through an identity policy to a child token.

Thanks for your explanation. This does seem counterintuitive to me too; I will follow your advice and open an issue on github.