Error creating token: child policies must be subset of parent

I’m trying to create a new token with a specific policy assigned to it.

vault token lookup shows these policies for my current token (actual names have been changed):

identity_policies    [foo bar foobar]
policies             [default]

I want to create a new token with the foobar policy only. I’m running this command:

vault token create -policy=foobar

This command fails with this error:

Error creating token: Error making API request.

URL: POST https://vault:8200/v1/auth/token/create
Code: 400. Errors:

* child policies must be subset of parent

Why is this happening? My current token has the policy I’m trying to assign to the new token. Isn’t this what “subset of parent” means?

Many thanks,
Max

I just did some testing and it looks like the policies that you can delegate must be assigned to the token itself and not inherited through an identity policy. However, if you don’t specify any policies then the child token inherits all of the identity policies.

The actual behavior seems counterintuitive to me and may warrant submitting an issue in GitHub. I would expect that you should be able to assign a policy your token inherits through an identity policy to a child token.
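The rule described in the reply above, modelled as an added Python example (this is not Vault's source code; the `Token` class, `create_child` function and the sample token are assumptions made here to illustrate the observed behaviour, and `default`-policy handling is deliberately left out):

```python
"""Model of the child-token policy rule seen in this thread.

Assumed model, not Vault's implementation:
  * the "subset of parent" check is made against the policies attached
    directly to the parent token (token_policies), so identity_policies
    never count, even though the parent can use them;
  * a child created with no explicit policies copies the parent's token
    policies and, because it belongs to the same entity, still gets the
    same identity_policies at lookup time.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Token:
    # Policies stored on the token itself (set by `vault token create -policy=...`).
    token_policies: set[str]
    # Policies derived from the token's entity/groups; computed at request time,
    # shown as identity_policies in `vault token lookup`.
    identity_policies: set[str] = field(default_factory=set)
    is_root: bool = False

    @property
    def effective_policies(self) -> set[str]:
        """Everything the token can actually use: both sources combined."""
        return self.token_policies | self.identity_policies


class ChildPolicyError(Exception):
    """Raised with the same message the Vault API returned in the thread."""


def create_child(parent: Token, requested: set[str] | None = None) -> Token:
    """Create a child token under the modelled rule.

    With `requested` given, every requested policy must be in the parent's
    *token* policies (root tokens are exempt). With no request, the child
    copies the parent's token policies. Either way the child keeps the
    parent's identity policies, since it is tied to the same entity.
    """
    if requested is None:
        child_policies = set(parent.token_policies)
    else:
        child_policies = set(requested)
        if not parent.is_root and not child_policies <= parent.token_policies:
            raise ChildPolicyError("child policies must be subset of parent")
    return Token(child_policies, set(parent.identity_policies))


# Constructed sample mirroring the lookup output in the question:
#   identity_policies [foo bar foobar], policies [default]
PARENT = Token(token_policies={"default"},
               identity_policies={"foo", "bar", "foobar"})


def demo() -> dict[str, object]:
    """Run the three cases discussed in the thread and return the outcomes."""
    results: dict[str, object] = {}

    # 1. `vault token create -policy=foobar`: fails even though the parent can
    #    use foobar, because foobar is only an identity policy.
    try:
        create_child(PARENT, {"foobar"})
        results["explicit_foobar"] = "created"
    except ChildPolicyError as exc:
        results["explicit_foobar"] = str(exc)

    # 2. `vault token create` with no -policy: inherits everything.
    child = create_child(PARENT)
    results["no_policy_token"] = sorted(child.token_policies)
    results["no_policy_effective"] = sorted(child.effective_policies)

    # 3. A parent that holds foobar directly may delegate it.
    direct = Token(token_policies={"default", "foobar"},
                   identity_policies={"foo", "bar"})
    results["direct_foobar"] = sorted(create_child(direct, {"foobar"}).token_policies)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model only reproduces what the reply observed: to hand `foobar` to a child, the parent must carry it as a token policy, or the child must be created without `-policy` and pick up the identity policies through the shared entity.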

Thanks for your explanation. This does seem counterintuitive to me too; I will follow your advice and open an issue on GitHub.