Generate new tokens without needing the root token (AppRole help, somewhat related)

I"m in need of a bit of help. I"ve installed Vault to a VM and I have the unseal keys and root token. However, I need to be able to use the API to create new tokens but WITHOUT using the root token. Is there a way to generate a new token without ever having to use the root token.

I know this is probably better as another question, but using the API to create AppRoles, assign policies to AppRoles, etc. also requires a token.

So my big question is: how do I generate tokens without ever using the root token, and how do I generate tokens capable of creating AppRoles, again without ever using the root token?

Thanks in advance

You have to use the root token for the initial configuration. Once that is done and you have other authentication methods enabled, you would be able to revoke the root token.

If at a later date you need to do more configuration, you can create a new root token from the unseal/recovery keys.

That's where I'm a bit confused; it's been a very long time since I've used Vault. I plan to enable the AppRole auth method and probably KV v2 as well. But I don't want to revoke the root token, I just want to minimize its usage. For instance, how can I create a token that can only be used to obtain the role-id and the secret-id? What about a different token used to create policies? And another token that can only be used to create tokens? This will all be done via the API. I just don't know how to go about this. The tokens used to create/manage policies and the one used to create new tokens both can't expire or have limited usage.

Thanks again for your help,


BTW, I do apologize for being effectively a noob.

You really should reconsider this. Having a root token floating around is very, very, very (did I mention very) bad practice.

If you feel you need a root-like token, make a policy like:

path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

Then create tokens from that policy with TTLs and the ability to revoke them.

You don’t need a root token to create more tokens, just a token with permissions to do what you need. Then the token it creates will be a child of it (usually).

This is actually coming to the part that I don't understand. If my root token is revoked, which is fine for me to do if that's what you think is best, how do I get a token to make API calls, specifically with the AppRole auth? Well, any call really. They all require a token in the header, but where does this token come from, and how does it get generated? That's where I'm lost. The token create call also requires a token to use, so again, where does that come from?

Oh, and assume no operator: after the initial config it has to be done only by way of API calls.

You don’t need a token to be able to login using one of the auth methods (e.g. AppRole).

So you'd call the login API, get a token back, and then use that for whatever is needed. You should choose a role that gives the minimal permissions needed for the application/usage you are wanting.

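The two answers above (scoped policies plus TTL-bound child tokens, and AppRole login needing no token at all) fit together into one bootstrap flow. The script below is an added example written for this thread, not code from the original posts or from HashiCorp: it drives Vault's HTTP API with urllib only. The root token is used exactly once, in bootstrap(), to install three narrow policies, enable AppRole, and create two roles; after that, the automation logs in with its own AppRole credentials, mints a short-lived child token that can only fetch credentials for the application's role, and the application logs in with those. The policy names, the "vault-admin" and "myapp" roles, the secret/data/myapp/* KV v2 path, the TTLs and the VAULT_ADDR default are all this example's own assumptions. Pass revoke_root=False if, like the original poster, you want to keep the root token around rather than revoke it.

```python
"""Vault bootstrap without a long-lived root token (added example, not from the thread)."""
import json
import os
import urllib.request

# Assumed: Vault reachable here, already initialised and unsealed.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

# Policies written once with the root token. Names and paths are this example's choices.
POLICIES = {
    # Operations automation: manage ACL policies and AppRoles, mint child tokens.
    # No "*" and no sudo, so this is much less than a root token.
    "vault-admin": '''
path "sys/policies/acl/*"  { capabilities = ["create", "read", "update", "delete", "list"] }
path "auth/approle/role/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "auth/token/create"   { capabilities = ["update"] }
''',
    # Only enough to hand out credentials for the hypothetical "myapp" AppRole.
    "myapp-credential-issuer": '''
path "auth/approle/role/myapp/role-id"   { capabilities = ["read"] }
path "auth/approle/role/myapp/secret-id" { capabilities = ["update"] }
''',
    # What the application itself may do (reads from an assumed KV v2 mount at secret/).
    "myapp": '''
path "secret/data/myapp/*" { capabilities = ["read"] }
''',
}


def http_transport(method, path, body, token):
    """Send one request to the real Vault. token=None sends no X-Vault-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:  # raises on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else {}  # 204 No Content -> {}


class Vault:
    """Thin wrapper; the transport is injectable so the flow can be exercised offline."""

    def __init__(self, transport=http_transport):
        self.transport = transport

    def write(self, path, body, token):
        return self.transport("POST", "/v1/" + path, body, token)

    def read(self, path, token):
        return self.transport("GET", "/v1/" + path, None, token)


def approle_credentials(vault, role, token):
    """Needs read on .../role-id and update on .../secret-id for this role only."""
    role_id = vault.read(f"auth/approle/role/{role}/role-id", token)["data"]["role_id"]
    secret_id = vault.write(f"auth/approle/role/{role}/secret-id", {}, token)["data"]["secret_id"]
    return role_id, secret_id


def approle_login(vault, role_id, secret_id):
    """The login endpoint is unauthenticated: no token goes in, a token comes out."""
    auth = vault.write("auth/approle/login", {"role_id": role_id, "secret_id": secret_id}, None)["auth"]
    return auth["client_token"], auth["policies"]


def mint_child_token(vault, parent_token, policies, ttl="30m"):
    """Child of parent_token, revoked with it. Without sudo on auth/token/create,
    `policies` must be a subset of the parent's own policies."""
    body = {"policies": policies, "ttl": ttl, "renewable": True}
    return vault.write("auth/token/create", body, parent_token)["auth"]["client_token"]


def bootstrap(vault, root_token, revoke_root=True):
    """The only place the root token is used. Returns the admin role's credentials,
    which must be delivered to the automation out of band."""
    for name, hcl in POLICIES.items():
        vault.write(f"sys/policies/acl/{name}", {"policy": hcl}, root_token)
    vault.write("sys/auth/approle", {"type": "approle"}, root_token)
    vault.write("auth/approle/role/vault-admin",
                {"token_policies": ["vault-admin", "myapp-credential-issuer"],
                 "token_ttl": "1h", "token_max_ttl": "4h"}, root_token)
    vault.write("auth/approle/role/myapp",
                {"token_policies": ["myapp"], "token_ttl": "20m",
                 "secret_id_ttl": "10m", "secret_id_num_uses": 1}, root_token)
    creds = approle_credentials(vault, "vault-admin", root_token)
    if revoke_root:
        vault.write("auth/token/revoke-self", {}, root_token)
    return creds


def rotate_app_credentials(vault, admin_role_id, admin_secret_id):
    """Everyday flow with no root token anywhere: admin logs in, mints a narrowly
    scoped child token, that child issues fresh app credentials, the app logs in."""
    admin_token, _ = approle_login(vault, admin_role_id, admin_secret_id)
    issuer_token = mint_child_token(vault, admin_token, ["myapp-credential-issuer"], ttl="5m")
    role_id, secret_id = approle_credentials(vault, "myapp", issuer_token)
    return approle_login(vault, role_id, secret_id)  # (app_token, app_policies)


if __name__ == "__main__":
    v = Vault()
    admin_creds = bootstrap(v, os.environ["VAULT_ROOT_TOKEN"], revoke_root=False)
    print("app token policies:", rotate_app_credentials(v, *admin_creds)[1])
```

Note the answer to "where does the first token come from": from approle_login(), which sends no X-Vault-Token header. The only secret the automation has to hold is the admin role's role_id and secret_id, and a leaked admin token expires on its own and can be revoked without touching the unseal keys.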