Hi all, as the title suggests, I'm trying to get information about a token, but it seems that everything I've tried results in a permission denied response.
Following is what I did:
payload='{"type":"approle"}'
echo $(curl --request POST -H "X-Vault-Token: $root_token" --data "$payload" http://vault-server:8200/v1/sys/auth/approle) | jq .
echo $(curl --request POST --header "X-Vault-Token: $root_token" --data "$fullAccessPolicyRequest" http://vault-server:8200/v1/sys/policy/fullAccess-policy) | jq .
This is the policy.hcl file:
path "kv/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "kv-v2/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
Created a role:
payload='{"token_policies": ["fullAccess-policy", "default"], "token_type": "batch", "token_ttl": "5m", "token_max_ttl": "10m"}'
echo $(curl --request POST --header "X-Vault-Token: $root_token" --data "$payload" http://vault-server:8200/v1/auth/approle/role/anarchy-role) | jq .
Getting the role-id and secret-id.
Login using the role-id and secret-id:
payload="{\"role_id\":\"$role_id\",\"secret_id\":\"$secret_id\"}"
login_result=$(echo $(curl --request POST --data "$payload" http://vault-server:8200/v1/auth/approle/login))
Trying to inspect the client_token:
client_token=$(echo $login_result| jq -r '.auth.client_token')
echo $(curl --request POST -H "X-Vault-Token: $client_token" http://vault-server:8200/v1/auth/token/lookup-self) | jq .
Results in:
"1 error occurred:\n\t* permission denied\n\n"
I want to mention that this is the first time I'm using Vault, and maybe I am missing some obvious aspects.
My setup is as follows:
docker-compose
1 service running vault as server
1 service executes the scripts against the vault server container
Also, I am wondering why, when I look at login_result, I can see the policies;
however, when I log into the UI with the client_token, in the Access tab I cannot see any policies.
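An added example, not part of the original post and not Vault's own code: a small shell model of the rule Vault applies before any token-backend logic runs, namely that the capability it checks is derived from the HTTP method (GET checks "read", POST/PUT check "update", or "create" when the path does not exist yet, DELETE checks "delete", LIST checks "list"). The script runs the calls from the post against the two stanzas of Vault's built-in "default" policy that matter here plus the poster's policy.hcl, and shows that a POST to auth/token/lookup-self is evaluated as "update", which "default" does not grant on that path, while the same request as a GET is evaluated as "read", which it does. The function names and the policy excerpts are constructed for this example; only exact paths and the trailing "*" glob are modelled (no "+" wildcards, no "deny" rules).

```shell
#!/bin/sh
# Added example (not from the original post): model Vault's HTTP-method -> capability
# mapping and check a request against the union of the policies a token holds.
# Assumptions: the documented mapping below; exact paths and trailing "*" globs only.

# Vault picks the capability it enforces from the HTTP method of the request.
capability_for_method() {
  case "$1" in
    GET)      echo read ;;
    POST|PUT) echo update ;;   # "create" instead if the path does not exist yet
    DELETE)   echo delete ;;
    LIST)     echo list ;;
    *)        echo "" ;;       # unknown method: nothing can grant it
  esac
}

# The two stanzas of Vault's built-in "default" policy that matter for this post.
DEFAULT_POLICY='
path "auth/token/lookup-self" {
    capabilities = ["read"]
}
path "auth/token/renew-self" {
    capabilities = ["update"]
}
'

# The poster's fullAccess-policy (policy.hcl from the post).
FULL_ACCESS_POLICY='
path "kv/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "kv-v2/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
'

# policy_grants POLICY_TEXT REQUEST_PATH CAPABILITY
# Succeeds when a "path" stanza covering REQUEST_PATH lists CAPABILITY.
policy_grants() {
  printf '%s\n' "$1" | awk -v req="$2" -v cap="$3" '
    $1 == "path" {
      p = $2; gsub(/["{]/, "", p)          # strip quotes and a glued "{"
      if (p ~ /\*$/) {                     # trailing glob: prefix match
        sub(/\*$/, "", p)
        hit = (substr(req, 1, length(p)) == p)
      } else {                             # otherwise exact match
        hit = (p == req)
      }
    }
    hit && /capabilities/ && cap != "" && index($0, "\"" cap "\"") { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# The token in the post carries "fullAccess-policy" and "default"; Vault unions
# attached policies, so a request is allowed if any one of them grants it.
TOKEN_POLICIES="$DEFAULT_POLICY
$FULL_ACCESS_POLICY"

# request_allowed METHOD PATH -> prints "allowed" or "denied"
request_allowed() {
  cap=$(capability_for_method "$1")
  if policy_grants "$TOKEN_POLICIES" "$2" "$cap"; then
    echo allowed
  else
    echo denied
  fi
}

# show METHOD PATH: one line of the walk-through below
show() {
  printf '%-6s %-28s -> %s\n' "$1" "$2" "$(request_allowed "$1" "$2")"
}

# Walk through the calls from the post with the poster's token.
show POST   auth/token/lookup-self   # denied  (evaluated as "update"; "default" grants only "read")
show GET    auth/token/lookup-self   # allowed (evaluated as "read")
show GET    kv/data/app/config       # allowed (via the "kv/*" glob in policy.hcl)
show DELETE auth/token/lookup-self   # denied  (no policy grants "delete" there)
```

The same check can be run against a live server with `vault token capabilities "$client_token" auth/token/lookup-self`, which prints the capability set the token actually has on that path; a result of `read` alone means a POST to it will be refused while a plain `curl -H "X-Vault-Token: $client_token" .../v1/auth/token/lookup-self` (curl defaults to GET) will succeed.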