Getting "permission denied" for operations using a token created based on role with "token_policies": ["default"]

Hi all, as the title suggests I’m trying to get information about a token but it seems that everything I’ve tried results in a permission denied response.

The following is what I did

# enable the AppRole auth method
payload='{"type":"approle"}'
curl -s --request POST -H "X-Vault-Token: $root_token" --data "$payload" http://vault-server:8200/v1/sys/auth/approle | jq .

# write the policy (request body built from the policy.hcl below)
curl -s --request POST --header "X-Vault-Token: $root_token" --data "$fullAccessPolicyRequest" http://vault-server:8200/v1/sys/policy/fullAccess-policy | jq .

This is the policy.hcl file

path "kv/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

path "kv-v2/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

Created a role

# role that issues batch tokens carrying the two policies
payload='{"token_policies": ["fullAccess-policy", "default"], "token_type": "batch", "token_ttl": "5m", "token_max_ttl": "10m"}'

curl -s --request POST --header "X-Vault-Token: $root_token" --data "$payload" http://vault-server:8200/v1/auth/approle/role/anarchy-role | jq .

Getting the role-id and secret-id

Login using the role-id and secret-id

# unauthenticated login with the AppRole credentials; keep the raw JSON reply
payload="{\"role_id\":\"$role_id\",\"secret_id\":\"$secret_id\"}"
login_result=$(curl -s --request POST --data "$payload" http://vault-server:8200/v1/auth/approle/login)

Trying to inspect the client_token

# extract the token from the login reply and look it up with itself
client_token=$(echo "$login_result" | jq -r '.auth.client_token')
curl -s --request POST -H "X-Vault-Token: $client_token" http://vault-server:8200/v1/auth/token/lookup-self | jq .

results in

“1 error occurred:\n\t* permission denied\n\n”

I want to mention that this is the 1st time I’m using vault and maybe I am missing out some obvious aspects.

My setup is as follows.

docker-compose
1 service running vault as server
1 service executes the scripts against the vault server container

Also I am wondering why, when I look at the login_result, I can see the policies,

however when I log in to the UI with the client_token, in the Access tab I cannot see any policies.
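
The same steps end to end, as an added example (not code from the original post or from HashiCorp), using only the Python standard library. It assumes a Vault server reachable at VAULT_ADDR and a root token in VAULT_ROOT_TOKEN (both assumptions); the policy and role names are the ones from the post. Two things it does that the post's commands do not show: it wraps the HCL in the {"policy": ...} JSON body that sys/policy expects, and after logging in it records the token_type and policies from the login reply and asks sys/capabilities-self what the new token may do on a path, which reports the effective capabilities even when the path itself would be denied.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed environment (not from the post): Vault address and a root token.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://vault-server:8200")
ROOT_TOKEN = os.environ.get("VAULT_ROOT_TOKEN", "")

POLICY_NAME = "fullAccess-policy"
ROLE_NAME = "anarchy-role"

# Same policy as the post's policy.hcl.
POLICY_HCL = '''
path "kv/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}

path "kv-v2/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
'''


def vault(method, path, token=None, body=None):
    """One call to the Vault HTTP API; returns (status, decoded JSON or None).
    HTTP errors are returned as status + body instead of raised, so the caller
    can print Vault's own error text (for example "permission denied")."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def policy_payload(hcl_text):
    """sys/policy/<name> takes JSON with the HCL as a string under "policy";
    posting the raw .hcl file body is not what the endpoint expects."""
    return {"policy": hcl_text}


def role_payload():
    """Role definition from the post: batch tokens with the two policies."""
    return {"token_policies": [POLICY_NAME, "default"], "token_type": "batch",
            "token_ttl": "5m", "token_max_ttl": "10m"}


def summarize_login(login_response):
    """The fields worth checking before using the token: which policies were
    attached and whether Vault issued a batch or a service token."""
    auth = login_response["auth"]
    return {"client_token": auth["client_token"],
            "policies": sorted(auth.get("policies", [])),
            "token_type": auth.get("token_type", "service")}


def capabilities_on(token, path):
    """Ask Vault what this token may do on a path. The default policy permits
    sys/capabilities-self, so the answer comes back even for a denied path."""
    status, body = vault("POST", "sys/capabilities-self", token, {"paths": [path]})
    if status != 200 or not body:
        return ["<error %s: %s>" % (status, body)]
    data = body.get("data") or body
    return data.get("capabilities", [])


def bootstrap():
    """Runs the post's steps in order and prints what each call returned."""
    print("enable approle:", vault("POST", "sys/auth/approle", ROOT_TOKEN, {"type": "approle"}))
    print("write policy:", vault("PUT", f"sys/policy/{POLICY_NAME}", ROOT_TOKEN,
                                 policy_payload(POLICY_HCL)))
    print("create role:", vault("POST", f"auth/approle/role/{ROLE_NAME}", ROOT_TOKEN, role_payload()))
    role_id = vault("GET", f"auth/approle/role/{ROLE_NAME}/role-id", ROOT_TOKEN)[1]["data"]["role_id"]
    secret_id = vault("POST", f"auth/approle/role/{ROLE_NAME}/secret-id", ROOT_TOKEN)[1]["data"]["secret_id"]
    status, login = vault("POST", "auth/approle/login",
                          body={"role_id": role_id, "secret_id": secret_id})
    summary = summarize_login(login)
    print("login:", status, summary)
    token = summary["client_token"]
    print("lookup-self:", vault("GET", "auth/token/lookup-self", token))
    print("capabilities on kv/data/app:", capabilities_on(token, "kv/data/app"))


if __name__ == "__main__":
    bootstrap()
```

Run it with VAULT_ADDR and VAULT_ROOT_TOKEN set; the login line shows the token type and policy list Vault actually attached, and the last line shows what the token is permitted on a kv path, which separates "the policy was not attached" from "the policy does not cover this path".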

Perhaps because it’s a batch token and no information is written to disk. Try a service token.