As I understand from the documentation and some testing, it’s possible to have three types of restrictions on token creation.
- User can create token using any policy (when the ‘auth/token/create’ path has ‘update’ and ‘sudo’ capabilities)
- User can create token using only a subset of the policies they have (when the ‘auth/token/create’ path has only the ‘update’ capability)
- User can’t create tokens (when the ‘auth/token/create’ path has neither the ‘update’ nor the ‘sudo’ capability)
My question is: is it possible to have more granular control over which policies a user can assign to a token?
Example of what I want: an admin can create tokens with any policy except for one specific policy.
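The three cases listed in the post, written out as Vault policy HCL (an added example, not taken from the original post; the policy file names are invented and each stanza is meant to live in its own policy):

```hcl
# token-any.hcl: case 1, the caller may create tokens carrying any policy,
# including policies the caller itself does not hold (requires sudo).
path "auth/token/create" {
  capabilities = ["update", "sudo"]
}

# token-subset.hcl: case 2, the caller may create tokens, but Vault only
# lets it attach a subset of the policies already on the calling token.
path "auth/token/create" {
  capabilities = ["update"]
}

# token-none.hcl: case 3, the caller cannot create tokens at all.
# Simply not granting "update" on this path has the same effect; an
# explicit deny additionally overrides a grant from any other policy.
path "auth/token/create" {
  capabilities = ["deny"]
}
```

For the "any policy except one" case, the place to look is Vault token roles (`auth/token/roles/<name>`, which accept `allowed_policies` and `disallowed_policies`) together with creating tokens through `auth/token/create/<name>`; a token role is not shown in the block above.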