Granular token creation restriction in Vault


As I understand from the documentation and some testing, it’s possible to have three types of restrictions on token creation.

  1. User can create token using any policy (when the ‘auth/token/create’ path has ‘update’ and ‘sudo’ capabilities)
  2. User can create token using only a subset of the policies they have (when the ‘auth/token/create’ path has only the ‘update’ capability)
  3. User can’t create tokens (when the ‘auth/token/create’ path has neither the ‘update’ nor the ‘sudo’ capability)

My question is: is it possible to have more granular control over which policies a user can assign to a token?
Example of what I want: Admin can create tokens with any policy except for one specific policy.

Hey! Yes it is. You can go ahead and create a token role with allowed and disallowed policies. From there on, you can create tokens from this role.
This, however, does not restrict the user from creating tokens with certain policies any more than you already can, but it does give them more control without the need for sudo.

I hope this helps your use case!
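A concrete version of the role-based setup described above, added here as an example and not taken from the thread or from Vault's own docs: the policy name token-operator, the role name ops-token and the forbidden policy secrets-admin are made-up placeholders, and VAULT_ADDR and VAULT_TOKEN are assumed to point at a Vault the caller can administer.

```shell
#!/bin/sh
# Added example (not from the thread): an operator who may mint tokens only through a
# token role that forbids one specific policy. "token-operator", "ops-token" and
# "secrets-admin" are made-up placeholders; VAULT_ADDR and VAULT_TOKEN must be set.
set -eu

# Writes the operator's ACL policy to the given file. The operator gets "update" on the
# role-scoped create path only, so no "sudo" on auth/token/create is needed.
write_operator_policy() {
  cat > "$1" <<'EOF'
# Mint tokens only through the ops-token role.
path "auth/token/create/ops-token" {
  capabilities = ["update"]
}
# Let the operator read what the role constrains.
path "auth/token/roles/ops-token" {
  capabilities = ["read"]
}
EOF
}

# Creates the role. disallowed_policies makes Vault reject any create request under this
# role that asks for "secrets-admin"; every other policy is still subject to the usual rules.
configure_vault() {
  write_operator_policy "$1"
  vault policy write token-operator "$1"
  vault write auth/token/roles/ops-token disallowed_policies="secrets-admin"
}

# Smoke check: the first request must succeed, the second must be refused by the role.
check_restriction() {
  vault token create -role=ops-token -policy=default -field=token >/dev/null
  if vault token create -role=ops-token -policy=secrets-admin >/dev/null 2>&1; then
    echo "role did not block secrets-admin" >&2
    return 1
  fi
  echo "ops-token role blocks secrets-admin as intended"
}

# Only talk to Vault when the CLI is actually available.
if command -v vault >/dev/null 2>&1; then
  configure_vault "${TMPDIR:-/tmp}/token-operator.hcl"
  check_restriction
fi
```

To hand this to a group rather than a single token, attach the token-operator policy to the group's auth mapping; the role itself applies only when the create request goes through auth/token/create/ops-token.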

Thanks Remco! I hadn’t noticed roles yet. They do seem to be in the right direction but I still feel that there’s a major drawback (for me).

It doesn’t seem that I can automatically have a specific role apply to the token assigned to a specific user when they authenticate using, for example, LDAP.

Am I missing something?