I have a Vault instance. I used the root token to create some policies and engines.
I also created a userpass authentication so I don't have to use the root token:
vault write auth/userpass/users/operation \
    password=xxx \
    policies=provisioner,default
And I assigned the default policy, and this policy is here with the idea that it could "provision".
My provisioner policy:
# Manage auth methods broadly across Vault
path "auth/*" {
  capabilities = ["read", "list", "create"]
}

# Create, update, and delete auth methods
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

path "sys/policy/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing policies
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Create and manage ACL policies via API & UI
path "sys/policies/acl/*" {
  capabilities = ["read", "list"]
}

path "sys/renew/*" {
  capabilities = ["update"]
}

path "auth/token/renew-self" {
  capabilities = ["read", "update"]
}

# Allow renewal of token leases
path "auth/token/renew/*" {
  capabilities = ["update"]
}

# List auth methods
path "sys/auth" {
  capabilities = ["read"]
}

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "myapp/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
But when I log in and try to create a token, it tells me that I don't have permission, and I don't know which one it needs.
vault login -address=https://vault-stage.xxxx.com -method=userpass username=operation password='xxxxx'
vault token create -policy=myapp -policy=default -type=service -address=https://vault-stage.xxxx.com
I receive this error:
Error creating token: Error making API request.
URL: POST https://vault-stage.xxxx.com/v1/auth/token/create
Code: 403. Errors:
- 1 error occurred:
* permission denied
Have I left any permission out of my policy?
Am I creating the token incorrectly?
Thank you very much.
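The stanzas that policy is missing, as an added example that is not part of the original post. It assumes the policy is saved as provisioner.hcl and rewritten with the root token (the poster's own token only has read/list on sys/policies/acl/*); the token role name myapp and the verification commands in the comments are assumptions added here, not something the poster ran.

```hcl
# Added example (not the original poster's policy): the rules that the
# "provisioner" policy above lacks for "vault token create".
#
# "vault token create" is a POST to auth/token/create, which Vault
# authorizes against the "update" capability, not "create". The poster's
# "auth/*" stanza grants only read, list and create, so the request is
# denied with 403 "permission denied".
path "auth/token/create" {
  capabilities = ["create", "update"]
}

# Second hurdle: the policies requested for the new token (-policy=myapp)
# must be a subset of the caller's own policies (provisioner, default)
# unless the caller holds "sudo" on auth/token/create. Two ways out:
#
# Option A (broad): let the caller mint a token with any policy.
# path "auth/token/create" {
#   capabilities = ["create", "update", "sudo"]
# }
#
# Option B (least privilege): a token role, created by an admin, that
# lists exactly the policies the provisioner may hand out. Assumed name:
# myapp.
#   vault write auth/token/roles/myapp \
#       allowed_policies="myapp,default" token_type="service"
# The provisioner then creates tokens from that role only:
#   vault token create -role=myapp
path "auth/token/create/myapp" {
  capabilities = ["create", "update"]
}

# Verify before retrying. "vault token capabilities" reports what the
# current token may do on a path; "deny" means the policy did not apply.
#   vault policy write provisioner provisioner.hcl        # as root
#   vault token capabilities auth/token/create            # as operation
#   vault token capabilities auth/token/create/myapp      # as operation
```

Option B is the one to prefer: with sudo on auth/token/create the provisioner user can hand itself a token carrying any policy on the server, which defeats the point of not using the root token.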