How to tell difference between parent and child policies?

(I am an end-user of Vault and did not create the policies)

I've come across that error that seems to trip up a lot of people using vault token create -policy=

  • child policies must be subset of parent

But one thing I have not found anywhere, including via vault policy list is how to determine if a policy is a child or a parent. Given an output of

default
terraform
that-policy
this-policy

I can issue a new token vault token create -policy=default and get back

token_policies       ["default"]
policies             ["default"]

Or do vault token create -policy=terraform and get back

token_policies       ["default" "terraform"]
policies             ["default" "terraform"]

(not sure why “default” gets tossed in there too? Maybe that’s what -no-default-policy is for.)

However, when I execute vault token create -policy=this-policy or vault token create -policy=that-policy, I receive that error.

Using vault policy list or vault policy read *token* does not distinguish between parent and child policies (at least as far as I've been able to tell so far) – so why are only some of the policies accepted as parents, and the others as children? What/where do I look for this?

Thanks.

Try using vault token lookup. That should give you information about your current token including assigned policies.


I think I understand now. By using vault token lookup I find out which policies have been applied to the token I used to authenticate with; so I am the parent.
Therefore, I cannot use vault token create with a policy that I am not associated with.
I was looking at policies the wrong way.

Yes, that is correct!
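The rule the thread arrives at, modelled as an added example (not code from the thread or from Vault itself): read the calling token's policies out of `vault token lookup -format=json`, then work out what a `vault token create -policy=...` request from that token would yield. The lookup JSON and the policy names are constructed samples matching the thread; the root-policy shortcut is an assumption about Vault's behaviour, not something the thread states.

```python
import json

# Constructed sample of `vault token lookup -format=json` for the token the
# thread author logged in with (only the fields used here are included).
SAMPLE_LOOKUP = json.dumps({
    "data": {"display_name": "token", "policies": ["default", "terraform"], "ttl": 3600}
})

# Constructed `vault policy list` output from the thread.
ALL_POLICIES = ["default", "terraform", "that-policy", "this-policy"]


def parent_policies(lookup_json: str) -> set:
    """Policies attached to the calling (parent) token, from `vault token lookup` JSON."""
    return set(json.loads(lookup_json)["data"]["policies"])


def child_policies(parent: set, requested: list, no_default_policy: bool = False) -> list:
    """Policies a child token would receive from `vault token create -policy=...`.

    Raises ValueError with the same wording Vault uses when the request is not a
    subset of the parent's policies. Assumption (not from the thread): a parent
    holding the root policy may request any policy.
    """
    wanted = set(requested)
    if "root" not in parent and not wanted <= parent:
        extra = sorted(wanted - parent)
        raise ValueError(f"child policies must be subset of parent (not on parent: {extra})")
    # No -policy given: the child inherits the parent's policies.
    result = wanted if wanted else set(parent)
    # Vault appends "default" unless -no-default-policy is passed.
    if not no_default_policy:
        result.add("default")
    return sorted(result)


def creatable(parent: set, all_policies: list) -> list:
    """Which entries of `vault policy list` this token can hand to a child token."""
    return [p for p in all_policies if "root" in parent or p in parent]
```

Run against the sample, `creatable` reproduces the thread: only `default` and `terraform` can be requested, and `this-policy` / `that-policy` trigger the subset error.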