I think my question is relatively simple. I searched Google but I couldn’t find the right answer…
Let’s say I have a token. I can see (with its accessor) its validation time, etc:
    vault token lookup -accessor zzzzzzzzzzzzzzzzzzzzzzzzz
    Key                 Value
    ---                 -----
    accessor            zzzzzzzzzzzzzzzzzzzzzzzzz
    creation_time       1616588705
    creation_ttl        768h
    display_name        token
    entity_id           n/a
    expire_time         2021-04-25T14:25:05.900427128+02:00
    explicit_max_ttl    0s
    id                  n/a
    issue_time          2021-03-24T13:25:05.900454868+01:00
    meta                <nil>
    num_uses            0
    orphan              true
    path                auth/token/create
    policies            [default renew_token]
    renewable           true
    ttl                 741h29m57s
    type                service
As you can see, it looks completely fine: the expiration date is in April (it is March now) and there is no information that would indicate any problem with the token. But when I want to use this token, I get “403 permission denied” every time I do something with it:
    export TOKEN="xyz"
    [root@test]:~# VAULT_TOKEN=$TOKEN vault read some/path/API
    Error reading some/path/API: Error making API request.

    URL: GET https://test:8200/v1/some/path/API
    Code: 403. Errors:

    * 1 error occurred:
            * permission denied
It’s not a policy issue, because the token has a good, valid policy (it works for another token with the same policy).
My question is: when “vault token lookup -accessor” shows that everything is fine but in reality the token doesn’t work, what could be the root cause and how do I investigate such an issue? How can I check (with which commands) what the problem with the token is?
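A diagnostic script for the situation described above, added here as an example and not part of the original post. It assumes the vault CLI is on PATH with VAULT_ADDR configured; the token, accessor, path and policy names are placeholders taken from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the vault CLI is on PATH
# and VAULT_ADDR points at the server; token/accessor/policy values are placeholders.

# 1. Does the token *value* in $TOKEN really belong to the accessor you looked up?
#    'token lookup -accessor' only proves the accessor is healthy; a stale, mistyped
#    or different token in the variable also yields "403 permission denied".
token_matches_accessor() {
  token="$1"; expected="$2"
  actual=$(VAULT_TOKEN="$token" vault token lookup -field=accessor 2>/dev/null) || {
    echo "lookup by token value failed: token is invalid, revoked or expired"; return 1; }
  [ "$actual" = "$expected" ] || {
    echo "accessor mismatch: token resolves to $actual, expected $expected"; return 1; }
}

# 2. Ask Vault what the token may do on the failing path; "deny" means the attached
#    policies grant nothing there, whatever the policy file looks like.
token_capabilities_on() {
  vault token capabilities "$1" "$2"
}

# 3. Scan a 'vault token lookup' key/value listing (stdin) for conditions that cause
#    403 while expire_time is still in the future: use-limited tokens, a TTL that has
#    hit zero, and a required policy that is not attached. Exit 1 if anything is found.
check_lookup_output() {
  awk -v pol="$1" '
    $1 == "num_uses" && $2 + 0 > 0 {
      print "num_uses=" $2 ": use-limited token, may already be exhausted"; bad = 1 }
    $1 == "ttl" && $2 == "0s" {
      print "ttl=0s: token has already expired"; bad = 1 }
    $1 == "policies" && pol != "" && index($0, pol) == 0 {
      print "required policy " pol " is not attached (" $0 ")"; bad = 1 }
    END { exit bad }'
}

# Run the checks only when the caller supplies values, e.g.
#   CHECK_TOKEN=xyz CHECK_ACCESSOR=zzz... CHECK_PATH=some/path/API CHECK_POLICY=renew_token sh diag.sh
if [ -n "${CHECK_TOKEN:-}" ] && [ -n "${CHECK_ACCESSOR:-}" ]; then
  token_matches_accessor "$CHECK_TOKEN" "$CHECK_ACCESSOR"
  token_capabilities_on "$CHECK_TOKEN" "${CHECK_PATH:-some/path/API}"
  VAULT_TOKEN="$CHECK_TOKEN" vault token lookup | check_lookup_output "${CHECK_POLICY:-}"
fi
```

The first check is the one most often skipped: lookup by accessor never confirms that the string in `$TOKEN` is the token that accessor belongs to.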