How to verify what's wrong with my Vault token?


I think my question is relatively simple. I searched Google but I couldn’t find the right answer…

Let’s say I have a token. I can see (with its accessor) its validation time, etc:

vault token lookup -accessor zzzzzzzzzzzzzzzzzzzzzzzzz

Key                 Value
---                 -----
accessor            zzzzzzzzzzzzzzzzzzzzzzzzz
creation_time       1616588705
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2021-04-25T14:25:05.900427128+02:00
explicit_max_ttl    0s
id                  n/a
issue_time          2021-03-24T13:25:05.900454868+01:00
meta                <nil>
num_uses            0
orphan              true
path                auth/token/create
policies            [default renew_token]
renewable           true
ttl                 741h29m57s
type                service

As you can see, it looks completely fine: the expiration date is in April (it is March now) and there is no information that would indicate any problem with the token. But when I want to use this token, I get “403 permission denied” each time I do something with it:

export TOKEN="xyz"

[root@test]:~# VAULT_TOKEN=$TOKEN vault read some/path/API
Error reading some/path/API: Error making API request.

URL: GET https://test:8200/v1/some/path/API
Code: 403. Errors:

* 1 error occurred:
        * permission denied

It’s not a policy issue, because the token has a good, valid policy (it works for another token with the same policy).

My question is: when “vault token lookup -accessor” shows that everything is fine but in reality the token doesn’t work, what could be the root cause, and how do I investigate such an issue? How can I check (with which commands) what the problem with the token is?
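One thing an accessor lookup cannot tell you is whether the string in `$TOKEN` is actually the token that accessor belongs to (note `id n/a` in the output above). The next step a practitioner takes is a self-lookup with the token itself (`VAULT_TOKEN=$TOKEN vault token lookup`), which fails outright if the token is invalid or revoked, and otherwise shows the accessor, expiry and policies of the token really being sent; `VAULT_TOKEN=$TOKEN vault token capabilities some/path/API` then shows what that token may do on the path. The script below is an added example, not code from the thread or from HashiCorp: it parses the key/value table the CLI prints and cross-checks an accessor lookup against a self-lookup. Both inputs are constructed samples (the accessor lookup is copied from the post; the self-lookup is invented with a different accessor and only the `default` policy to show the mismatch case), and the finding names are this example's own.

```python
"""Cross-check a `vault token lookup -accessor` view against a self-lookup of the
token actually being exported. Example code, not part of the original thread."""
import re
from datetime import datetime

# Constructed sample: output of `vault token lookup -accessor <accessor>` (from the post).
ACCESSOR_LOOKUP = """\
Key                 Value
---                 -----
accessor            zzzzzzzzzzzzzzzzzzzzzzzzz
creation_time       1616588705
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2021-04-25T14:25:05.900427128+02:00
explicit_max_ttl    0s
id                  n/a
issue_time          2021-03-24T13:25:05.900454868+01:00
meta                <nil>
num_uses            0
orphan              true
path                auth/token/create
policies            [default renew_token]
renewable           true
ttl                 741h29m57s
type                service
"""

# Constructed sample: output of `VAULT_TOKEN=$TOKEN vault token lookup` for a token
# whose accessor does NOT match the one above and which only carries `default`.
SELF_LOOKUP = """\
Key                 Value
---                 -----
accessor            yyyyyyyyyyyyyyyyyyyyyyyyy
creation_ttl        768h
expire_time         2021-04-25T14:25:05.900427128+02:00
num_uses            0
policies            [default]
renewable           true
type                service
"""


def parse_lookup(text):
    """Turn the two-column CLI table into a dict of string values."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(.*)$", line.rstrip())
        if not m or m.group(1) in ("Key", "---"):
            continue
        fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_policies(value):
    """'[default renew_token]' -> {'default', 'renew_token'}"""
    return set(value.strip("[]").split())


def parse_vault_time(value):
    """Vault prints nanosecond timestamps; trim to microseconds for fromisoformat."""
    trimmed = re.sub(r"(\.\d{6})\d+", r"\1", value)
    return datetime.fromisoformat(trimmed)


def triage(accessor_view, self_view, now_iso):
    """Return a list of finding names, checked against the token actually in use
    (the self-lookup), in a fixed order."""
    findings = []
    now = parse_vault_time(now_iso)
    # 1. The exported token is not the one whose accessor was inspected.
    if accessor_view.get("accessor") != self_view.get("accessor"):
        findings.append("accessor-mismatch")
    # 2. The token in use has already expired relative to `now`.
    if "expire_time" in self_view and parse_vault_time(self_view["expire_time"]) <= now:
        findings.append("expired")
    # 3. num_uses > 0 means a use-limited token (0 is unlimited in Vault's output).
    if int(self_view.get("num_uses", "0")) > 0:
        findings.append("limited-uses")
    # 4. A token carrying only `default` will be denied on most application paths.
    if parse_policies(self_view.get("policies", "[]")) <= {"default"}:
        findings.append("only-default-policy")
    return findings


if __name__ == "__main__":
    acc = parse_lookup(ACCESSOR_LOOKUP)
    me = parse_lookup(SELF_LOOKUP)
    print(triage(acc, me, "2021-03-25T00:00:00+00:00"))
```

Feed it the real output of the two commands (for example via `vault token lookup -format=json` parsed with `json.load`, or the table format as above) and an empty finding list means the token you are sending is the one you inspected, is unexpired, and carries more than `default`; at that point the remaining question is purely what the policy grants on the path, which `vault token capabilities` and `vault policy read renew_token` answer.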