Hello,
I think my question is relatively simple. I searched Google but couldn't find the right answer…
Let's say I have a token. I can see (with its accessor) its validity time, etc.:
```
vault token lookup -accessor zzzzzzzzzzzzzzzzzzzzzzzzz
Key                 Value
---                 -----
accessor            zzzzzzzzzzzzzzzzzzzzzzzzz
creation_time       1616588705
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2021-04-25T14:25:05.900427128+02:00
explicit_max_ttl    0s
id                  n/a
issue_time          2021-03-24T13:25:05.900454868+01:00
meta                <nil>
num_uses            0
orphan              true
path                auth/token/create
policies            [default renew_token]
renewable           true
ttl                 741h29m57s
type                service
```
As you can see, it looks completely fine: the expiration date is in April (it is March now) and there is no information that would indicate any problem with the token. But when I want to use this token, I get "403 permission denied" every time I do something with it:
```
export TOKEN="xyz"
[root@test]:~# VAULT_TOKEN=$TOKEN vault read some/path/API
Error reading some/path/API: Error making API request.

URL: GET https://test:8200/v1/some/path/API
Code: 403. Errors:

* 1 error occurred:
	* permission denied
```
It's not a policy issue, because the token has a good, valid policy (it works for another token with the same policy).
My question is: when "vault token lookup -accessor" shows that everything is fine but in reality the token doesn't work, what could be the root cause, and how do I investigate such an issue? How can I check (with some commands) what the problem with the token is?
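One way to triage this, as an added example that is not part of the original post: the accessor lookup reports `id n/a`, so it proves only that *some* token with that accessor is alive, not that the value in `$TOKEN` is that token. Asking Vault with the token itself (`lookup-self`) and asking which capabilities its policies give on the failing path (`sys/capabilities-self`) separates "wrong or dead token" from "policy does not grant read". The script assumes `VAULT_ADDR` and an operator `VAULT_TOKEN` in the environment and takes the token under test, its accessor and the path as arguments; `vault_api` and `diagnose` are names chosen here.

```python
"""Triage a Vault token that looks healthy under `vault token lookup -accessor`
but still answers 403. Assumes VAULT_ADDR and VAULT_TOKEN (operator) are set and
uses Vault's documented lookup-accessor, lookup-self and sys/capabilities-self."""
import json
import os
import sys
import urllib.error
import urllib.request


def vault_api(method, path, token, body=None):
    """Minimal Vault HTTP call; returns the parsed JSON body, or None on 403."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{os.environ['VAULT_ADDR']}/v1/{path}", data=data,
                                 method=method, headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return None
        raise


def diagnose(accessor_view, self_view, caps):
    """accessor_view: 'data' of the accessor lookup; self_view: 'data' of lookup-self
    with the token actually in use (None on 403); caps: capabilities on the target
    path. Returns findings that explain a 403; an empty list means look elsewhere."""
    if self_view is None:  # expired or revoked tokens also land here
        return ["the token string in use is not a live token: wrong value, revoked, "
                "or issued in another namespace; the accessor lookup says nothing about it"]
    findings = []
    if self_view["accessor"] != accessor_view["accessor"]:
        findings.append("token in use has a different accessor than the one inspected")
    if set(self_view["policies"]) <= {"default"}:
        findings.append("only the default policy is attached")
    if "deny" in caps or not {"read", "root"} & set(caps):
        findings.append(f"attached policies grant {sorted(caps)} on the path, not read")
    return findings


if __name__ == "__main__":
    token, accessor, path = sys.argv[1:4]  # token under test, its accessor, API path
    acc = vault_api("POST", "auth/token/lookup-accessor", os.environ["VAULT_TOKEN"],
                    {"accessor": accessor})["data"]
    me = vault_api("GET", "auth/token/lookup-self", token)
    resp = vault_api("POST", "sys/capabilities-self", token, {"paths": [path]})
    caps = resp["data"].get(path, resp["data"].get("capabilities", [])) if resp else []
    for line in diagnose(acc, me and me["data"], caps) or ["no finding; check the audit log"]:
        print(line)
```

If every check passes, the audit device log for the 403 shows the exact path and policies Vault evaluated, which is the next place to look.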