Policies not applied to Token

Hi, I am new to Vault. I am authenticating LDAP users into Vault and now I am trying to set some policies for those users.

The result of applying the policies is as follows:

Key                  Value
---                  -----
token                xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
token_accessor       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
token_duration       768h
token_renewable      true
token_policies       ["amops" "default"]
identity_policies    ["amops"]
policies             ["amops" "default"]
token_meta_username  jmalik

But when I check the token capabilities I get denied.
$ vault token capabilities cubbyhole
deny

My policy is as follows:

path "cubbyhole/*" {
    capabilities = ["read"]
}

Your help in this regard will be highly appreciated, thanks.

The reason you’re getting back deny is that the path you’re hitting is cubbyhole, but the path the policy specifies is cubbyhole/*. But there’s no real point in trying to access “cubbyhole” by itself, so I think the policy as written is fine, it’s the capabilities call that’s wrong-headed. You would need to run vault token capabilities cubbyhole/ to see the effect of the given policy.

The policy is unnecessary though, because everyone gets the default policy by default, which includes:

# Allow a token to manage its own cubbyhole
path "cubbyhole/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

As far as I know the only reason you’d set up a cubbyhole policy is if you wanted to restrict access to it using the deny capability.
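To make the two points in this thread concrete (a glob rule on "cubbyhole/*" does not match the bare path "cubbyhole", and "deny" is the only way a cubbyhole rule changes anything beyond what the default policy already grants), here is an added, simplified model of Vault's ACL path matching. It is example code, not Vault's implementation: the "amops" rule and the default-policy fragment are the ones quoted above, while the "no-cubbyhole" policy and the longest-match/merge rules are assumptions that approximate Vault's documented behaviour.

```python
# Added example: a small model of Vault ACL path matching, not Vault's own code.
# "amops" and "default" mirror the HCL quoted in the thread; "no-cubbyhole" is a
# constructed policy that uses the deny capability mentioned in the answer.

from typing import Dict, List, Set

# Policy bodies as {path_pattern: [capabilities]}.
POLICIES: Dict[str, Dict[str, List[str]]] = {
    "amops": {"cubbyhole/*": ["read"]},
    "default": {"cubbyhole/*": ["create", "read", "update", "delete", "list"]},
    # Constructed for illustration: a policy that locks the cubbyhole down.
    "no-cubbyhole": {"cubbyhole/*": ["deny"]},
}


def rule_matches(pattern: str, path: str) -> bool:
    """Vault glob semantics: a trailing '*' matches any suffix (including the
    empty one); anything else is an exact, case-sensitive match.
    'cubbyhole/*' therefore matches 'cubbyhole/' but NOT 'cubbyhole'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def capabilities(policy_names: List[str], path: str) -> Set[str]:
    """Resolve what the attached policies grant on `path` (simplified model):
    the most specific (longest) matching pattern wins, capabilities from all
    policies at that specificity are merged, 'deny' anywhere overrides, and
    no match at all is an implicit deny."""
    best_len, caps = -1, set()  # type: int, Set[str]
    for name in policy_names:
        for pattern, granted in POLICIES[name].items():
            if not rule_matches(pattern, path):
                continue
            if len(pattern) > best_len:
                best_len, caps = len(pattern), set(granted)
            elif len(pattern) == best_len:
                caps |= set(granted)
    if not caps or "deny" in caps:
        return {"deny"}
    return caps


if __name__ == "__main__":
    # The poster's token: amops + default, checked on the bare path vs. the glob.
    print("cubbyhole  ->", capabilities(["amops", "default"], "cubbyhole"))
    print("cubbyhole/ ->", capabilities(["amops", "default"], "cubbyhole/"))
    print("with deny  ->", capabilities(["default", "no-cubbyhole"], "cubbyhole/x"))
```

Running it shows the bare path resolving to deny while "cubbyhole/" already carries the full default-policy capability set, so the extra read rule adds nothing unless it is a deny.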