When creating an OIDC role in the Vault CLI, you can do the following:
vault write auth/oidc/role/default-role \
Success! Data written to: auth/oidc/role/default-role
However, in the corresponding Terraform resource, there is no (plain) policies attribute, just a
Why is that?
$ vault path-help auth/oidc/role/some-name-here
policies
    (DEPRECATED) Use "token_policies" instead. If this and "token_policies" are both specified, only "token_policies" will be used.
token_policies
    Comma-separated list of policies
policies is the deprecated old name, kept for compatibility.
token_policies is the new canonical name of the option.
In the extreme olden days of Vault (Vault 0.7!), policies were always assigned to tokens.
Then the Identity system came along in 0.8 / 0.9, and it became desirable to clarify policies applied via tokens, and policies applied via the identity system. So many options got renamed to token_policies. But the old naming is still supported, though deprecated, to prevent inconveniencing users with existing scripts.
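The precedence rule quoted from the path-help output above is easy to get wrong in an existing script that still passes policies= (it is silently ignored as soon as token_policies= is present). The following is an added example, not Vault's own code or anything from the Terraform provider: a small pre-flight checker for the key=value arguments you would hand to vault write, which computes the policies Vault would actually attach and warns about the deprecated field and about a silently overridden value. The precedence it models is the one documented in the help text; the handling of edge cases such as an explicitly empty token_policies is an assumption and should be checked against your Vault version. The sample arguments in the usage block are constructed for illustration.

```python
"""Pre-flight check for the policy fields of a Vault auth role write.

Added example, not Vault or Terraform code. Models the documented rule:
when both `policies` (deprecated) and `token_policies` are present, only
`token_policies` takes effect. Edge-case handling (e.g. an explicitly
empty `token_policies`) is an assumption here, not verified Vault behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PolicyCheck:
    effective: list[str]                     # policies Vault would attach to issued tokens
    warnings: list[str] = field(default_factory=list)


def _as_list(value) -> list[str]:
    """Accept the forms the API accepts: a comma-separated string or a list."""
    if value is None:
        return []
    if isinstance(value, str):
        value = value.split(",")
    return [p.strip() for p in value if p and p.strip()]


def parse_write_args(args: list[str]) -> dict[str, str]:
    """Turn `key=value` tokens, as typed after `vault write <path>`, into a dict.

    Convention of this checker (not a claim about the CLI): a repeated key is
    merged into one comma-separated value.
    """
    data: dict[str, str] = {}
    for arg in args:
        if "=" not in arg:
            raise ValueError(f"not a key=value pair: {arg!r}")
        key, _, value = arg.partition("=")
        data[key] = f"{data[key]},{value}" if key in data else value
    return data


def check_policy_fields(data: dict) -> PolicyCheck:
    """Resolve `policies` vs `token_policies` the way the help text describes."""
    old = _as_list(data.get("policies"))
    new = _as_list(data.get("token_policies"))
    warnings: list[str] = []

    if "policies" in data:
        warnings.append("`policies` is deprecated; use `token_policies` instead")

    if new:
        # token_policies wins outright; a differing `policies` value is ignored.
        effective = new
        if old and sorted(old) != sorted(new):
            warnings.append(
                f"`policies`={old} is ignored because `token_policies`={new} is set"
            )
    else:
        # Only the deprecated field is present: it still works, for compatibility.
        effective = old

    if not effective:
        warnings.append("no policies configured on this role")
    return PolicyCheck(effective, warnings)


if __name__ == "__main__":
    # Constructed sample: a legacy script that was "updated" by adding
    # token_policies but kept the old policies= argument with a broader value.
    sample_args = ["policies=admin", "token_policies=dev,ops", "ttl=1h"]
    result = check_policy_fields(parse_write_args(sample_args))
    print("effective token policies:", result.effective)
    for w in result.warnings:
        print("warning:", w)
```

Run it against the argument list of any existing vault write auth/oidc/role/... invocation before migrating the script; a clean result is one with no warnings and effective equal to the policies you intended.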