Policies when creating vault roles via cli vs terraform

When creating an oidc role in vault cli, you can do the following:

vault write auth/oidc/role/default-role \
    user_claim="sub" \
    bound_audiences=$CLIENT_ID \
    allowed_redirect_uris="https://my-vault-url/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    policies=policy-deny \
Success! Data written to: auth/oidc/role/default-role

However, in the corresponding terraform resource, there is no (plain) policies attribute, just a token_policies

Why is that?

$ vault path-help auth/oidc/role/some-name-here
    policies (slice)

        (DEPRECATED) Use "token_policies" instead. If this and "token_policies" are both specified, only "token_policies" will be used.
    token_policies (slice)

        Comma-separated list of policies

policies is the deprecated old name, kept for compatibility. token_policies is the new canonical name of the option.

In the extreme olden days of Vault (Vault 0.7 !), policies were always assigned to tokens.

Then the Identity system came along in 0.8 / 0.9, and it became desirable to clarify policies applied via tokens, and policies applied via the identity system. So many options got renamed to token_policies. But the old naming is still supported, though deprecated, to prevent inconveniencing users with existing scripts.

1 Like