Policy to create tokens

Dear HashiCorp community,

I am trying to move away from using root tokens and trying to create a token with permissions to create other tokens, secrets, policies, roles under the /devops-ws/ path.

My problem is in creating tokens.

For instance:

This is the policy for an administrator of the devops-ws path. I want to use this policy to create a token which could create new tokens, manage secrets, create policies and create roles under /devops-ws/*

# sys/policies/acl takes a single "policy" string; a JSON object with the key
# repeated keeps only the last rule, so all rules go into one value.
tee policy_devops_admin.json <<"EOF"
{
  "policy": "path \"/sys/mounts/devops-ws/*\" { capabilities = [\"read\", \"list\", \"create\", \"update\", \"delete\"] }\npath \"/sys/auth/devops-ws/*\" { capabilities = [\"read\", \"list\", \"create\", \"update\", \"delete\"] }\npath \"/sys/auth/token/*\" { capabilities = [\"read\", \"list\", \"create\", \"update\", \"delete\"] }\npath \"/sys/policy/devops-ws/*\" { capabilities = [\"read\", \"list\", \"create\", \"update\", \"delete\"] }\npath \"/sys/policies/acl/devops-ws/*\" { capabilities = [\"read\", \"list\", \"create\", \"update\", \"delete\"] }"
}
EOF

curl $VAULT_ADDR/v1/sys/policies/acl/devops-ws/admin \
-X PUT \
-H "X-Vault-Token: $VAULT_ROOT_KEY" \
-d @policy_devops_admin.json

Now I create my token:

tee create_devops_admin_token.json <<EOF
{
  "policies": ["devops-ws/admin"]
}
EOF

VAULT_DEVOPS_ADMIN_TOKEN=$(curl --silent -X POST \
-d @create_devops_admin_token.json \
-H "X-Vault-Token: $VAULT_ROOT_KEY" \
$VAULT_ADDR/v1/auth/token/create | jq -r '.auth.client_token')

vault token lookup $VAULT_DEVOPS_ADMIN_TOKEN
Key                 Value
---                 -----
accessor            Wnggx08bIe1P9rcatnIlxlIo
creation_time       1633967049
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2021-11-12T15:44:09.800960097Z
explicit_max_ttl    0s
id                  s.QfDzm4KRvECuZuf46ufIjlMn
issue_time          2021-10-11T15:44:09.800971488Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default devops-ws/admin]
renewable           true
ttl                 767h59m48s
type                service

This VAULT_DEVOPS_ADMIN_TOKEN has the problem that I cannot create tokens with it.

For instance, I want to create a new token to generate secret-ids. I start with the policy:

tee policy_secret_devops_gitlab_admin.json <<EOF
{
  "policy": "path \"auth/devops-ws/gitlab/tds/role/cicd/secret-id\" { capabilities = [\"update\"] }"
}
EOF

curl $VAULT_ADDR/v1/sys/policies/acl/devops-ws/gitlab/tds/create-secret-id \
-X PUT \
-H "X-Vault-Token: $VAULT_DEVOPS_ADMIN_TOKEN" \
-d @policy_secret_devops_gitlab_admin.json

Then I create the token:

tee create_gitlab_tds_secretid_token.json <<EOF
{
  "policies": ["devops-ws/gitlab/tds/create-secret-id"],
  "ttl": "1h",
  "renewable": true
}
EOF

curl --silent -X POST \
-d @create_gitlab_tds_secretid_token.json \
-H "X-Vault-Token: $VAULT_DEVOPS_ADMIN_TOKEN" \
$VAULT_ADDR/v1/auth/token/create-orphan

{"errors":["1 error occurred:\n\t* permission denied\n\n"]}

I assume the problem is the policy in policy_devops_admin.json.
Any advice on how to create a token which can create other tokens?

Thank you.

I think you might be missing a policy entry like "policy": "path \"/auth/token/*\" { capabilities = [\"read\", \"list\", \"create\", \"update\", \"delete\"] }"

The path /sys/auth/token is for managing the settings on the auth method itself, not individual roles/tokens. For the latter you’ll need to specify the path auth/token/* and grant permissions to that.

Review the API documentation to better understand the paths you’ll need to provision access to. And of course, always keep least privilege in mind when granting permissions, if it’s not needed don’t grant it.

Look into using Token Roles.
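The replies above make two points that are easy to check offline: the token API lives under `auth/token/*` rather than `sys/auth/token/*`, and a token role lets you restrict which policies a minted token may carry. The following is an added example, not code from the thread or from HashiCorp: it rebuilds the devops-ws admin rules from the original post as one HCL document, serialises them into the `{"policy": ...}` body that `sys/policies/acl` expects, shows what Vault actually receives when the `"policy"` key is repeated in one JSON object, and runs a deliberately simplified model of Vault's ACL matching (trailing `*` as a prefix glob, longest match wins; the real engine also handles `+`, `deny`, `sudo` and parameter constraints) to show why `auth/token/create-orphan` was denied. The role name and the `DUPLICATE_KEY_PAYLOAD` text are constructed for the demonstration.

```python
"""Added example (not from the thread): model the token-creation ACL problem."""
import json
import re

CAPS_ALL = ["read", "list", "create", "update", "delete"]

# Rule paths taken from the original post's policy_devops_admin.json.
ORIGINAL_RULES = {
    "/sys/mounts/devops-ws/*": CAPS_ALL,
    "/sys/auth/devops-ws/*": CAPS_ALL,
    "/sys/auth/token/*": CAPS_ALL,          # auth-method settings, not tokens
    "/sys/policy/devops-ws/*": CAPS_ALL,
    "/sys/policies/acl/devops-ws/*": CAPS_ALL,
}

# The fix suggested in the reply: grant the token endpoints themselves.
FIXED_RULES = dict(ORIGINAL_RULES)
FIXED_RULES["auth/token/*"] = CAPS_ALL

# Constructed payload in the shape the post used: one JSON object, key repeated.
DUPLICATE_KEY_PAYLOAD = (
    '{\n'
    '  "policy": "path \\"/sys/mounts/devops-ws/*\\" { capabilities = [\\"read\\"] }",\n'
    '  "policy": "path \\"/sys/policies/acl/devops-ws/*\\" { capabilities = [\\"read\\"] }"\n'
    '}'
)


def policy_hcl(rules):
    """Render a rules dict as a single HCL policy document."""
    blocks = []
    for path, caps in rules.items():
        caps_str = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{path}" {{\n  capabilities = [{caps_str}]\n}}')
    return "\n".join(blocks)


def policy_payload(rules):
    """JSON body for PUT /v1/sys/policies/acl/<name>: exactly one "policy" key."""
    return json.dumps({"policy": policy_hcl(rules)})


def rules_seen_by_vault(json_text):
    """Parse a payload the way a JSON decoder does: a repeated key keeps only
    its last value, so every earlier "policy" entry is silently dropped."""
    policy = json.loads(json_text)["policy"]
    return re.findall(r'path\s+"([^"]+)"', policy)


def _normalise(path):
    # Vault strips one leading "/" from policy paths; request paths have none.
    return path.lstrip("/")


def allowed(rules, request_path, capability):
    """Simplified ACL check (assumption: only trailing-'*' prefix globs and
    exact matches; the most specific matching rule decides)."""
    request_path = _normalise(request_path)
    best = None
    for pattern, caps in rules.items():
        p = _normalise(pattern)
        hit = request_path.startswith(p[:-1]) if p.endswith("*") else request_path == p
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, caps)
    return best is not None and capability in best[1]


def token_role_payload(allowed_policies, orphan=True):
    """Body for POST /v1/auth/token/roles/<role>; tokens minted through
    auth/token/create/<role> may carry only the listed policies."""
    return json.dumps({"allowed_policies": allowed_policies, "orphan": orphan})


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        ok = allowed(rules, "auth/token/create-orphan", "update")
        print(f"{name}: update auth/token/create-orphan -> {'allowed' if ok else 'permission denied'}")
    print("rules surviving a duplicate-key payload:", rules_seen_by_vault(DUPLICATE_KEY_PAYLOAD))
    print("token role body:", token_role_payload(["devops-ws/gitlab/tds/create-secret-id"]))
```

Running it prints `permission denied` for the original rule set and `allowed` for the fixed one, and shows that the duplicate-key payload delivers a single rule to Vault. The role payload is the least-privilege alternative the last reply points at: instead of granting `auth/token/*` wholesale, an admin token can be limited to `auth/token/create/<role>` and the role's `allowed_policies` caps what the child tokens may receive.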