Token capabilities for getting AppRole role-id and secret

Hi, I’m new to Vault and have been playing with Vault AppRole. When using the API to get the role-id and secret-id, it requires a token. My question is, what access must this token have, and what’s a good practice for generating this token? Thanks a lot in advance.

See https://learn.hashicorp.com/tutorials/vault/approle#policy-requirements

In most cases you will have a Vault admin user do this.
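As an added illustration (not from the linked tutorial or the answer above), here is a least-privilege ACL policy for the token that only has to hand out credentials for one AppRole. The role name `my-app` and the policy name `my-app-orchestrator` are assumptions; the two API paths are the standard AppRole endpoints, and the capabilities reflect the HTTP verbs each one uses (GET for role-id, POST for secret-id). Nothing here needs `sudo` or access to `sys/auth`, which is only required when mounting or tuning the auth method itself.

```hcl
# Assumed policy name: my-app-orchestrator
# Grants exactly what a "trusted orchestrator" token needs to fetch
# credentials for the AppRole named "my-app" (assumed name), and nothing else.

# Reading the role-id is a GET, so "read" is the capability it needs.
path "auth/approle/role/my-app/role-id" {
  capabilities = ["read"]
}

# Generating a secret-id is a POST (vault write -f ...), so it needs "update".
# "create" is not required: the endpoint does not create a new path, it returns
# a freshly minted secret-id each time it is called.
path "auth/approle/role/my-app/secret-id" {
  capabilities = ["update"]
}

# Deliberately NOT granted:
#   auth/approle/role/my-app           (would allow changing the role's policies/TTLs)
#   auth/approle/role/*                (would expose every AppRole)
#   sys/auth/approle, sys/policies/acl (admin-level; only needed to set things up)
```

Usage (run by an admin, since writing policies and minting tokens is the admin's job): `vault policy write my-app-orchestrator my-app-orchestrator.hcl`, then `vault token create -policy=my-app-orchestrator -ttl=1h -orphan`. The resulting token can run `vault read auth/approle/role/my-app/role-id` and `vault write -f auth/approle/role/my-app/secret-id`, but a `vault write auth/approle/role/my-app token_policies=...` with it is denied. Keeping the orchestrator token short-lived and limited to these two paths matters because anyone holding it can mint secret-ids, which is equivalent to being able to log in as the application.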

Got it. I was assuming there’s a default policy for that, but it looks like I can create a custom policy to handle AppRole admin work. Thanks a lot!