Token create terraform capability

Since terraform requires /auth/token/create with “update” capabilities to create a token (short ttl) to apply the terraform configuration to vault, doesn’t this mean that they can also create new token using any of the policies (except for root) once they login to the vault?

I have vault deployed in Kubernetes and my current setup is that user retrieves a vault token using OIDC/okta and then that token is used to create new policies, and configure kubernetes auth method and render secrets for the k8s deployment.

Any idea on how I can create a flow where the user who is authenticated can create policies, secrets, and configure kubernetes auth for k8s deployment, but not be able to create tokens other than for terraform to do its initial token creation?

If anyone can help me guide in the right direction, it’d be much appreciated, thank you!

Link to vault requiring to create its own short ttl child token for related tasks.

I had a similar concern when I first started using Vault and Terraform but discovered that child tokens may only have a subset of the policies applied to the token creating the child token per Token - Auth Methods - HTTP API | Vault by HashiCorp

Please note that there is an open issue as it pertains to assigning specific policies inherited through Identity Entities/Groups: Error creating child token with policy assigned to parent as identity policy · Issue #11707 · hashicorp/vault · GitHub
If you’re not using Identity Entities/Groups for policy assignment then this would not apply to your use case.
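As an added example, not taken from the thread and not HashiCorp's own code, here is what an ACL policy for the flow described in the question might look like once the subset rule from the reply is taken into account. The policy name, the `auth/kubernetes` mount path, and the `secret/` KV v2 mount are assumptions; adjust them to your mounts.

```hcl
# Hypothetical policy "k8s-deployer" (constructed example), attached to the
# token the user obtains through the OIDC/Okta login.

# Manage ACL policies.
# Caveat: write access here also lets the holder edit the policy attached to
# their own token, which is a broader grant than token creation itself, so
# narrow this path (e.g. to a name prefix) as far as the workflow allows.
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Configure the Kubernetes auth method (assumed mounted at auth/kubernetes).
path "auth/kubernetes/config" {
  capabilities = ["create", "read", "update"]
}
path "auth/kubernetes/role/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Secrets rendered into the deployment (assumed KV v2 mounted at secret/).
path "secret/data/k8s/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/k8s/*" {
  capabilities = ["read", "list"]
}

# Let Terraform create its short-TTL child token. Without a token role, Vault
# rejects a child whose requested policies are not a subset of the parent's
# ("child policies must be subset of parent"), so "update" here does not let
# the user mint a token carrying policies they do not already hold.
# Keep this to "update" only: a token that is root or has "sudo" on this path
# is exempt from the subset check.
path "auth/token/create" {
  capabilities = ["update"]
}
```

With this policy a child token can at most repeat the parent's policy set (and, per the open issue cited above, policies granted through identity entities or groups may not be inheritable by the child at all), so the "any policy except root" worry from the question does not arise; the larger privilege in this policy is the ability to write ACL policies, not the token-create capability.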


Thank you @jeffsanicola for the helpful information.