Token Role Inheriting Policies from different namespace

Hi there,
I’m running into behavior which I don’t understand.

In our admin namespace, I have a group with 3 policies attached.
In our admin/foo namespace I’ve created a token auth role named consul with one policy attached.

When I create a token for the consul role using the cli I get the 3 policies from the group in the admin namespace added as identity-policies.

vault token create -orphan -namespace=admin/foo -role consul -display-name consul-test

Key                  Value
---                  -----
...
identity_policies    ["admin-administrator" "all-identity-admin" "root-ca-administrator"]
policies             ["admin-administrator" "all-identity-admin" "default" "root-ca-administrator" "vault-managed-pki"]

My question is what is adding the identity policies? The role isn’t associated with an entity or an alias. I am a member of the group in question, so maybe the policies are being inherited from me. However, according to the docs:

The generated token will inherit all policies and permissions of the currently authenticated token unless you explicitly define a subset list policies to assign to the token.

Even when I pass in policies explicitly via -policy="my-policy", the identity policies are added:

vault token create -orphan -namespace=admin/grapl -role consul -display-name consul-staging-test -policy="vault-managed-pki"

---                  -----
...
token_policies       ["default" "vault-managed-pki"]
identity_policies    ["admin-administrator" "all-identity-admin" "root-ca-administrator"]
policies             ["admin-administrator" "all-identity-admin" "default" "root-ca-administrator" "vault-managed-pki"]

I have to confess, I had to read the source code of Vault to figure out what was going on here…

First, though, a bit of background: in Vault, there are two entirely separate ways policies can be linked to tokens:

  1. Policy names embedded directly in the token

  2. Identity ID embedded in the token; policies looked up via the identity

The sentence you quote from the docs is talking specifically about 1), whilst the extra policies you’re seeing in your example are from 2).

The actual issue here is that, apparently, the -orphan and -role options to vault token create are not compatible. It seems that when you are creating a token using a token role, whether it is orphan or not (which also controls whether the connection with the identity is inherited) comes from the value of the orphan flag configured in the role, and not from the value passed in the token creation request.

IMO it’s a bug that the API doesn’t warn that it’s ignoring the parameter.
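
To make the two linkage paths concrete, here is an added Python model of the behaviour maxb describes above; it is not Vault's code and not from either poster. The entity id, group name and parent token are constructed sample values, and the model only covers what the thread states: token policies come from the request (or the role's policy list, or the parent), identity policies come from the entity's groups, and the role's own orphan setting, not the request flag, decides whether the entity link is inherited.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data mirroring the thread: the caller's entity belongs to
# a group in the admin namespace that carries three policies.
GROUP_POLICIES = {"admin-group": ["admin-administrator", "all-identity-admin",
                                  "root-ca-administrator"]}
ENTITY_GROUPS = {"entity-sample": ["admin-group"]}  # hypothetical entity id


@dataclass
class TokenRole:
    name: str
    orphan: bool                       # the role's own orphan setting
    allowed_policies: List[str] = field(default_factory=list)


@dataclass
class Token:
    token_policies: List[str]          # linkage 1: policy names embedded in the token
    entity_id: Optional[str] = None    # linkage 2: identity id embedded in the token

    @property
    def identity_policies(self) -> List[str]:
        """Policies resolved through the entity's group memberships (linkage 2)."""
        groups = ENTITY_GROUPS.get(self.entity_id, []) if self.entity_id else []
        return sorted({p for g in groups for p in GROUP_POLICIES.get(g, [])})

    @property
    def policies(self) -> List[str]:
        """What `vault token create` reports as `policies`: the union of both paths."""
        return sorted(set(self.token_policies) | set(self.identity_policies))


def create_token(parent: Token, role: TokenRole, request_orphan: bool,
                 requested_policies: Optional[List[str]] = None) -> Tuple[Token, List[str]]:
    """Simplified model of `vault token create -role ... [-orphan] [-policy ...]`."""
    warnings = []
    # The role's orphan setting wins; the request flag is silently ignored.
    # A warning here is the check the thread says the API itself does not give.
    if request_orphan != role.orphan:
        warnings.append(f"-orphan={request_orphan} ignored: role {role.name!r} "
                        f"is configured with orphan={role.orphan}")
    # Linkage 1: explicit request, else the role's policies, else the parent's.
    token_policies = set(requested_policies or role.allowed_policies or parent.token_policies)
    token_policies.add("default")
    # Linkage 2: a non-orphan token keeps the parent's entity link, and with it
    # every policy granted through that entity's groups.
    entity_id = None if role.orphan else parent.entity_id
    return Token(sorted(token_policies), entity_id), warnings
```

Running the non-orphan role reproduces the poster's output (three identity policies despite -orphan), while the same role with orphan=true yields no identity policies.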

@maxb,
Thank you for the help. I’ve updated the code and confirmed that this works. I’ll see about putting up a PR to update the docs at the very least.