I am trying to create a token using the following script
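#######################################
# Create an application token from the AppRole login token and print the
# new token's lookup-self record.
# Globals:
#   VAULT_ADDR (read) - Vault base URL; defaults to http://vault-server:8200
# Arguments:
#   $1 - optional token role name. When given, the token is created through
#        /auth/token/create/<role>, so the role's allowed_policies (not the
#        parent token's policy names) bound the requested policies.
# Inputs:   /vault/scripts/login-response.json (AppRole login response)
# Outputs:  lookup-self JSON on stdout; the create response is written to
#           /vault/scripts/token-response.json; diagnostics go to stderr
# Returns:  0 on success, 1 when no parent token or no child token is found
#######################################
createAppToken() {
  local token_role=${1:-}
  local vault_addr=${VAULT_ADDR:-http://vault-server:8200}
  local login_file='/vault/scripts/login-response.json'
  local token_file='/vault/scripts/token-response.json'
  local client_token token create_url

  # Declaration and assignment are separate so jq's exit status is not
  # masked by 'local'; -e turns a null/missing client_token into a failure.
  client_token=$(jq -er '.auth.client_token' < "$login_file") || {
    printf 'createAppToken: no .auth.client_token in %s\n' "$login_file" >&2
    return 1
  }

  # Vault requires the requested policies to be a subset of the parent
  # token's policy *names* (here main-policy, plus default); read-only-policy
  # is not among them, which is what "child policies must be subset of
  # parent" reports. Either add read-only-policy to main-role's
  # token_policies or create the token through a token role whose
  # allowed_policies lists it (see $1). no_parent additionally needs sudo on
  # the create path, which main-policy does not grant; auth/token/create-orphan
  # is the non-sudo way to obtain an orphan token.
  local payload='{"policies":["read-only-policy"],"no_default_policy":"true","ttl":"10h","explicit_max_ttl":"10h","renewable":"true","no_parent":"true","role_name":"anarcy-role","meta":{"owner": "main"}}'

  # The role_name body field is presumably ignored by the bare create
  # endpoint; a token role is selected through the URL instead.
  create_url="$vault_addr/v1/auth/token/create"
  if [[ -n "$token_role" ]]; then
    create_url="$create_url/$token_role"
  fi

  # -sS keeps curl quiet but still reports transport errors. No --fail: a 4xx
  # body carries Vault's {"errors":[...]} and is saved for the check below.
  curl -sS --request POST -H "X-Vault-Token: $client_token" \
    --data "$payload" "$create_url" > "$token_file"

  token=$(jq -er '.auth.client_token' < "$token_file") || {
    printf 'createAppToken: token create failed: %s\n' \
      "$(jq -r '.errors // [] | join("; ")' < "$token_file")" >&2
    return 1
  }

  # Pipe curl straight into jq; 'echo $(curl ...)' word-split the JSON first.
  # NOTE(review): tokens passed via -H are visible in ps and set -x traces.
  curl -sS --request POST -H "X-Vault-Token: $token" \
    "$vault_addr/v1/auth/token/lookup-self" | jq .
}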
The `read-only-policy` policy with which this token is to be created is based on the following policy.hcl file:
# read-only-policy: grants create, read and list on secrets below kv-v2/wall-e/.
# NOTE(review): "create" makes this more than read-only; drop it if the token
# should only read and list.
# A child token may request this policy only if the parent token's policy
# list names it (or a token role's allowed_policies does): Vault's subset
# check compares policy names, not the paths and capabilities granted here.
path "kv-v2/wall-e/*" {
capabilities = ["create", "read", "list"]
}
The `client_token` is obtained from the following login request:
curl --request POST --data ""{\"role_id\":\"$role_id\", \"secret_id\":\"$secret_id\"}"" http://vault-server:8200/v1/auth/approle/login
The role for the credentials is created as follows:
# Role definition for main-role (presumably excerpted from a function: 'local'
# is only valid inside one). Tokens issued by logging in to this role are
# service tokens with a 10h TTL and max TTL carrying main-policy (plus the
# default policy unless that is disabled on the role).
# NOTE(review): because token_policies lists only main-policy, tokens from
# this role cannot create children holding read-only-policy unless a token
# role's allowed_policies permits it, or read-only-policy is added here.
local payload='{"token_policies": ["main-policy"], "token_type": "service", "token_ttl": "10h", "token_max_ttl": "10h"}'
# Role writes are done with the root token here; $root_token on argv is
# visible to other processes on the host while curl runs.
curl --request POST --header "X-Vault-Token: $root_token" --data "$payload" http://vault-server:8200/v1/auth/approle/role/main-role
and the policy on which this role is based (`main-policy`) is the following:
# main-policy: attached to tokens issued through main-role.
# Vault's "child policies must be subset of parent" check compares policy
# *names*: a token holding only main-policy (plus default) cannot mint a child
# with read-only-policy, however broad the grants below are, unless a token
# role's allowed_policies lists that policy.
# NOTE(review): Vault appears to tolerate the leading "/" on the paths below,
# but the documented form is without it (e.g. "sys/health") — confirm on the
# Vault version in use.
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
# Full read/write over every kv-v2 secret, not only wall-e/.
path "kv-v2/*" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/sys/capabilities-self" {
capabilities = ["read", "list"]
}
path "/sys/capabilities/acl/*" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/sys/health" {
capabilities = ["read"]
}
path "/sys/in-flight-req" {
capabilities = ["read"]
}
path "/sys/internal/specs/openapi" {
capabilities = ["read"]
}
path "/sys/internal/ui/namespaces" {
capabilities = ["read"]
}
path "/sys/ha-status" {
capabilities = ["read"]
}
path "/sys/leases" {
capabilities = ["read"]
}
path "/sys/metrics" {
capabilities = ["read"]
}
path "/sys/monitor" {
capabilities = ["read"]
}
path "/sys/namespaces" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
# NOTE(review): create/update on sys/policies/acl/* lets a holder rewrite any
# ACL policy, including this one — effectively administrator rights. Keep it
# out of policies attached to application roles.
path "/sys/policies/acl/*" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/sys/well-known" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
# Token creation. None of these grants "sudo", which the no_parent option on
# auth/token/create requires; auth/token/create-orphan is the non-sudo route
# to an orphan token. The subset-of-parent rule is not affected by any of
# these grants.
path "/auth/token/create" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/create-orphan" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/create/*" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/lookup" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/lookup-self" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/renew" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/renew-self" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/revoke" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/revoke-self" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
# Token roles can be defined here; a role with allowed_policies containing
# read-only-policy, used via auth/token/create/<role>, is one way past the
# subset-of-parent check.
path "/auth/token/roles" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
path "/auth/token/roles/*" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
# Without a trailing /* this matches only the exact auth/approle/role path
# (the role list endpoint), not individual roles under it.
path "/auth/approle/role" {
capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
I get this error:
Error creating token: child policies must be subset of parent