Quick question: Can I add policies to an existing approle and will the existing role-ID/secret-ID pairs be able to issue tokens with that new policies?
I have used that approle for a while and realized I forgot that a second policy “pol2” is needed.
Can I, after the fact, just do:
vault write auth/approle/role/testrole policies=pol2
# or
vault write auth/approle/role/testrole policies=pol1,pol2
# or
vault write auth/approle/role/testrole policies=[pol1,pol2]
# or
vault write auth/approle/role/testrole policies=pol1 policies=pol2
(I’m not even sure on the correct syntax here, please tell me which is correct.)
And then new tokens created with pre-existing role-ID + secret-ID pairs will be able to use pol2 as well?
token_policies are the policies attached to the token itself (typically via the role settings). There’s a field not displayed here as it’s not in use called identity_policies which would be policies applied from Identity Entities and Identity Groups. policies is the cumulative list of token_policies and identity_policies.
We should mention that modifying the policies of an auth method does not change any tokens already created via that auth method. However, modifying an existing policy (adding, changing, deleting actual policies within that one policy that the token is based off) does have an impact on the capabilities of the token.
Thanks Aram, with approle that is fine, since I was talking about new tokens. Approle tokens are supposed to be short-lived, so a small transition period is okay for me. Just didn’t want to redeploy things with completely new role-id and secret-id just because I forgot a policy.
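The procedure the question asks about, written out as an added example (this is not code from the thread or from HashiCorp): update the role's policy list with the complete set, read it back, then log in with an already-issued role-id/secret-id pair and confirm the new token carries the added policy. It uses the role name testrole and the policies pol1/pol2 from the thread, and assumes a reachable Vault at $VAULT_ADDR with an admin token in $VAULT_TOKEN and a Vault version that accepts the token_policies role parameter (policies is the older alias). The parameter replaces the whole list rather than appending, which is why the helper always receives every policy the role should keep.

```shell
#!/bin/sh
# Added example, not from the thread: update an AppRole's policy list and
# verify that a fresh login with the existing role-id/secret-id picks it up.
# Assumptions: role "testrole" and policies "pol1"/"pol2" (from the thread),
# Vault reachable via $VAULT_ADDR with a privileged $VAULT_TOKEN, and a Vault
# version that uses the "token_policies" role parameter.
set -eu

ROLE=${ROLE:-testrole}

# Join arguments with commas. The CLI takes the *complete* list, so pass every
# policy the role should keep, not only the one being added.
join_policies() {
  out=""
  for p in "$@"; do
    out="${out:+$out,}$p"
  done
  printf '%s\n' "$out"
}

# Turn a JSON string array such as ["default","pol1"] into one name per line.
policies_from_json() {
  printf '%s\n' "$1" | tr -d '[]" ' | tr ',' '\n' | sed '/^$/d'
}

# Exit 0 when the JSON list contains the named policy exactly (no substring match,
# so "pol1" does not match "pol12").
has_policy() {
  policies_from_json "$1" | grep -qx "$2"
}

# Replace the role's policy list with the given set (unspecified role fields keep
# their current values on an existing role).
update_role_policies() {
  role=$1; shift
  vault write "auth/approle/role/$role" "token_policies=$(join_policies "$@")"
}

# Read back the role's token_policies as a JSON array.
role_policies_json() {
  vault read -format=json -field=token_policies "auth/approle/role/$1"
}

# Log in with an existing credential pair and return the token's policy list.
# Policies are resolved from the role at login time, so no new credentials are
# needed for the token to pick up the updated list.
login_policies_json() {
  vault write -format=json -field=policies auth/approle/login \
    role_id="$1" secret_id="$2"
}

# The live part only runs when a Vault CLI and server address are available.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  update_role_policies "$ROLE" pol1 pol2
  role_json=$(role_policies_json "$ROLE")
  has_policy "$role_json" pol2 && echo "role now carries pol2: $role_json"

  ROLE_ID=$(vault read -field=role_id "auth/approle/role/$ROLE/role-id")
  # Reuse an existing secret-id via $SECRET_ID; otherwise mint one for the demo.
  SECRET_ID=${SECRET_ID:-$(vault write -f -field=secret_id "auth/approle/role/$ROLE/secret-id")}
  token_json=$(login_policies_json "$ROLE_ID" "$SECRET_ID")
  has_policy "$token_json" pol2 && echo "fresh login token has pol2: $token_json"
fi
```

Tokens issued before the update keep their original policy list for the rest of their TTL, as the reply above notes; with short-lived AppRole tokens that window closes on the next renewal cycle or re-login.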