Quick question: Can I add policies to an existing approle, and will the existing role-ID/secret-ID pairs be able to issue tokens with those new policies?
I.e. I have created a “testrole” with
vault write auth/approle/role/testrole policies=pol1 secret_id_num_uses=0
I use that approle for a while and realize I forgot that a second policy “pol2” is needed.
Can I, after the fact, just do:
vault write auth/approle/role/testrole policies=pol2
vault write auth/approle/role/testrole policies=pol1,pol2
vault write auth/approle/role/testrole policies=[pol1,pol2]
vault write auth/approle/role/testrole policies=pol1 policies=pol2
(I’m not even sure on the correct syntax here, please tell me which is correct.)
And then new tokens created with pre-existing role-ID + secret-ID pairs will be able to use pol2 as well?
Also what’s the difference between
token_policies in this output:
$ vault read auth/approle/role/testrole
^ this is the correct syntax.
token_policies are the policies attached to the token itself (typically via the role settings). There’s a field not displayed here, as it’s not in use, called
identity_policies, which would be policies applied from Identity Entities and Identity Groups.
policies is the cumulative list of
We should mention that modifying the policies of an auth method does not change any tokens already created via that auth method. However, modifying an existing policy itself (adding, changing, or deleting rules in the one policy that the token is based off of) does have an impact on the capabilities of the token.
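To make the two points in this thread concrete (the comma-separated list replaces the role's policy list and only logins after the change pick it up, while editing the rules of a policy affects every token that names that policy), here is an added model, not Vault's own code and not from any post in this thread, of how a token holds policy names captured at login and resolves them against the policy store on each request. The role name, policy names, paths and rules are constructed for the example; `token_policies` is the current parameter name on AppRole roles and `policies` is its older alias.

```python
import itertools
from dataclasses import dataclass

# Constructed policy store for the example: policy name -> {path pattern: capabilities}.
# In Vault a trailing "*" is a prefix glob; only that form is modelled here.
POLICIES = {
    "default": {"auth/token/lookup-self": {"read"}},
    "pol1": {"secret/data/app/*": {"read"}},
    "pol2": {"secret/data/shared/*": {"read", "list"}},
}


@dataclass
class Token:
    accessor: str
    token_policies: list  # policy *names* captured at login, never the rules themselves


class VaultModel:
    """Minimal model of role -> token -> policy resolution (an illustration, not Vault's code)."""

    def __init__(self, policies):
        self.policies = {name: dict(rules) for name, rules in policies.items()}
        self.roles = {}
        self._seq = itertools.count(1)

    def write_role(self, role, token_policies):
        # vault write auth/approle/role/<role> token_policies=pol1,pol2
        # The comma-separated list *replaces* the field; writing only pol2 would drop pol1.
        names = {p.strip() for p in token_policies.split(",") if p.strip()}
        names.add("default")  # attached unless token_no_default_policy=true
        self.roles[role] = sorted(names)  # Vault stores the list deduplicated and sorted

    def login(self, role):
        # The role_id/secret_id pair is unchanged; the token snapshots the role's current names.
        return Token(f"accessor-{next(self._seq)}", list(self.roles[role]))

    def write_policy(self, name, rules):
        # vault policy write <name> <file>: replaces the rules behind an existing name
        self.policies[name] = dict(rules)

    def capabilities(self, token, path):
        # Resolved at request time from the current policy store, so a policy edit
        # is visible to every token that names that policy, old or new.
        caps = set()
        for name in token.token_policies:
            for pattern, rule_caps in self.policies.get(name, {}).items():
                if pattern.endswith("*"):
                    matched = path.startswith(pattern[:-1])
                else:
                    matched = path == pattern
                if matched:
                    caps |= rule_caps
        return caps or {"deny"}


def demo():
    v = VaultModel(POLICIES)
    v.write_role("testrole", "pol1")
    old = v.login("testrole")               # token issued before the role was changed
    v.write_role("testrole", "pol1,pol2")   # add pol2 after the fact, same credentials
    new = v.login("testrole")
    shared = "secret/data/shared/team1"     # constructed path covered only by pol2
    result = {
        "old_token_policies": old.token_policies,
        "new_token_policies": new.token_policies,
        "old_reads_shared": "read" in v.capabilities(old, shared),
        "new_reads_shared": "read" in v.capabilities(new, shared),
    }
    # Now edit pol1 itself: the old token names pol1, so it gains the access immediately.
    v.write_policy("pol1", {"secret/data/app/*": {"read"}, "secret/data/shared/*": {"read"}})
    result["old_reads_shared_after_pol1_edit"] = "read" in v.capabilities(old, shared)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real Vault the same sequence is `vault write auth/approle/role/testrole token_policies=pol1,pol2`, a fresh `vault write auth/approle/login role_id=... secret_id=...` with the existing pair, and `vault token lookup` on the new token to confirm the list; `vault token capabilities <token> <path>` shows the resolved capabilities for a given token. Note that writing `policies=pol2` on its own replaces the list rather than appending to it, which is why the comma-separated form is the one to use.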
Thanks Aram, with approle that is fine, since I was talking about new tokens. Approle tokens are supposed to be short-lived, so a small transition period is okay for me. I just didn’t want to redeploy things with a completely new role-id and secret-id just because I forgot a policy.