Update an approle

Quick question: Can I add policies to an existing approle and will the existing role-ID/secret-ID pairs be able to issue tokens with that new policies?

I.e. I have created a “testrole” with

vault write auth/approle/role/testrole policies=pol1 secret_id_num_uses=0

I use that approle for a while and realize, I forgot a second policy “pol2” is needed.

Can I, after the fact, just do:

vault write auth/approle/role/testrole policies=pol2
# or
vault write auth/approle/role/testrole policies=pol1,pol2
# or
vault write auth/approle/role/testrole policies=[pol1,pol2]
# or
vault write auth/approle/role/testrole policies=pol1 policies=pol2

(I’m not even sure on the correct syntax here, please tell me which is correct.)
And then new tokens created with pre-existing role-ID + secret-ID pairs will be able to use pol2 as well?

Also what’s the difference between policies and token_policies in this output:

$ vault read auth/approle/role/testrole
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
period                     8h
policies                   [pol1]
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     48h
token_max_ttl              24h
token_no_default_policy    false
token_num_uses             0
token_period               8h
token_policies             [pol1]
token_ttl                  8h
token_type                 default

^ this is the correct syntax.

token_policies are the policies attached to the token itself (typically via the role settings). There’s a field not displayed here as it’s not in use called identity_policies which would be policies applied from Identity Entities and Identity Groups. policies is the cumulative list of token_policies and identity_policies.


We should mention that modifying the policies of an auth method does not change any tokens already created via that auth method. However modifying an existing policy (add, change, deleting) actual policies in that one policy that the token is based off does have an impact on the capabilities of the token.

Thanks Aram, with approle that is fine, since I was talking about new tokens. Approle tokens are supposed to be short-lived, so a small transition period is okay for me. Just didn’t want to redeploy things with completely new role-id and secret-id just because I forgot a policiy.