Using "denied_parameters" on Vault Token auth method (API) to deny token for specific policy when capabilities contain sudo

Hi Everyone!

Is it possible to give a policy-token sudo rights for creating new tokens and thereby deny a specific policy? That is, it can create a token for all existing policies except a specific one, called here admin_super?

We tried the following policy, but unfortunately it's not working…

path "auth/token/create" {
  capabilities = ["create", "update", "delete", "sudo"]
  denied_parameters = {
    "policies" = ["admin_super"]
  }
}

When creating a token based on this policy, the token is still able to create an admin_super token via
$ vault token create -policy=admin_super -ttl=50h …

Thanks and all the best!


The *_parameters parameters only work against string values, they get ignored for lists, objects, maps, etc.

If you’re an enterprise customer, then Sentinel would be the way to go to achieve your goal.
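As an added illustration of the Sentinel route suggested above (this is not code from the thread or from HashiCorp), here is an endpoint-governing policy (EGP) that refuses any token-create request whose requested policy list includes admin_super. It assumes Vault Enterprise with Sentinel enabled; the policy name `deny-admin-super-tokens`, the file name and the exact list of protected paths are assumptions for the example.

```sentinel
# Added example, not from the original thread.
# Vault Enterprise EGP: block handing out the "admin_super" policy through
# the token-create endpoints, regardless of the caller's ACL capabilities
# (including "sudo"), by attaching it with hard-mandatory enforcement.

import "strings"
import "types"

# Policy that must never be granted via auth/token/create* (assumed name)
forbidden_policy = "admin_super"

# "policies" may be absent (token inherits the caller's policies), a list
# (what the CLI sends for -policy=...), or a comma-separated string when
# called through the raw API. Normalise all three into a list.
raw_policies = request.data.policies else []

requested = func() {
	if types.type_of(raw_policies) is "string" {
		return strings.split(raw_policies, ",")
	}
	return raw_policies
}

# Vault lower-cases policy names on write, so compare case-insensitively
# and ignore surrounding whitespace from comma-separated input.
requests_forbidden_policy = rule {
	any requested() as p {
		strings.to_lower(strings.trim_space(p)) is forbidden_policy
	}
}

# The request passes only when admin_super is not among the requested
# policies. Everything else is left to the normal ACL checks.
main = rule {
	not requests_forbidden_policy
}
```

Register it against every token-creating path, not only `auth/token/create`, for example with `vault write sys/policies/egp/deny-admin-super-tokens policy=@deny_admin_super.sentinel enforcement_level=hard-mandatory paths="auth/token/create,auth/token/create/*,auth/token/create-orphan"`. With hard-mandatory enforcement the ACL-level `sudo` capability cannot override the denial, which is the behaviour the original `denied_parameters` attempt was after.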

Thanks for the feedback!!