Vault CLI: how to create orphan token with role

I’m trying to create an orphan token from the vault cli. If I run
vault token create -orphan
I get an orphan as planned.

However, if I add a role
vault token create -orphan -role=my-role
the new token won’t be an orphan.

What is the correct way to create an orphan token with attached role from the CLI?

A token has policies. It usually gets those policies from roles in the auth backend, but when you create a token from another, the original context (with the roles) is not available anymore.

Just specify the policies you want attached to your token:

vault token create -orphan -policy my-policy -ttl 30m

Setting the TTL is optional, but a good practice for orphan tokens. The policies must be a subset of the policies of the current token, unless the current token is root.

Thanks for the response, @ixe013. The reason I’m using a role is because it has CIDR restrictions. I have tried
vault token create -policy my-policy -token_bound_cidrs "192.168.1.0/24", but get the following error:
flag provided but not defined: -token_bound_cidrs.

Is there a way to add CIDR restrictions without using a role?

Indeed, CIDR is not a valid flag for token creation.

Maybe the CIDR restrictions are carried over the original token? Other than that, I don’t know.

When you create the token role, my-role, simply set the orphan key to true:

$ vault write auth/token/roles/my-role allowed_policies=my-policies orphan=true token_bound_cidrs="<cidr 1>,<cidr 2>"

And then when you create the token, it will be an orphan:

$ vault token create -field=token -role=my-role
<token value>
$ vault token lookup <token value>
...
orphan        true
...
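The procedure from the answer above, end to end, as an added shell example that is not part of the original thread. It assumes VAULT_ADDR and VAULT_TOKEN already point at a Vault server you may administer (a `vault server -dev` instance works); the role name, policy name and CIDRs are placeholders. The `check_lookup` function reads the text printed by `vault token lookup` and succeeds only if the token is an orphan and carries at least one bound CIDR; the `bound_cidrs` field name in the lookup output and the sample lookup text used to exercise it are my assumptions, not output captured from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: make a token role mint orphan,
# CIDR-bound tokens, mint one, and verify it with `vault token lookup`.
# Assumes VAULT_ADDR and VAULT_TOKEN point at a Vault you may administer
# (e.g. `vault server -dev`). Role, policy and CIDRs are placeholders.
set -eu

ROLE="${ROLE:-my-role}"
POLICY="${POLICY:-my-policy}"
CIDRS="${CIDRS:-192.168.1.0/24,10.0.0.0/8}"

# Step 1: orphan-ness and the CIDR restriction are properties of the role.
# `vault token create -role=...` has no CIDR flag and ignores -orphan,
# so both settings must live on the role.
create_role() {
  vault write "auth/token/roles/${ROLE}" \
    allowed_policies="${POLICY}" \
    orphan=true \
    token_bound_cidrs="${CIDRS}" \
    token_ttl=30m
}

# Step 2: mint a token from the role. -field=token prints only the token.
mint_token() {
  vault token create -field=token -role="${ROLE}"
}

# Offline check on the table output of `vault token lookup <token>`.
# Returns 0 only if orphan is true AND at least one bound CIDR is present
# (the field name bound_cidrs is an assumption). Reads lookup text on stdin.
check_lookup() {
  out=$(cat)
  orphan=$(printf '%s\n' "$out" | awk '$1 == "orphan" { print $2 }')
  cidrs=$(printf '%s\n' "$out" |
    awk '$1 == "bound_cidrs" { sub(/^[^ \t]+[ \t]+/, ""); print }')
  [ "$orphan" = "true" ] || return 1
  case "$cidrs" in
    "" | "[]") return 1 ;;
  esac
  return 0
}

# Step 3: run against a live Vault with `./orphan_role.sh run`.
# Without the argument the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
  create_role
  token=$(mint_token)
  if vault token lookup "$token" | check_lookup; then
    echo "ok: token from role ${ROLE} is an orphan bound to ${CIDRS}"
  else
    echo "FAIL: token is not an orphan or has no bound CIDRs" >&2
    exit 1
  fi
fi
```

Run it as `./orphan_role.sh run` against a live Vault; with no argument it only defines the functions, so it can be sourced. The check deliberately fails on a token that is an orphan but has an empty CIDR list, since that is exactly the case a role created without token_bound_cidrs would produce.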