Vault cli: how to create orphan token with role

I’m trying to create an orphan token from the vault cli. If I run
vault token create -orphan
I get an orphan as planned.

However, if I add a role
vault token create -orphan -role=my-role
the new token won’t be an orphan.

What is the correct way to create an orphan token with attached role from the CLI?

A token has policies. It usually gets those policies from roles in the auth backend but when you create a token from another, the original context (with the roles) is not available anymore.

Just specify the policies you want attached to your token:

vault token create -orphan -policy my-policy -ttl 30m

Setting the TTL is optional, but a good practice for orphan tokens. The policies must be a subset of the policies of the current token, unless the current token is root.

Thanks for the response, @ixe013. The reason I’m using a role is because it has CIDR restrictions. I have tried
vault token create -policy my-policy -token_bound_cidrs "", but get the following error:
flag provided but not defined: -token_bound_cidrs.

Is there a way to add CIDR restrictions without using a role?

Indeed, CIDR are not a valid flag for token creation.

Maybe the CIDR restrictions are carried over the original token? Other than that, I don’t know.

When you create the token role, my-role, simply set the orphan key to true:

$ vault write auth/token/roles/my-role allowed_policies=my-policies orphan=true -token_bound_cidrs="<cidr 1>,<cidr 2>"

And then when you create the token, it will be an orphan:

$ vault token create -field=token -role=my-role
<token value>
$ vault token lookup <token value>
orphan        true
1 Like