Vault token create -policy=my-policy permission denied to policy

I created the policy with the following command:

vault policy write my-policy -<<EOF
path "secret/data/myproj/*" {
  capabilities = ["read","list"]
}
EOF

Result:

Success! Uploaded policy: my-policy

Then I did:

vault token create -policy=my-policy

Result:

Key Value
token hvs.CAESIAzkUstjxJI7oY_NVVywwIhWGbgmd8HljnPSeAbCpXVAGh4KHGh2cy41e
token_accessor YxDVCl612n9IjujX9Zp
token_duration 768h
token_renewable true
token_policies [“default” “my-policy”]
identity_policies
policies [“default” “my-policy”]

Subsequently, I logged in with the new token

vault login hvs.CAESIAzkUstjxJI7oY_NVVywwIhWGbgmd8HljnPSeAbCpXVAGh4KHGh2cy41e

Result:

Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.

Key Value
token hvs.CAESIAzkUstjxJI7oY_NVVywwIhWGbgmd8HljnPSeAbCpXVAGh4KHGh2cy41e
token_accessor YxDVCl612n9IjujX9Zp
token_duration 768h
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]

But trying to read the policy with the following command:

vault policy read my-policy

I get:

Error reading policy named my-policy: Error making API request.

URL: GET https://127.0.0.1:8200/v1/sys/policies/acl/my-policy
Code: 403. Errors:

* 1 error occurred:
	* permission denied

The policy on the token does not allow for reading the policy, only reading the secrets located at secret/data/myproj/*. You need to add an appropriate policy to allow the token read permissions.

To output the necessary policy needed, run:

$ vault policy read -output-policy my-policy

path "sys/policies/acl/my-policy" {
  capabilities = ["read"]
}

Technically there is an internal path that can pull the resulting token ACL, if the default policy is attached. But be careful as the format may change at any time.

This is the specific entry in the default policy. Use at your own risk!

# Allow a token to look up its resultant ACL from all policies. This is useful
# for UIs. It is an internal path because the format may change at any time
# based on how the internal ACL features and capabilities change.
path "sys/internal/ui/resultant-acl" {
  capabilities = ["read"]
}
$ vault read -format=json -field=data sys/internal/ui/resultant-acl
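Putting the fix together against a dev server, as an added example that is not part of this thread: a script that writes a policy carrying both the secret grant and the `sys/policies/acl/my-policy` read, mints a child token with that policy, and checks what the child token can do with `vault token capabilities` before calling `vault policy read`. It assumes `vault` is on PATH, that VAULT_ADDR and VAULT_TOKEN point at a server started with `vault server -dev` (root token, KV v2 mounted at secret/), and that the policy is still called my-policy; the `policy_hcl`, `child_caps` and `demo` function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not code from the original thread. Assumes a running
# `vault server -dev` reachable via VAULT_ADDR/VAULT_TOKEN (root token).
set -eu

POLICY_NAME="my-policy"   # policy name used in the thread

# Emit the policy HCL. Compared with the original policy it adds the
# sys/policies/acl/<name> read that "vault policy read <name>" hits.
policy_hcl() {
  cat <<EOF
# Secrets the application token actually needs.
path "secret/data/myproj/*" {
  capabilities = ["read", "list"]
}

# Lets the token read its own policy document and nothing else under
# sys/policies/acl (no glob, so default and other policies stay denied).
path "sys/policies/acl/${POLICY_NAME}" {
  capabilities = ["read"]
}
EOF
}

# Report the capabilities a given token has on a path, without touching the
# token helper (VAULT_TOKEN is set only for this one command).
child_caps() {
  VAULT_TOKEN="$1" vault token capabilities "$2"
}

# Full walkthrough against the dev server; skipped when vault is not installed.
demo() {
  if ! command -v vault >/dev/null 2>&1; then
    echo "vault CLI not found; skipping live demo" >&2
    return 0
  fi

  policy_hcl | vault policy write "$POLICY_NAME" -

  # Optional: have Vault print the policy a "policy read" request needs
  # (the same check the answer above suggests).
  vault policy read -output-policy "$POLICY_NAME"

  # Mint a child token that carries only default + my-policy.
  CHILD_TOKEN=$(vault token create -policy="$POLICY_NAME" -field=token)

  # Expected: "read" on its own policy, "deny" on a policy it was not granted.
  child_caps "$CHILD_TOKEN" "sys/policies/acl/$POLICY_NAME"
  child_caps "$CHILD_TOKEN" "sys/policies/acl/default"

  # Now the call that returned 403 in the question succeeds.
  VAULT_TOKEN="$CHILD_TOKEN" vault policy read "$POLICY_NAME"
}

demo
```

Passing the child token through VAULT_TOKEN rather than `vault login` keeps the root token in the helper, so you do not have to log in again to repair the policy when the capabilities check comes back `deny`.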