Vault has confusingly too many APIs for renewing tokens.
The CLI command vault token renew (no parameters) calls the API path auth/token/renew-self, which is allowed by default.
However, the CLI command vault token renew SOME_TOKEN_HERE calls the API path auth/token/renew, which is not allowed unless you’ve written a custom policy to allow it.
This distinction is weird, since if you possess the token, you could just send it to the auth/token/renew-self endpoint anyway, so the tighter restrictions on auth/token/renew are a pitfall for new users, without any reason I can see.
Anyway, short version: set the VAULT_TOKEN environment variable and do NOT pass the token value on the command line.
4 - Define the variable with the root token to grant access to create new tokens:
export VAULT_TOKEN=root_token
5 - I created the new token with the policy that I had created previously, but as a token without max_ttl so that it can be renewed indefinitely:
vault token create -policy="policy" -period=30m
After these steps, I managed to create new tokens on my VAULT server and also managed to renew them, remembering that I can only renew them before they have expired.
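
The two posts above combine into a small renewal helper: the token is supplied through VAULT_TOKEN so the CLI uses the renew-self path, and the renewal runs before the token expires. This is an added example, not code from either poster; TOKEN_FILE, the function names and the half-period threshold are assumptions, and it expects the vault CLI on PATH with VAULT_ADDR set.

```shell
#!/bin/sh
# Added example, not from the thread. TOKEN_FILE is a hypothetical path
# holding the periodic token created with "vault token create -period=30m".
TOKEN_FILE=${TOKEN_FILE:-$HOME/.vault-periodic-token}

# Renew the token the CLI authenticates as. With no token argument the CLI
# calls auth/token/renew-self, which the default policy allows.
renew_self() {  # arg: increment, e.g. 30m
  VAULT_TOKEN=$(cat "$TOKEN_FILE") vault token renew -increment="$1" -format=json
}

# Remaining TTL in seconds, from "vault token lookup" with no token argument.
# The leading quote in the pattern skips creation_ttl and explicit_max_ttl.
remaining_ttl() {
  VAULT_TOKEN=$(cat "$TOKEN_FILE") vault token lookup -format=json |
    sed -n 's/.*"ttl":[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# True when less than half of the period is left (threshold is an assumption).
needs_renewal() {  # args: ttl_seconds period_seconds
  [ "$1" -lt $(( $2 / 2 )) ]
}

# One pass: renew if due. Returns 2 when the lookup yields no TTL, which is
# what happens once the token has expired; it can no longer be renewed then.
keep_alive() {  # arg: period in seconds, 1800 for -period=30m
  ttl=$(remaining_ttl)
  if [ -z "$ttl" ]; then
    echo "token lookup failed: expired or revoked, create a new token" >&2
    return 2
  fi
  if needs_renewal "$ttl" "$1"; then
    renew_self "${1}s" >/dev/null
  fi
}

# Run as "script.sh --loop" to check every 5 minutes until renewal fails.
if [ "${1:-}" = "--loop" ]; then
  while keep_alive 1800; do sleep 300; done
fi
```
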