Why auth/approle/login policy?

In all the documentation we found around AppRole, we found the following policy entry:

# Login with AppRole
path "auth/approle/login" {
  capabilities = [ "create", "read" ]
}

Could someone please shed some light on what this policy does?
Because one can log in without this policy…

ref: https://learn.hashicorp.com/vault/identity-access-management/iam-authentication

You’re totally right: the policy you’re mentioning isn’t necessary to authenticate to Vault using AppRole. More generally, the login operation is by definition an unauthenticated Vault operation, which in itself isn’t associated with a policy.

– Sebastien Braun