I am using HashiCorp Vault and noticed a behaviour with tokens that I cannot explain. After the first setup I receive a root token. With this I log in and create a new policy for additional tokens:

path "cubbyhole/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

path "kv/*" {
  capabilities = ["read"]
}

I can now create a new token via the CLI:

$ vault token create -policy=my_policy
Key                  Value
---                  -----
token                hvs.CAESIDXlXz-Gd....FnZFVmMlM
token_accessor       aiqjgtBPCA...Vd4sFX9Fpg
token_duration       768h
token_renewable      true
token_policies       ["default" "my_policy"]
identity_policies    []
policies             ["default" "my_policy"]

The problem is that the root token and the new token seem to live in completely different namespaces, as they can't see each other's keys. Meaning, even if I create a new secret key in cubbyhole with the new token, root can't see it. Why is that? Thanks!

TLDR:

Secrets created with a token that has a different policy than root are not visible with the root token. Isn't that the purpose of a root token, to see everything?
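The behaviour described above, as an added in-memory model (not Vault's own code): Vault resolves `cubbyhole/*` against the calling token, so even root only ever sees its own cubbyhole, while `kv/*` is one shared backend gated by policy. The policy rules are the question's `my_policy` plus Vault's built-in `default` policy; the `Token`, `access` and `demo` names and the accessor strings are constructed for the illustration.

```python
from dataclasses import dataclass, field
ALL_CAPS = {"create", "read", "update", "delete", "list"}
# Rules as Vault parses them: my_policy from the question, plus the
# built-in "default" policy, which is what gives every token a cubbyhole.
POLICIES = {
    "my_policy": {"cubbyhole/*": set(ALL_CAPS), "kv/*": {"read"}},
    "default": {"cubbyhole/*": set(ALL_CAPS)},
}
SHARED_KV = {}  # the kv backend: one tree, visible to any token whose policy allows it

@dataclass
class Token:
    accessor: str
    policies: list
    cubbyhole: dict = field(default_factory=dict)  # reachable only via this token

def allowed(token, path, cap):
    """Root grants everything; otherwise an attached policy must grant `cap`
    on a rule matching `path` (exact match or trailing '*' glob)."""
    if "root" in token.policies:
        return True
    for name in token.policies:
        for rule, caps in POLICIES.get(name, {}).items():
            hit = path.startswith(rule[:-1]) if rule.endswith("*") else path == rule
            if hit and cap in caps:
                return True
    return False

def access(token, path, cap, value=None):
    """Write (cap='create') or read (cap='read') a path as `token`.
    cubbyhole/* resolves against the calling token, never a global tree."""
    if not allowed(token, path, cap):
        raise PermissionError(f"{path}: permission denied")
    store = token.cubbyhole if path.startswith("cubbyhole/") else SHARED_KV
    if cap == "create":
        store[path] = value
    return store.get(path)

def demo():
    root = Token("root-accessor", ["root"])                      # constructed
    app = Token("app-accessor", ["default", "my_policy"])        # constructed
    access(app, "cubbyhole/db", "create", "s3cret")   # lands in app's cubbyhole
    access(root, "kv/shared", "create", "visible")    # lands in the shared kv tree
    return {
        "root_sees_app_cubbyhole": access(root, "cubbyhole/db", "read"),  # None
        "app_sees_own_cubbyhole": access(app, "cubbyhole/db", "read"),    # "s3cret"
        "app_sees_kv": access(app, "kv/shared", "read"),                  # "visible"
        "app_can_write_kv": allowed(app, "kv/other", "create"),           # False
    }
```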
