I am using Hashicorp Vault and noticed a behaviour with tokens that I cannot explain. After the first setup I receive a root token. With this I log in and create a new policy for additional tokens:
```hcl
path "cubbyhole/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv/*" {
  capabilities = ["read"]
}
```
I can now create a new token via the CLI:
```
$ vault token create -policy=my_policy
Key                  Value
---                  -----
token                hvs.CAESIDXlXz-Gd....FnZFVmMlM
token_accessor       aiqjgtBPCA...Vd4sFX9Fpg
token_duration       768h
token_renewable      true
token_policies       ["default" "my_policy"]
identity_policies    []
policies             ["default" "my_policy"]
```
The problem: it seems that the root token and the new token live in completely different namespaces, as they can't see each other's keys. Meaning, even if I create a new secret key in cubbyhole with the new token, root can't see it. Why is that? Thanks!
TLDR:
Secrets created with a token that has a different policy than root are not visible with the root token. Isn't that the purpose of a root token, to see everything?