Skip to content

Commit

Permalink
Clarify the distinction between token and identity policies.
Browse files Browse the repository at this point in the history
  • Loading branch information
ncabatoff committed Jan 10, 2022
1 parent 6c6c99e commit ff556b7
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions website/content/docs/concepts/policies.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -717,14 +717,22 @@ authenticated user.

### Tokens

Tokens have two sets of policies: identity policies, which are computed
based on the entity and its groups, and token policies, which are either defined
based on the login method or, in the case of explicit token creates via the API,
are an input to the token creation. What follows concerns token policies
exclusively: a token's identity policies cannot be controlled except by modifying
the underlying entities, groups, and group memberships.

Tokens are associated with their policies at creation time. For example:

```shell-session
$ vault token create -policy=dev-readonly -policy=logs
```

Child tokens can be associated with a subset of a parent's policies. Root users
can assign any policies.
Normally the only policies that may be specified are those which are present
in the current token's (i.e. the new token's parent's) token policies.
However, root users can assign any policies.

There is no way to modify the policies associated with a token once the token
has been issued. The token must be revoked and a new one acquired to receive a
Expand Down

0 comments on commit ff556b7

Please sign in to comment.