The `token create` command creates a new token that can be used for authentication. This token will be created as a child of the currently authenticated token. The generated token will inherit all policies and permissions of the currently authenticated token unless you explicitly define a subset list of policies to assign to the token.

A TTL can also be associated with the token. If a TTL is not associated with the token, then it cannot be renewed. If a TTL is associated with the token, it will expire after that amount of time unless it is renewed.

Metadata associated with the token (specified with `-metadata`) is written to the audit log when the token is used.

If a role is specified, the role may override parameters specified here.
Create a token attached to specific policies:

```shell-session
$ vault token create -policy=my-policy -policy=other-policy
Key                Value
---                -----
token              95eba8ed-f6fc-958a-f490-c7fd0eda5e9e
token_accessor     882d4a40-3796-d06e-c4f0-604e8503750b
token_duration     768h
token_renewable    true
token_policies     [default my-policy other-policy]
```

Create a periodic token:

```shell-session
$ vault token create -period=30m
Key                Value
---                -----
token              fdb90d58-af87-024f-fdcd-9f95039e353a
token_accessor     4cd9177c-034b-a004-c62d-54bc56c0e9bd
token_duration     30m
token_renewable    true
token_policies     [my-policy]
```
## Usage

The following flags are available in addition to the standard set of flags included on all commands.

### Output options

- `-field` `(string: "")` - Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline, making it ideal for piping to other processes.

- `-format` `(string: "table")` - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the `VAULT_FORMAT` environment variable.
### Command options

- `-display-name` `(string: "")` - Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes).

- `-entity-alias` `(string: "")` - Name of the entity alias to associate with during token creation. Only works in combination with the `-role` argument, and the entity alias used must be listed in `allowed_entity_aliases`. If this has been specified, the entity will not be inherited from the parent.

- `-explicit-max-ttl` `(duration: "")` - Explicit maximum lifetime for the token. Unlike normal TTLs, the maximum TTL is a hard limit and cannot be exceeded. Uses duration format strings.

- `-id` `(string: "")` - Value for the token. By default, this is an auto-generated value. Specifying this value requires sudo permissions.

- `-metadata` `(k=v: "")` - Arbitrary key=value metadata to associate with the token. This metadata will show in the audit log when the token is used. This can be specified multiple times to add multiple pieces of metadata.

- `-no-default-policy` `(bool: false)` - Detach the "default" policy from the policy set for this token.

- `-orphan` `(bool: false)` - Create the token with no parent. This prevents the token from being revoked when the token which created it expires. Setting this value requires sudo permissions.

- `-period` `(duration: "")` - If specified, every renewal will use the given period. Periodic tokens do not expire as long as they are actively being renewed (unless `-explicit-max-ttl` is also provided). Setting this value requires sudo permissions. Uses duration format strings.

- `-policy` `(string: "")` - Name of a policy to associate with this token. This can be specified multiple times to attach multiple policies.

- `-renewable` `(bool: true)` - Allow the token to be renewed up to its maximum TTL.

- `-role` `(string: "")` - Name of the role to create the token against. Specifying `-role` may override other arguments. The locally authenticated Vault token must have permission for `auth/token/create/<role>`.

- `-ttl` `(duration: "")` - Initial TTL to associate with the token. Token renewals may be able to extend beyond this value, depending on the configured maximum TTLs. Uses duration format strings.

- `-type` `(string: "service")` - The type of token to create. Can be "service" or "batch".

- `-use-limit` `(int: 0)` - Number of times this token can be used. After the last use, the token is automatically revoked. By default, tokens can be used an unlimited number of times until their expiration.

- `-wrap-ttl` `(duration: "")` - Wraps the response in a cubbyhole token with the requested TTL. The response is available via the `vault unwrap` command. The TTL is specified as a numeric string with a suffix like "30s" or "5m". This can also be specified via the `VAULT_WRAP_TTL` environment variable.
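The description at the top of this page and the flag list above together define a small set of lifecycle rules: a child inherits its parent's policies unless a subset is named, "default" is attached unless `-no-default-policy` is given, a token with no TTL cannot be renewed, `-period` and `-orphan` need sudo, a periodic token gets a fresh period on every renewal but `-explicit-max-ttl` is a hard ceiling, and `-use-limit` revokes the token after its last use. The following simulation, written for this page and not taken from Vault's own code, encodes those rules so they can be exercised offline. Its simplifications are assumptions of the model: a `sudo` attribute on a token stands in for holding sudo on `auth/token/create`, a parent carrying the `root` policy may assign any policy, and renewing a non-periodic token without an increment restores its initial TTL.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Duration strings in the form accepted by -ttl, -period, -explicit-max-ttl and -wrap-ttl.
_DURATION = re.compile(r"^(\d+)([smh])$")
_UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(text: str) -> int:
    """Return the number of seconds in a duration string such as "30s", "5m" or "768h"."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"invalid duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


@dataclass
class Token:
    """Simplified token record for this simulation (not Vault's internal structure)."""
    policies: List[str]
    ttl: Optional[int] = None          # seconds left; None means no TTL (and so not renewable)
    renewable: bool = False
    initial_ttl: Optional[int] = None
    explicit_max_ttl: Optional[int] = None
    period: Optional[int] = None
    use_limit: int = 0                 # 0 = unlimited uses
    orphan: bool = False
    sudo: bool = False                 # assumption: stands in for sudo on auth/token/create
    age: int = 0                       # seconds since creation
    uses: int = 0
    revoked: bool = False
    children: List["Token"] = field(default_factory=list)


def create_token(parent: Token, policies: Optional[List[str]] = None, ttl: Optional[str] = None,
                 explicit_max_ttl: Optional[str] = None, period: Optional[str] = None,
                 renewable: bool = True, no_default_policy: bool = False,
                 orphan: bool = False, use_limit: int = 0) -> Token:
    """Apply the rules the page states for `vault token create` and return the child token."""
    if parent.revoked:
        raise PermissionError("parent token is revoked")
    if (period or orphan) and not parent.sudo:
        raise PermissionError("-period and -orphan require sudo permissions")
    if policies is None:
        pols = list(parent.policies)                      # inherit the parent's policies
    else:
        not_held = set(policies) - set(parent.policies) - {"default"}
        if not_held and "root" not in parent.policies:    # assumption: root may assign anything
            raise PermissionError(f"not a subset of the parent's policies: {sorted(not_held)}")
        pols = list(policies)
    if not no_default_policy and "default" not in pols:
        pols.insert(0, "default")                         # attached unless -no-default-policy
    seconds = parse_duration(ttl) if ttl else (parse_duration(period) if period else None)
    child = Token(
        policies=pols, ttl=seconds, initial_ttl=seconds,
        renewable=renewable and seconds is not None,      # no TTL means no renewal
        explicit_max_ttl=parse_duration(explicit_max_ttl) if explicit_max_ttl else None,
        period=parse_duration(period) if period else None,
        use_limit=use_limit, orphan=orphan,
    )
    if not orphan:
        parent.children.append(child)                     # non-orphans are revoked with the parent
    return child


def revoke(token: Token) -> None:
    """Revoke a token together with every child that was created without -orphan."""
    token.revoked = True
    for child in token.children:
        revoke(child)


def advance(token: Token, seconds: int) -> None:
    """Let time pass; a token whose TTL runs out expires, cascading to non-orphan children."""
    token.age += seconds
    if token.ttl is not None:
        token.ttl -= seconds
        if token.ttl <= 0 and not token.revoked:
            revoke(token)


def renew(token: Token, increment: Optional[str] = None) -> int:
    """Renew a token and return its new TTL in seconds; raise if the page's rules forbid it."""
    if token.revoked:
        raise PermissionError("token is revoked")
    if token.ttl is None or not token.renewable:
        raise PermissionError("token is not renewable")
    if token.period is not None:
        new_ttl = token.period                            # periodic: fresh period every renewal
    else:
        new_ttl = parse_duration(increment) if increment else token.initial_ttl
    if token.explicit_max_ttl is not None:                # hard ceiling counted from creation
        new_ttl = min(new_ttl, token.explicit_max_ttl - token.age)
        if new_ttl <= 0:
            raise PermissionError("explicit max TTL reached")
    token.ttl = new_ttl
    return new_ttl


def use(token: Token) -> List[str]:
    """Present the token on a request and return its policies; the last permitted use revokes it."""
    if token.revoked:
        raise PermissionError("token is revoked or expired")
    token.uses += 1
    if token.use_limit and token.uses >= token.use_limit:
        revoke(token)
    return list(token.policies)


if __name__ == "__main__":
    root = Token(policies=["root"], sudo=True)
    app = create_token(root, policies=["my-policy", "other-policy"], ttl="768h")  # first page example
    worker = create_token(app, policies=["my-policy"], ttl="30m", use_limit=2, no_default_policy=True)
    print(app.policies, worker.policies, use(worker), use(worker), worker.revoked)
```

Running the script reproduces the policy set from the first example on this page (`['default', 'my-policy', 'other-policy']`) and shows a two-use worker token being revoked on its second use. The practical pattern the model illustrates is to hand short-lived, use-limited, subset-policy children to automation rather than passing the parent token around, and to reserve `-orphan` and `-period` for tokens that genuinely must outlive their creator.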