Dmitriy Gr

Reputation: 43

vault (hashicorp) add new policy to existing users/tokens

I created a user with a policy:

$ vault token create -renewable -policy=admin_policy
Key                  Value
---                  -----
token                s.kG0Kdb8d2DSOUHv3AMzw5tdO
token_accessor       Do57Fg9DpiMv1j6t3oysZoz9
token_duration       900h
token_renewable      true
token_policies       ["admin_policy" "default"]
identity_policies    []
policies             ["admin_policy" "default"]

And now I want to add policy to the token. How should I do it?

Or I created user:

vault write auth/userpass/users/test3 password=test -policy=admin_policy
Success! Data written to: auth/userpass/users/test3

And now I want add a policy to the user:

vault write auth/userpass/users/test3 password=test -policy=admin_policy -policy=crm_sales_policy
Success! Data written to: auth/userpass/users/test3

But nothing has changed.

Upvotes: 4

Views: 13730

Answers (2)

Winkee

Reputation: 61

At first I was also confused about how to update policies on a user, but I found that the document has been updated: the API is /auth/userpass/users/:username/policies, so you can update the policies like this:

vault write auth/userpass/users/bob123/policies policies="foo,bar"

official reference

Upvotes: 5

zie

Reputation: 730

You can't add a policy to an existing token.

So you would have to create a new token with said policy (or policies).

Generally it's better if your upstream auth source (say LDAP, etc.) would handle assigning policies to users, but you are welcome to do it at the Vault level too.

Also note, tokens are tied to their parent, so they expire when their parent token expires, unless you add -orphan.

Tokens generally should not have a very long life. Vault's claim to fame here is that secrets and tokens should be short-lived, so that if they do leak, the harm is minimal.

Upvotes: 1
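The two answers above, carried out against Vault's HTTP API (the same requests the CLI commands send). This is an added example, not code from the question, the answers or HashiCorp, and it encodes the two caveats a practitioner trips over: the users/<name>/policies endpoint from the first answer replaces the whole policy list, so "adding" a policy means reading the current list, taking the union and writing it back; and, as the second answer says, a token's policies cannot be changed, so you mint a replacement token (optionally orphaned, with a short TTL) and revoke the old one. Assumptions: VAULT_ADDR and VAULT_TOKEN come from the environment, the user read reports its policies under token_policies (newer Vault; older versions use the field name policies, as in the first answer), and the responses inside offline_vault() are constructed for this example so it runs without a server.

```python
"""Add policies to a Vault userpass user and to a token via the HTTP API.

Added example (not from the question or answers).  See the lead-in for the
assumptions; offline_vault() returns constructed sample responses.
"""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # placeholder
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")


def http_request(method, path, body=None, opener=urllib.request.urlopen):
    """One authenticated call to Vault; returns the decoded JSON body ({} if empty).
    `opener` is injectable so the logic below can run without a server."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(VAULT_ADDR + "/v1/" + path, data=data, method=method)
    req.add_header("X-Vault-Token", VAULT_TOKEN)
    req.add_header("Content-Type", "application/json")
    raw = opener(req).read()
    return json.loads(raw) if raw else {}


def merge_policies(current, new):
    """Order-preserving union of two policy lists.  'default' is dropped because
    Vault attaches it to every token regardless of what is written."""
    merged = []
    for name in list(current) + list(new):
        if name and name != "default" and name not in merged:
            merged.append(name)
    return merged


def add_policies_to_user(username, new_policies, opener=urllib.request.urlopen):
    """Append policies to a userpass user; returns the full list that was written."""
    data = http_request("GET", f"auth/userpass/users/{username}", opener=opener).get("data", {})
    current = data.get("token_policies") or data.get("policies") or []  # field name varies by version
    merged = merge_policies(current, new_policies)
    # This endpoint overwrites the list, so the union is what must be sent.
    http_request("POST", f"auth/userpass/users/{username}/policies",
                 {"token_policies": merged}, opener=opener)
    return merged


def reissue_token(old_token, new_policies, ttl="1h", orphan=False,
                  opener=urllib.request.urlopen):
    """Mint a token with old_token's policies plus new_policies, revoke old_token,
    and return (new_token, policies).  orphan=True is the CLI's -orphan: the new
    token will not die when the caller's own token expires."""
    current = http_request("POST", "auth/token/lookup", {"token": old_token},
                           opener=opener).get("data", {}).get("policies", [])
    merged = merge_policies(current, new_policies)
    endpoint = "auth/token/create-orphan" if orphan else "auth/token/create"
    # Keep the TTL short: a leaked short-lived token does limited damage.
    created = http_request("POST", endpoint,
                           {"policies": merged, "ttl": ttl, "renewable": True},
                           opener=opener)
    http_request("POST", "auth/token/revoke", {"token": old_token}, opener=opener)
    return created["auth"]["client_token"], merged


def offline_vault():
    """Constructed stand-in for a Vault server: returns (opener, request_log).
    The responses are made up to mirror the question's state: user test3 and
    a token that both carry admin_policy + default."""
    class _Resp:
        def __init__(self, payload):
            self.raw = b"" if payload is None else json.dumps(payload).encode()

        def read(self):
            return self.raw

    log = []

    def opener(req):
        log.append((req.get_method(), req.full_url, req.data))
        if req.full_url.endswith("/auth/userpass/users/test3"):
            return _Resp({"data": {"token_policies": ["admin_policy", "default"]}})
        if req.full_url.endswith("/auth/token/lookup"):
            return _Resp({"data": {"policies": ["admin_policy", "default"]}})
        if req.full_url.endswith(("/auth/token/create-orphan", "/auth/token/create")):
            return _Resp({"auth": {"client_token": "s.replacementtoken"}})  # made-up token
        return _Resp(None)  # 204 No Content for the policies write and the revoke

    return opener, log


if __name__ == "__main__":
    opener, log = offline_vault()
    print(add_policies_to_user("test3", ["crm_sales_policy"], opener=opener))
    print(reissue_token("s.kG0Kdb8d2DSOUHv3AMzw5tdO", ["crm_sales_policy"],
                        orphan=True, opener=opener))
    for method, url, body in log:
        print(method, url, body)
```

Drop the opener= argument to run against a real server with VAULT_ADDR and VAULT_TOKEN exported; the caller's token needs update capability on auth/userpass/users/* and, for the orphan path, access to auth/token/create-orphan. After the write, vault read auth/userpass/users/test3 should list both policies.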
