Vault approle auth forces default policy

When creating a role with the AppRole auth method, I tell Vault to create the generated tokens with the test policy:

vault write auth/approle/role/test \
bind_secret_id=true \
secret_id_num_uses=0 \
token_num_uses=100 \
token_ttl=10m \
token_max_ttl=10m \
policies=test

I got the role ID and secret ID:

vault read auth/approle/role/test/role-id
vault write -f auth/approle/role/test/secret-id

and used them to generate a token:

vault write auth/approle/login \
role_id=a36f3615-9532-983a-991b-f5f4bff9723a \
secret_id=d74458b0-b076-12c6-fc5d-d5f92273ef9d

I got a generated token, and now I inspect it:

  vault token lookup ddfe8514-4a9a-c14b-9179-576db031a137
  Key                 Value
  ---                 -----
  accessor            b8aecbf5-e0d1-d016-1c02-3e1a1fd5098a
  creation_time       1532330714
  creation_ttl        600
  display_name        approle
  entity_id           bcd8a77a-85df-8224-e5ff-9390cae15e25
  expire_time         2018-07-23T09:35:14.579632638+02:00
  explicit_max_ttl    0
  id                  ddfe8514-4a9a-c14b-9179-576db031a137
  issue_time          2018-07-23T09:25:14.579632516+02:00
  meta                map[role_name:test]
  num_uses            100
  orphan              true
  path                auth/approle/login
  policies            [default test]
  renewable           true
  ttl                 580

There it is: the default policy... AppRole has no documentation on how to skip the default policy. Has anyone run into the same problem?
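As an added example (not part of the question or the answer), the following Python parses the `vault token lookup` table shown above and reports any policy attached to the token beyond the ones the role was meant to grant; this is the check to run in a deployment script to confirm whether `default` is still being attached. The sample output is constructed from the page's listing.

```python
"""Parse `vault token lookup` output and flag unexpected policies."""

# Constructed sample, mirroring the lookup output shown in the question
# (the identifiers are the ones printed on the page, not real secrets).
SAMPLE_LOOKUP = """\
Key                 Value
---                 -----
accessor            b8aecbf5-e0d1-d016-1c02-3e1a1fd5098a
creation_ttl        600
display_name        approle
meta                map[role_name:test]
num_uses            100
orphan              true
path                auth/approle/login
policies            [default test]
renewable           true
ttl                 580
"""


def parse_lookup(text: str) -> dict:
    """Turn the two-column CLI table into a dict.

    Values like `[default test]` become lists and `map[k:v]` become dicts,
    matching how the Vault CLI renders them; everything else stays a string.
    """
    result = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue  # skip blank lines and the table header
        key, value = parts[0], parts[1].strip()
        if value.startswith("map[") and value.endswith("]"):
            result[key] = dict(kv.split(":", 1) for kv in value[4:-1].split())
        elif value.startswith("[") and value.endswith("]"):
            result[key] = value[1:-1].split()
        else:
            result[key] = value
    return result


def unexpected_policies(lookup: dict, intended: set) -> set:
    """Policies attached to the token beyond those the role was meant to grant."""
    return set(lookup.get("policies", [])) - intended


if __name__ == "__main__":
    info = parse_lookup(SAMPLE_LOOKUP)
    print("extra policies:", unexpected_policies(info, {"test"}))  # {'default'}
```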

As stated in the official documentation:

The default policy is a builtin Vault policy that cannot be removed. By default, it is attached to all tokens, but may be explicitly excluded at token creation time by supporting authentication methods.

EDIT

According to this post, it's not actually possible to remove the default policy from AppRole. As you said, this could be a feature to be requested for a future version.