Skip to content
Latchkey

vault token create: Issue Vault Tokens

vault token create issues a new token, scoped by policies, TTL, and optional use limits.

Sometimes a pipeline needs to mint a short-lived child token, for example to hand a narrow scope to a sub-step. token create is that tool, with knobs for TTL and one-shot use.

What it does

vault token create generates a token under the caller, attaching the requested policies and lifetime. By default the new token is a child of the caller and is revoked when the parent is; -orphan detaches it. -use-limit caps how many times it can be used.

Common usage

Terminal
vault token create -policy=ci -ttl=15m
# single-use token for one step
vault token create -policy=ci -use-limit=1 -ttl=5m -field=token
# orphan token that outlives its parent
vault token create -orphan -policy=ci -ttl=1h

Options

FlagWhat it does
-policy=<name>Attach a policy; repeat for several
-ttl=<dur>Initial lease TTL (e.g. 15m, 1h)
-use-limit=<n>Maximum number of uses before revocation
-orphanCreate a token with no parent
-period=<dur>Make a periodic (renewable, non-expiring) token
-field=tokenPrint only the token value

In CI

Prefer short -ttl and -use-limit=1 for tokens passed to a single step so an exposed value expires fast. Use -field=token to capture the value without parsing JSON. Avoid -orphan unless the token genuinely must survive the parent, since orphans are not cleaned up automatically.

Common errors in CI

"permission denied" means the caller lacks auth/token/create (the default policy does not grant arbitrary token creation). "cannot create periodic token: permission denied" needs sudo on the create path. Requesting a -ttl above the mount max silently caps it at the max rather than erroring.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →