vault token create: Issue Vault Tokens
vault token create issues a new token, scoped by policies, TTL, and optional use limits.
Sometimes a pipeline needs to mint a short-lived child token, for example to hand a narrow scope to a sub-step. token create is that tool, with knobs for TTL and one-shot use.
What it does
vault token create generates a token under the caller, attaching the requested policies and lifetime. By default the new token is a child of the caller and is revoked when the parent is; -orphan detaches it. -use-limit caps how many times it can be used.
Common usage
vault token create -policy=ci -ttl=15m
# single-use token for one step
vault token create -policy=ci -use-limit=1 -ttl=5m -field=token
# orphan token that outlives its parent
vault token create -orphan -policy=ci -ttl=1hOptions
| Flag | What it does |
|---|---|
| -policy=<name> | Attach a policy; repeat for several |
| -ttl=<dur> | Initial lease TTL (e.g. 15m, 1h) |
| -use-limit=<n> | Maximum number of uses before revocation |
| -orphan | Create a token with no parent |
| -period=<dur> | Make a periodic (renewable, non-expiring) token |
| -field=token | Print only the token value |
In CI
Prefer short -ttl and -use-limit=1 for tokens passed to a single step so an exposed value expires fast. Use -field=token to capture the value without parsing JSON. Avoid -orphan unless the token genuinely must survive the parent, since orphans are not cleaned up automatically.
Common errors in CI
"permission denied" means the caller lacks auth/token/create (the default policy does not grant arbitrary token creation). "cannot create periodic token: permission denied" needs sudo on the create path. Requesting a -ttl above the mount max silently caps it at the max rather than erroring.