Skip to content
Latchkey

vault token lookup: Inspect Token Details

vault token lookup shows a token policies, remaining TTL, accessor, and metadata.

When a CI step gets a 403, the fastest diagnosis is to look up the current token and confirm which policies it actually has. lookup is also how you read the remaining TTL before deciding to renew.

What it does

vault token lookup returns details about a token: its policies, creation and TTL, number of uses left, entity, and accessor. With no argument it looks up the calling token (self). -accessor looks up by accessor without exposing the token value.

Common usage

Terminal
vault token lookup
# check just the policies and ttl as JSON
vault token lookup -format=json | jq '.data.policies, .data.ttl'
# look up another token by its accessor
vault token lookup -accessor hmac-... 

Options

FlagWhat it does
(no arg)Look up the calling token (self)
-accessorLook up by accessor instead of token value
-format=jsonOutput as JSON for scripting

In CI

Run vault token lookup -format=json | jq .data.policies early in a job to assert the login produced the expected policies before later steps fail with 403. Looking up by -accessor lets a monitoring step inspect tokens without ever handling the secret token value.

Common errors in CI

"permission denied" on a self-lookup is unusual because default grants auth/token/lookup-self; if it fails the token may be expired or revoked. "bad token" means VAULT_TOKEN is empty or malformed, typically a login step that did not export the token. Looking up another token (not self) needs the auth/token/lookup capability.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →