vault token lookup: Inspect Token Details
vault token lookup shows a token policies, remaining TTL, accessor, and metadata.
When a CI step gets a 403, the fastest diagnosis is to look up the current token and confirm which policies it actually has. lookup is also how you read the remaining TTL before deciding to renew.
What it does
vault token lookup returns details about a token: its policies, creation and TTL, number of uses left, entity, and accessor. With no argument it looks up the calling token (self). -accessor looks up by accessor without exposing the token value.
Common usage
vault token lookup
# check just the policies and ttl as JSON
vault token lookup -format=json | jq '.data.policies, .data.ttl'
# look up another token by its accessor
vault token lookup -accessor hmac-... Options
| Flag | What it does |
|---|---|
| (no arg) | Look up the calling token (self) |
| -accessor | Look up by accessor instead of token value |
| -format=json | Output as JSON for scripting |
In CI
Run vault token lookup -format=json | jq .data.policies early in a job to assert the login produced the expected policies before later steps fail with 403. Looking up by -accessor lets a monitoring step inspect tokens without ever handling the secret token value.
Common errors in CI
"permission denied" on a self-lookup is unusual because default grants auth/token/lookup-self; if it fails the token may be expired or revoked. "bad token" means VAULT_TOKEN is empty or malformed, typically a login step that did not export the token. Looking up another token (not self) needs the auth/token/lookup capability.