Vault
token capabilities
The token capabilities command fetches the capabilities of a token for a given path.
If you pass a token value as an argument, this command uses the /sys/capabilities endpoint and permission. In the absence of an explicit token value, this command uses the /sys/capabilities-self endpoint and permission with the locally authenticated token.
Examples
List capabilities for the local token on the secret/foo path:
$ vault token capabilities secret/foo
read
The output shows the local token has read permission on the secret/foo path.
List capabilities for a token (hvs.CAESI...WtiSW5mWUY) on the cubbyhole/foo path:
$ vault token capabilities hvs.CAESI...WtiSW5mWUY database/creds/readonly
deny
The output shows the token (hvs.CAESI...WtiSW5mWUY) has no permission to operate on the cubbyhole/foo path.
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.
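Added example (not part of the Vault documentation): a least-privilege check that compares the capabilities reported for a path against an expected set and reports any excess. The function names excess_caps and audit_path are hypothetical, and the script assumes table-format output is a single comma-separated line such as "create, read, update".

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the Vault CLI.

# excess_caps ALLOWED ACTUAL
#   ALLOWED: space-separated capabilities the token is expected to hold.
#   ACTUAL:  one line of table-format output from `vault token capabilities`
#            (assumed comma-separated, e.g. "create, read, update").
# Prints every capability in ACTUAL that is not in ALLOWED; returns 1 if any.
excess_caps() {
    allowed=" $1 "
    extra=""
    for cap in $(printf '%s' "$2" | tr ',' ' '); do
        case "$cap" in
            deny) continue ;;              # deny grants nothing, never an excess
        esac
        case "$allowed" in
            *" $cap "*) ;;                 # expected capability
            *) extra="${extra:+$extra }$cap" ;;   # e.g. "update" or "root"
        esac
    done
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# audit_path ALLOWED PATH [TOKEN]
#   Without TOKEN the locally authenticated token is checked
#   (/sys/capabilities-self); with TOKEN, /sys/capabilities is used.
#   Returns 0 if within ALLOWED, 1 on excess, 2 if the vault command fails.
audit_path() {
    want=$1
    path=$2
    token=${3:-}
    # -format=table is forced so a VAULT_FORMAT setting cannot change the parse.
    if [ -n "$token" ]; then
        actual=$(vault token capabilities -format=table "$token" "$path") || return 2
    else
        actual=$(vault token capabilities -format=table "$path") || return 2
    fi
    excess_caps "$want" "$actual"
}
```

For example, audit_path "read" secret/foo returns 0 for the local token shown in the first example above, and returns 1 and prints the extra capabilities if the token can do more than read on that path.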