hashicorp · im2nguyen · Nov 18, 2024 · Nov 19, 2024 · Nov 19, 2024 · Nov 19, 2024
@@ -8,43 +8,77 @@ description: |-
 
 # token capabilities
 
-The `token capabilities` command fetches the capabilities of a token for a given
-path.
+List the capabilities of a token.
 
-If you pass a token value as an argument, this command uses the
-`/sys/capabilities` endpoint and permission. In the absence of an explicit token
-value, this command uses the `/sys/capabilities-self` endpoint and permission
-with the locally authenticated token.
+<CodeBlockConfig hideClipboard>
+
+```shell-session
+$ vault token capabilities [flags] <token> <path>
+
+$ vault token capabilities [-help | -h]
+```
+
+</CodeBlockConfig>
+
+## Description
+
+`token capabilities` lists the capabilities of a token for a given path.
+
+If you provide a token value as an argument, this command uses the
+`/sys/capabilities` endpoint and permission. 
+
+If you do not provide an explicit token value, this command uses the 
+`/sys/capabilities-self` endpoint and permission with the locally authenticated 
+token.
+
+<Tip title="Related API endpoints">
+
+  - QueryTokenCapabilities - [`POST:/sys/capabilities`](/vault/api-docs/system/capabilities)
+  - QueryTokenCapabilitiesSelf - [`POST:/sys/capabilities-self`](/vault/api-docs/system/capabilities-self)
+  - QueryTokenCapabilitiesAccessor - [`POST:/sys/capabilities-accessor`](/vault/api-docs/system/capabilities-accessor)
+
+</Tip>
+
+## Command arguments
+
+<br />
+
+@include 'cli/token/args/token.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/args/path.mdx'
+
+## Command options
+
+None.
+
+## Command flags
+
+None.
+
+## Global flags
+
+<br />
+
+
+@include 'cli/standard-settings/all-standard-flags.mdx'
 
 ## Examples
 
-List capabilities for the local token on the `secret/foo` path:
+List capabilities for the local token on the `secret/foo` path. The output shows 
+the local token has read permission on the `secret/foo` path.
 
 ```shell-session
 $ vault token capabilities secret/foo
 read
 ```
 
-The output shows the local token has read permission on the `secret/foo` path.
-
 List capabilities for a token (`hvs.CAESI...WtiSW5mWUY`) on the `cubbyhole/foo`
-path:
+path. The output shows the token (`hvs.CAESI...WtiSW5mWUY`) has no permission to
+operate on the `cubbyhole/foo` path.
 
 ```shell-session
 $ vault token capabilities hvs.CAESI...WtiSW5mWUY database/creds/readonly
 deny
 ```
-
-The output shows the token (`hvs.CAESI...WtiSW5mWUY`) has no permission to
-operate on the `cubbyhole/foo` path.
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/vault/docs/commands) included on all commands.
-
-### Output options
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
@@ -11,23 +11,130 @@ description: |-
 
 # token create
 
-The `token create` command creates a new token that can be used for
-authentication. This token will be created as a child of the currently
-authenticated token. The generated token will inherit all policies and
-permissions of the currently authenticated token unless you explicitly define a
-subset list policies to assign to the token.
+Creates a new token that you can use to authenticate to Vault.
 
-A ttl can also be associated with the token. If a ttl is not associated with the
-token, then it cannot be renewed. If a ttl is associated with the token, it will
-expire after that amount of time unless it is renewed.
+<CodeBlockConfig hideClipboard>
 
-Metadata associated with the token (specified with `-metadata`) is written to
-the audit log when the token is used.
+```shell-session
+$ vault token create [flags]
+
+$ vault token create [-help | -h]
+```
+
+</CodeBlockConfig>
+
+## Description
+
+`token create` creates a new token that you can use to authenticate to Vault. 
+Vault will create this token as a child of the currently authenticated token. 
+The generated token will inherit all policies and permissions of the currently 
+authenticated token unless you explicitly define a subset list policies to 
+assign to the token.
+
+You can also associate a TTL with the token. If you do specify a TTL, the token 
+will expire after that amount of time unless it is renewed. Otherwise, if you 
+do not specify a TTL, the token cannot be renewed.
+
+Vault writes metadata associated with the token (specified with `-metadata`) 
+to the audit log when the token is used.
 
 If a role is specified, the role may override parameters specified here.
 
+<Tip title="Related API endpoints">
+
+  - CreateToken - [`POST:/auth/token/create`](/vault/api-docs/auth/token#create-token)
+  - CreateTokenOrphan - [`POST:/auth/token/create-orphan`](/vault/api-docs/auth/token#create-token)
+  - CreateTokenWithRole - [`POST:/auth/token/create/:role_name`](/vault/api-docs/auth/token#create-token)
+
+</Tip>
+
+
+## Command arguments
+
+None.
+
+## Command options
+
+None.
+
+## Command flags
+
+@include 'cli/token/flags/display-name.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/entity-alias.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/explicit-max-ttl.mdx' 
+
+<br /><hr /><br />
+
+@include 'cli/shared/flags/field.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/id.mdx' 
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/metadata.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/no-default-policy.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/orphan.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/period.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/policy.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/renewable.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/role.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/ttl.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/type.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/use-limit.mdx'
+
+<br /><hr /><br />
+
+@include 'cli/token/flags/wrap-ttl.mdx'
+
+## Global flags
+
+<br />
+
+@include 'cli/standard-settings/all-standard-flags.mdx'
+
 ## Examples
 
+Create a new token:
+
+```shell-session
+$ vault token create
+```
+
 Create a token attached to specific policies:
 
 ```shell-session
@@ -52,78 +159,4 @@ token_accessor     4cd9177c-034b-a004-c62d-54bc56c0e9bd
 token_duration     30m
 token_renewable    true
 token_policies     [my-policy]
-```
-
-## Usage
-
-The following flags are available in addition to the [standard set of
-flags](/vault/docs/commands) included on all commands.
-
-### Output options
-
-- `-field` `(string: "")` - Print only the field with the given name. Specifying
-  this option will take precedence over other formatting directives. The result
-  will not have a trailing newline making it ideal for piping to other processes.
-
-- `-format` `(string: "table")` - Print the output in the given format. Valid
-  formats are "table", "json", or "yaml". This can also be specified via the
-  `VAULT_FORMAT` environment variable.
-
-### Command options
-
-- `-display-name` `(string: "")` - Name to associate with this token. This is a
-  non-sensitive value that can be used to help identify created secrets (e.g.
-  prefixes).
-
-- `-entity-alias`  `(string: "")` - Name of the entity alias to associate with
-  during token creation. Only works in combination with -role argument and used
-  entity alias must be listed in allowed_entity_aliases. If this has been
-  specified, the entity will not be inherited from the parent.
-
-- `-explicit-max-ttl` `(duration: "")` - Explicit maximum lifetime for the
-  token. Unlike normal TTLs, the maximum TTL is a hard limit and cannot be
-  exceeded. Uses [duration format strings](/vault/docs/concepts/duration-format).
-
-- `-id` `(string: "")` - Value for the token. By default, this is an
-  auto-generated value. Specifying this value requires sudo permissions.
-
-- `-metadata` `(k=v: "")` - Arbitrary key=value metadata to associate with the
-  token. This metadata will show in the audit log when the token is used. This
-  can be specified multiple times to add multiple pieces of metadata.
-
-- `-no-default-policy` `(bool: false)` - Detach the "default" policy from the
-  policy set for this token.
-
-- `-orphan` `(bool: false)` - Create the token with no parent. This prevents the
-  token from being revoked when the token which created it expires. Setting this
-  value requires sudo permissions.
-
-- `-period` `(duration: "")` - If specified, every renewal will use the given
-  period. Periodic tokens do not expire as long as they are actively being
-  renewed (unless `-explicit-max-ttl` is also provided). Setting this value
-  requires sudo permissions. Uses [duration format strings](/vault/docs/concepts/duration-format).
-
-- `-policy` `(string: "")` - Name of a policy to associate with this token. This
-  can be specified multiple times to attach multiple policies.
-
-- `-renewable` `(bool: true)` - Allow the token to be renewed up to it's maximum
-  TTL.
-
-- `-role` `(string: "")` - Name of the role to create the token against.
-  Specifying -role may override other arguments. The locally authenticated Vault
-  token must have permission for `auth/token/create/<role>`.
-
-- `-ttl` `(duration: "")` - Initial TTL to associate with the token. Token
-  renewals may be able to extend beyond this value, depending on the configured
-  maximumTTLs. Uses [duration format strings](/vault/docs/concepts/duration-format).
-
-- `-type` `(string: "service")` - The type of token to create. Can be "service" or "batch".
-
-- `-use-limit` `(int: 0)` - Number of times this token can be used. After the
-  last use, the token is automatically revoked. By default, tokens can be used
-  an unlimited number of times until their expiration.
-
-- `-wrap-ttl` `(duration: "")` -  Wraps the response in a cubbyhole token with the
-  requested TTL. The response is available via the "vault unwrap" command. The TTL
-  is specified as a numeric string with suffix like "30s" or "5m". This can also be
-  specified via the `VAULT_WRAP_TTL` environment variable.
+```