hashicorp · pmmukh · Sep 21, 2021 · Sep 15, 2021 · Sep 15, 2021 · Sep 20, 2021
diff --git a/changelog/12565.txt b/changelog/12565.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/token: Return the token_no_default_policy config on token role read if set
+```
diff --git a/vault/token_store.go b/vault/token_store.go
@@ -3208,6 +3208,10 @@ func (ts *TokenStore) tokenStoreRoleRead(ctx context.Context, req *logical.Reque
 		resp.Data["token_num_uses"] = role.TokenNumUses
 	}
 
+	if role.TokenNoDefaultPolicy {
+		resp.Data["token_no_default_policy"] = true
+	}
+
 	return resp, nil
 }
 

diff --git a/vault/token_store_test.go b/vault/token_store_test.go
@@ -3211,12 +3211,13 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 	// automatically due to the existence check
 	req.Operation = logical.CreateOperation
 	req.Data = map[string]interface{}{
-		"period":           "79h",
-		"allowed_policies": "test3",
-		"path_suffix":      "happenin",
-		"renewable":        false,
-		"explicit_max_ttl": "80h",
-		"token_num_uses":   0,
+		"period":                  "79h",
+		"allowed_policies":        "test3",
+		"path_suffix":             "happenin",
+		"renewable":               false,
+		"explicit_max_ttl":        "80h",
+		"token_num_uses":          0,
+		"token_no_default_policy": true,
 	}
 
 	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
@@ -3263,6 +3264,10 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 	}
 	delete(resp.Data, "token_bound_cidrs")
 
+	if resp.Data["token_no_default_policy"].(bool) != true {
+		t.Fatal("unexpected no_default_policy config")
+	}
+	delete(resp.Data, "token_no_default_policy")
 	if diff := deep.Equal(expected, resp.Data); diff != nil {
 		t.Fatal(diff)
 	}
@@ -3313,15 +3318,21 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 	}
 	delete(resp.Data, "token_bound_cidrs")
 
+	if resp.Data["token_no_default_policy"].(bool) != true {
+		t.Fatal("unexpected no_default_policy config")
+	}
+	delete(resp.Data, "token_no_default_policy")
+
 	if diff := deep.Equal(expected, resp.Data); diff != nil {
 		t.Fatal(diff)
 	}
 
 	// Update path_suffix and bound_cidrs with empty values
 	req.Operation = logical.CreateOperation
 	req.Data = map[string]interface{}{
-		"path_suffix": "",
-		"bound_cidrs": []string{},
+		"path_suffix":             "",
+		"bound_cidrs":             []string{},
+		"token_no_default_policy": false,
 	}
 	resp, err = core.HandleRequest(namespace.RootContext(nil), req)
 	if err != nil || (resp != nil && resp.IsError()) {