From 12f58773fe347f23371ae7f2cdd1737d69ef021e Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Wed, 9 Mar 2016 10:42:04 -0500
Subject: [PATCH] Use role's allowed policies if none are given
---
vault/token_store.go | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index 049f5ad3ba..fc3e764d51 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -749,8 +749,12 @@ func (ts *TokenStore) handleCreateCommon(
 // If we have a role, we don't even consider parent policies; the role
 // allowed policies trumps all
 case role != nil:
- if !strListSubset(role.AllowedPolicies, data.Policies) {
- return logical.ErrorResponse("token policies must be subset of the role's allowed policies"), logical.ErrInvalidRequest
+ if len(data.Policies) == 0 {
+ data.Policies = role.AllowedPolicies
+ } else {
+ if !strListSubset(role.AllowedPolicies, data.Policies) {
+ return logical.ErrorResponse("token policies must be subset of the role's allowed policies"), logical.ErrInvalidRequest
+ }
 }
 case len(data.Policies) == 0:
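Review bot: The new `data.Policies = role.AllowedPolicies` line stores the role's own slice header in the request data rather than a copy, so the token's policy list and the role object this request was handed now share one backing array; if the remainder of handleCreateCommon (which continues outside the hunk) appends to, sorts, or otherwise edits data.Policies in place, that edit would silently alter the role's allowed-policy set as seen by later token requests using the same role value. A defensive copy removes the question entirely: `data.Policies = append([]string(nil), role.AllowedPolicies...)`. Separately, the `} else { if !strListSubset(...) {` nesting reads more idiomatically as `} else if !strListSubset(role.AllowedPolicies, data.Policies) {`, which also drops one of the added closing braces.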