Can't seal Vault, either on the CLI or with the HTTP API, citing permission problems, using a token from userpass with a policy with permissions on sys/seal. However, by generating a root token it can seal normally.
The documentation at the official site mentions:
This endpoint seals the Vault. In HA mode, only an active node can be sealed. Standby nodes should be restarted to get the same effect. Requires a token with root policy or sudo capability on the path.
path "sys/seal" {
  capabilities = ["create", "sudo"]
}
Error sealing: Error making API request.
URL: PUT <HOST>/v1/sys/seal
Code: 403. Errors:
* 1 error occurred:
* permission denied
The "update" capability was required.
path "sys/seal" {
  capabilities = ["create", "update", "sudo"]
}
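Why the first policy returns 403 and the second does not, as an added example (a simplified model of Vault's capability check, not Vault's own code and not part of the original posts). It assumes exact-match paths only, that sys/seal has no existence check so a PUT is evaluated as "update", and a one-entry list of root-protected paths; the function and constant names are hypothetical.

```python
import re

# HTTP verb -> capability, as described in Vault's policy documentation.
# Assumption of this model: the path has no existence check, so a
# PUT/POST is evaluated as "update" and never as "create".
VERB_CAPABILITY = {"GET": "read", "LIST": "list", "PUT": "update",
                   "POST": "update", "DELETE": "delete"}

# Root-protected paths additionally require "sudo". Only the path from
# this page is listed here; the real set is larger.
ROOT_PROTECTED = {"sys/seal"}

POLICY_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl):
    """Return {path: set(capabilities)} for simple path blocks."""
    rules = {}
    for path, caps in POLICY_BLOCK.findall(hcl):
        rules.setdefault(path, set()).update(re.findall(r'"([a-z]+)"', caps))
    return rules


def missing_capabilities(hcl, verb, path):
    """Capabilities the policy lacks for this request (empty set = allowed)."""
    granted = parse_policy(hcl).get(path, set())
    if "deny" in granted:
        granted = set()  # deny overrides every other grant on the path
    needed = {VERB_CAPABILITY[verb.upper()]}
    if path in ROOT_PROTECTED:
        needed.add("sudo")
    return needed - granted


# The two policies quoted on this page.
QUESTION_POLICY = 'path "sys/seal" { capabilities = ["create", "sudo"] }'
ANSWER_POLICY = 'path "sys/seal" { capabilities = ["create", "update", "sudo" ] }'

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        lacking = missing_capabilities(policy, "PUT", "sys/seal")
        print(name, "policy:", "allowed" if not lacking else f"403, missing {sorted(lacking)}")
```

Against a live server, `vault token capabilities sys/seal` run with the userpass token shows which capabilities the token actually holds on the path.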