Consul ACL bootstrap tokens example: renders a one-shot script that creates the agent, Vault, snapshot-agent and anonymous ACL policies and their tokens.
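# Render the one-shot Consul ACL bootstrap script to disk.
#
# The outer heredoc is deliberately UNQUOTED: ${master_token},
# ${agent_vault_token}, ${agent_server_token}, ${vault_app_token} and
# ${snapshot_token} are substituted by whatever renders this snippet
# (presumably a template engine or the calling shell -- confirm), so the
# written file contains the literal secrets. Any '$' that must survive into
# the inner script has to be written as '\$' here.
#
# Because the rendered file embeds the Consul management token it is
# created with mode 0600 (umask 077 in a subshell so the caller's umask is
# untouched), after removing any pre-existing file or symlink at the path.
# Remove the file once it has been executed.
rm -f -- /tmp/bootstrap_tokens.sh
(
umask 077
cat << EOF > /tmp/bootstrap_tokens.sh
#!/bin/bash
# One-shot Consul ACL bootstrap: create the policies and tokens used by the
# Consul agents, Vault and the snapshot agent, then restrict the anonymous
# token. Guarded by the KV key "acl_bootstrap" so it runs only once.
set -euo pipefail

# Management token, used for every call below. Loopback HTTP only -- do not
# point CONSUL_HTTP_ADDR at a remote address without TLS.
export CONSUL_HTTP_TOKEN=${master_token}
export CONSUL_HTTP_ADDR=http://127.0.0.1:7500

if consul kv get acl_bootstrap >/dev/null 2>&1; then
  echo "Bootstrap already completed"
  exit 0
fi

# Claim the marker with a create-only (CAS, index 0) put so that two nodes
# running this concurrently cannot both proceed. NOTE: a failure after this
# point leaves the marker set and possibly partial policies; delete the key
# and any policies already created before retrying.
if ! consul kv put -cas -modify-index=0 acl_bootstrap 1 >/dev/null; then
  echo "acl_bootstrap already claimed by another node, or Consul unreachable" >&2
  exit 1
fi

echo "Creating Consul ACL policies......"

# Consul agents that also host Vault: register themselves, read services.
consul acl policy create -name consul-agent-vault -rules - <<'RULES'
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
agent_prefix "" {
policy = "write"
}
RULES

# Consul server agents: as above plus write on the "consul" service.
consul acl policy create -name consul-agent-server -rules - <<'RULES'
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
service "consul" {
policy = "write"
}
agent_prefix "" {
policy = "write"
}
RULES

# Vault storage backend: its KV prefix, its service registration and
# sessions (used for HA locking).
consul acl policy create -name vault -rules - <<'RULES'
key_prefix "vault/" {
policy = "write"
}
service "vault" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
node_prefix "" {
policy = "write"
}
agent_prefix "" {
policy = "write"
}
RULES

# Snapshot agent: acl = "write" is required to take snapshots, which makes
# this token management-equivalent; keep it off shared hosts.
consul acl policy create -name snapshot_agent -rules - <<'RULES'
acl = "write"
key "consul-snapshot/lock" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
service "consul-snapshot" {
policy = "write"
}
RULES

# Anonymous (unauthenticated) callers: read on every node, service, session,
# agent and prepared query plus operator read. This is broad -- tighten it if
# the HTTP API is reachable from anything other than trusted hosts.
consul acl policy create -name anonymous -rules - <<'RULES'
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
session_prefix "" {
policy = "read"
}
agent_prefix "" {
policy = "read"
}
query_prefix "" {
policy = "read"
}
operator = "read"
RULES

# Tokens are created with pre-chosen secrets. stdout is discarded because it
# echoes the secret. The CLI only accepts the secret as a flag, so it is
# briefly visible in the process list on this host.
consul acl token create -description "consul agent vault token" -policy-name consul-agent-vault -secret "${agent_vault_token}" 1>/dev/null
consul acl token create -description "consul agent server token" -policy-name consul-agent-server -secret "${agent_server_token}" 1>/dev/null
consul acl token create -description "vault application token" -policy-name vault -secret "${vault_app_token}" 1>/dev/null
consul acl token create -description "consul snapshot agent" -policy-name snapshot_agent -secret "${snapshot_token}" 1>/dev/null
consul acl token update -id anonymous -policy-name anonymous 1>/dev/null
EOF
)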