Skip to content

Instantly share code, notes, and snippets.

@alexanderankin

alexanderankin/vault-setup.sh

Last active March 10, 2024 21:40
Show Gist options
  • Save alexanderankin/76972bffc936affb39b8e8b579c6b690 to your computer and use it in GitHub Desktop.
Save alexanderankin/76972bffc936affb39b8e8b579c6b690 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
vault-setup.sh
#!/usr/bin/env bash
if [[ "$0" != "$BASH_SOURCE" ]]; then echo "no sourcing">&2; return 1; fi;
set -eu -o pipefail
# https://unix.stackexchange.com/a/39660
err_report() { echo "Error on line $1 from caller $(caller)"; }
trap 'err_report $LINENO' ERR
if [[ "$#" == 1 ]] ; then
case "$1" in
"nuke")
docker rm -f vault && sudo rm -rf vault-file && mkdir vault-file
exit 0
;;
"build")
;;
*)
echo 'only understand nuke or build'>&2;
exit 2;
;;
esac
else
echo 'need a command'
exit 1
fi;
mkdir -p ./vault-file;
docker run \
-d --log-opt max-size=10m --log-opt max-file=10 --restart=always \
--name vault \
-v ./vault-file:/vault/file \
--cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={
"storage": {"file": {"path": "/vault/file"}},
"listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}],
"default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true
}' \
-p 127.0.0.1:${PORT:-8200}:8200 \
hashicorp/vault server
while ! nc localhost 8200 -z -w 1; do echo "no vault yet"; ((c++)) && ((c==10)) && break; sleep 1; done;
sleep 3;
json="$( \
docker run \
--rm --name vault-cli-tmp \
--cap-add IPC_LOCK --network host -e "VAULT_ADDR=${VAULT_ADDR:-http://localhost:8200}" \
hashicorp/vault operator init -format=json -key-shares=1 -key-threshold=1 \
)";
root_token=$(echo "$json" | jq -r .root_token);
unseal_key_b64=$(echo "$json" | jq -r .unseal_keys_b64[0]);
echo the root_token is $root_token
echo unseal_key_b64 is $unseal_key_b64
docker run \
--rm --name vault-cli-tmp \
--cap-add IPC_LOCK --network host -e "VAULT_ADDR=${VAULT_ADDR:-http://localhost:8200}" \
hashicorp/vault operator unseal -format=json $unseal_key_b64;
echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' | \
docker run \
-i --rm --name vault-cli-tmp \
--cap-add IPC_LOCK --network host -e "VAULT_ADDR=${VAULT_ADDR:-http://localhost:8200}" \
-e VAULT_TOKEN=$root_token \
hashicorp/vault policy write admin -;
docker run \
-i --rm --name vault-cli-tmp \
--cap-add IPC_LOCK --network host -e "VAULT_ADDR=${VAULT_ADDR:-http://localhost:8200}" \
-e VAULT_TOKEN=$root_token \
hashicorp/vault auth enable userpass;
for user in admin da ng ; do
password="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9_#' | head -c 20 || true)"
docker run \
--rm --name vault-cli-tmp \
--cap-add IPC_LOCK --network host -e "VAULT_ADDR=${VAULT_ADDR:-http://localhost:8200}" \
-e VAULT_TOKEN=$root_token \
hashicorp/vault write -format=json auth/userpass/users/$user password=$password policies=admin;
echo user $user has password $password
done
@alexanderankin
Copy link
Author

see also https://gist.github.com/Mishco/b47b341f852c5934cf736870f0b5da81

@alexanderankin
Copy link
Author

example of a vault policy which allows for access to a subpath on the engine "kv", write access to a subfolder, and allows to change own password in the UI

path "/kv/metadata" { capabilities = [ "list" ] }
path "/kv/metadata/your-feature*" { capabilities = [ "list", "read" ] }
path "/kv/data/your-feature*" { capabilities = [ "list", "read" ] }

path "/kv/metadata" { capabilities = [ "list" ] }
path "/kv/metadata/your-feature/dev*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "/kv/data/your-feature/dev*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }

path "sys/auth*" { capabilities = [ "list", "read" ] }
path "auth*" { capabilities = [ "read" ] }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment