| #!/usr/bin/env python3 | |
| import base64 | |
| import json | |
| import requests | |
| from aws_requests_auth.boto_utils import BotoAWSRequestsAuth | |
| """ | |
| This code will connect from an ECS container to a remote Hashicorp Vault server | |
| and authenticate using the 'iam' auth_type for the AWS auth backend. |
These are python 2 and 3 snippets showing how to generate headers to authenticate with HashiCorp's Vault using the AWS authentication method. There's also a Ruby implementation which uses version 3 of the AWS SDK for Ruby.
The python scripts look for credentials in the
default boto3 locations;
if you need to supply custom credentials (such as from an AssumeRole call), you would use the
botocore.session.set_credentials
method before calling create_client.
| # start vault in dev mode | |
| VAULT_UI=true vault server -dev -dev-root-token-id="password" | |
| # write some secrets for our example usage | |
| curl --request POST \ | |
| --silent \ | |
| --header "X-Vault-Token: password" \ | |
| --header "Content-Type: application/json" \ | |
| --data '{ "options": { "cas": 0 }, "data": { "username": "administrator", "password": "hunter2" } }' \ | |
| http://127.0.0.1:8200/v1/secret/data/dev | jq '.' |
| #!/usr/bin/env sh | |
| docker-machine rm -f rancher host1 | |
| docker-machine create rancher --driver virtualbox --virtualbox-cpu-count "-1" --virtualbox-disk-size "8000" --virtualbox-memory "512" --virtualbox-boot2docker-url=https://github.com/boot2docker/boot2docker/releases/download/v1.11.2/boot2docker.iso | |
| docker-machine scp scripts/rancher-net.sh rancher:. | |
| docker-machine ssh rancher sh rancher-net.sh | |
| docker-machine regenerate-certs rancher -f | |
| eval $(docker-machine env rancher) | |
| docker-compose up -d | |
| eval $(docker-machine env -u) | |
| docker-machine create host1 --driver virtualbox --virtualbox-cpu-count "-1" --virtualbox-disk-size "54000" --virtualbox-memory "2048" --virtualbox-boot2docker-url=https://github.com/boot2docker/boot2docker/releases/download/v1.11.2/boot2docker.iso |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: concourse-keys | |
| data: | |
| authorized_worker_keys: |+ | |
| ssh-rsa {{public_key_text}} worker-key | |
| session_signing_key: |+ | |
| -----BEGIN RSA PRIVATE KEY----- |
| #!/usr/bin/env bash | |
| function echob() { | |
| echo -e "\033[1m$1\033[0m" | |
| } | |
| function delete_user() { | |
| local username="$1" | |
| echo "deleting ${username}" | |
| aws iam delete-access-key --user-name ${username} --access-key-id $(jq -r .AccessKey.AccessKeyId ${username}-credentials.json) | |
| aws iam delete-user --user-name ${username} |
| vault mount pki | |
| vault mount -path=pki1 pki | |
| vault mount -path=pki2 pki | |
| vault mount -path=pki3 pki | |
| vault mount-tune -max-lease-ttl=87600h pki | |
| vault mount-tune -max-lease-ttl=87600h pki1 | |
| vault mount-tune -max-lease-ttl=87600h pki2 | |
| vault mount-tune -max-lease-ttl=87600h pki3 | |
| vault write pki/root/generate/internal common_name="Vault Testing Root Authority" ttl=87600h |
| #!/usr/bin/env bash | |
| set -eu | |
| # Proof-of-concept script to demonstrate using an AppRole | |
| # generated token for the kubernetes-vault controller. | |
| # https://github.com/Boostport/kubernetes-vault | |
| # Expects vault local development server to be running. | |
| # Launch with: | |
| # vault server -dev |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: logstash-secrets | |
| data: | |
| logstash.secrets: | | |
| ELASTICSEARCH_USERNAME=elasticsearch/production#username | |
| ELASTICSEARCH_PASSWORD=elasticsearch/production#password | |
| --- | |
| apiVersion: v1 |
| #!/bin/bash | |
| # | |
| # vault-ec2-auth.sh | |
| # Authenticates an EC2 instance to Hashicorp Vault | |
| # | |
| # configuration stored in environment variables in /etc/vault/client.conf | |
| # expected configuration (defaults are selected below if none is specified): | |
| # VAULT_ADDR = url of vault server | |
| # VAULT_ROLE = role name to authenticate as |