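#!/usr/bin/env bash
#
# Proof-of-concept: mint a narrowly-scoped AppRole token for the
# kubernetes-vault controller (https://github.com/Boostport/kubernetes-vault).
#
# The controller token is allowed to do exactly one thing: generate
# secret_ids for the application's AppRole. It is granted no read on the
# role, no role_id, and nothing else in Vault.
#
# Expects a local Vault development server, started with:
#   vault server -dev
# The setup steps below run with whatever token the CLI already holds
# (for `vault server -dev` that is the dev root token).
#
# Dev server only: VAULT_ADDR is plain http. Never point this at a real
# cluster without TLS.
set -euo pipefail

# Default listen address of `vault server -dev`.
export VAULT_ADDR='http://127.0.0.1:8200'

readonly CONTROLLER_APPROLE=controller
readonly CONTROLLER_POLICY=controller-policy
readonly USER_APPROLE=my-app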
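########################
# Ensure vault is running and setup correctly
########################
# Abort early if nothing answers on VAULT_ADDR. Braces rather than a
# subshell: `exit` inside ( ... ) only leaves the subshell, and the
# diagnostic belongs on stderr.
if ! vault status > /dev/null; then
  echo "Vault server not running. Run locally: vault server -dev" >&2
  exit 1
fi

# Enable the "approle" auth backend only if it is not mounted yet
# (enabling a path that is already in use is an error).
if ! vault read /sys/auth | grep -q "approle/"; then
  vault auth-enable approle > /dev/null
fi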
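########################
# Setup user's AppRole
########################
# The application's AppRole. No policies are attached here: this PoC is
# only about who may mint secret_ids for it.
#   period=6h            -> login tokens are periodic; they must be
#                           renewed within 6h or they expire
#   secret_id_ttl=90s    -> an unused secret_id is dead after 90s, so one
#                           that leaks in transit is worthless quickly
#   secret_id_num_uses=1 -> a secret_id can log in exactly once; a
#                           replayed (intercepted) secret_id is rejected
vault write "auth/approle/role/${USER_APPROLE}" \
  period=6h \
  secret_id_ttl=90s \
  secret_id_num_uses=1 \
  > /dev/null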
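########################
# Setup controller's policy and AppRole
########################
# Least-privilege policy for the controller: it may only POST to the
# application role's secret-id endpoint. No read on the role itself, no
# role-id, nothing else. The heredoc delimiter is deliberately unquoted so
# ${USER_APPROLE} is expanded into the path.
vault policy-write "${CONTROLLER_POLICY}" - >/dev/null <<EOF
path "auth/approle/role/${USER_APPROLE}/secret-id" {
  capabilities = ["update"]
}
EOF

# The controller's own AppRole, bound to the minimal policy above (this is
# NOT an admin policy). period=6h makes its tokens periodic: they stay
# valid only while renewed at least every 6h, so a controller that stops
# renewing loses access instead of holding a token forever.
#
# secret_id_num_uses=1: the bootstrap secret_id minted for the controller
# below is consumed by its single login, so a copy of it is useless
# afterwards. secret_id_ttl is left at its default (no expiry) here;
# a real deployment should set one as well.
vault write "auth/approle/role/${CONTROLLER_APPROLE}" \
  policies="${CONTROLLER_POLICY}" \
  period=6h \
  secret_id_num_uses=1 \
  > /dev/null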
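########################
# Generate controller's token
########################
# Bootstrap the controller: fetch its role_id, mint one secret_id, and log
# in to obtain the token the controller will actually run with. These calls
# run with the operator's (dev root) token; only the resulting
# CONTROLLER_TOKEN should ever reach the controller. Each assignment aborts
# the script under `set -e` if its vault call fails.
CONTROLLER_ROLE_ID=$(vault read -field=role_id "auth/approle/role/${CONTROLLER_APPROLE}/role-id")
CONTROLLER_SECRET_ID=$(vault write -field=secret_id -f "auth/approle/role/${CONTROLLER_APPROLE}/secret-id")
# NOTE(review): role_id and secret_id are passed as arguments, so they are
# visible in `ps` while the login runs. Acceptable for a dev-server PoC;
# for anything real feed them to the CLI via stdin or a file instead.
CONTROLLER_TOKEN=$(vault write -field=token auth/approle/login \
  "role_id=${CONTROLLER_ROLE_ID}" \
  "secret_id=${CONTROLLER_SECRET_ID}")
# Printed for the demo only. This is a credential; never log it elsewhere.
echo "Controller token: ${CONTROLLER_TOKEN}"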
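########################
# Show controller's token can fetch secret_id for $USER_APPROLE
########################
# What the controller does at runtime: using only CONTROLLER_TOKEN (passed
# via the environment, not argv), mint a fresh one-time secret_id for the
# application's AppRole.
echo "'${USER_APPROLE}' AppRole secret_id:"
VAULT_TOKEN="${CONTROLLER_TOKEN}" vault write -format=json -f "auth/approle/role/${USER_APPROLE}/secret-id"

# Negative check: the same token must NOT be able to read the application's
# role_id -- the policy only grants update on .../secret-id. If this read
# succeeds the policy is broader than intended, so fail loudly.
if VAULT_TOKEN="${CONTROLLER_TOKEN}" vault read "auth/approle/role/${USER_APPROLE}/role-id" > /dev/null 2>&1; then
  echo "ERROR: controller token can read ${USER_APPROLE} role_id; policy is too broad" >&2
  exit 1
fi
echo "Controller token correctly denied read of '${USER_APPROLE}' role_id."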
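########################
# Show how controller's token can be renewed
########################
# The controller renews its own periodic token. With no token argument the
# CLI acts on the token it is authenticated with (lookup-self / renew-self),
# which the built-in default policy permits, so no extra privilege is
# needed and the token never appears on a command line where `ps` could
# read it. (Passing the token as an argument and renewing it with the root
# token, as before, leaks it via argv and does not show that the controller
# itself can renew.)
echo "Token lookup:"
VAULT_TOKEN="${CONTROLLER_TOKEN}" vault token-lookup -format=json
echo "Token renew:"
VAULT_TOKEN="${CONTROLLER_TOKEN}" vault token-renew -format=json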