Bash shell script to check seal status for local vault server and attempt to unseal using keys secured in vault secret store. Supports HA Vault clusters with TLS with unseal keys stored as secrets in vault (see code). Relies on registered service vault.service.consul, in place DNS configuration, and a single unsealed vault instance in your clust…

vaultsealmanager.sh

#!/bin/bash

export vault=/usr/local/bin/vault
export VAULT_TOKEN=$(cat /root/.vault-token)
vault_cacert='-ca-cert=/path/to/your/ca.pem'
local_vault="-address=https://$(hostname -f):8200"
unsealed_vault="-address=https://$(getent hosts $(dig +short vault.service.consul  | tail -n 1) | awk '{ print $2 }'):8200"
leader_vault="-address=https://$($vault status $vault_cacert $unsealed_vault 2> /dev/null | grep Leader | awk '{ print $2 }' | sed 's/^http\(\|s\):\/\///g'):8200"
vault_read="$vault read $vault_cacert $leader_vault"
vault_unseal="$vault unseal $vault_cacert $local_vault"
vault_status="$vault status $vault_cacert $local_vault"


function check_unsealed(){
    $vault_status &> /dev/null
    if [[ ! $? == "0" ]]
    then
        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Local Vault instance was unsuccessfully unsealed (the instance is still sealed)."
        exit 1
    fi
}

function get_keys(){
    vault_key_1=$($vault_read -field=value secret/vault/keys/1 2> /dev/null)
    vault_key_2=$($vault_read -field=value secret/vault/keys/2 2> /dev/null)
    vault_key_3=$($vault_read -field=value secret/vault/keys/3 2> /dev/null)
    vault_key_4=$($vault_read -field=value secret/vault/keys/4 2> /dev/null)
    vault_key_5=$($vault_read -field=value secret/vault/keys/5 2> /dev/null)
    if [[ -z "$vault_key_1" ]] || [[ -z "$vault_key_2" ]] || [[ -z "$vault_key_3" ]] || [[ -z "$vault_key_4" ]] || [[ -z "$vault_key_5" ]]
    then
        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error retrieving unseal keys from Vault secret store!"
        exit 1
    fi
}

function unseal_vault(){
    $vault_unseal $vault_key_1 &> /dev/null;
    status_1=$?
    $vault_unseal $vault_key_2 &> /dev/null;
    status_2=$?
    $vault_unseal $vault_key_3 &> /dev/null;
    status_3=$?
    # Only need three to unseal
    #$vault_unseal $vault_key_4 &> /dev/null;
    #status_4=$?
    #$vault_unseal $vault_key_5 &> /dev/null;
    #status_5=$?
    if [[ ! $status_1 == "0" ]] || [[ ! $status_2 == "0" ]] || [[ ! $status_3 == "0" ]]    # || [[ ! "status_4" == "0" ]] || [[ ! "status_5" == "0" ]]
    then
        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error unsealing local Vault instance!"
        exit 1
    fi
}

function main(){
    $vault_status &> /dev/null
    if [[ $? == "0" ]]
    then
        echo "VaultSealManager-[$(date +'%X %x')]-[IFNO]: Local Vault instance is already unsealed!"
        exit 0
    fi
    if [[ -z "$unsealed_vault" ]]
    then
        echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Consul service returned no unsealed Vault instances!"
        exit 1
    else
        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Consul service returned unsealed Vault instance..."
        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to get secured keys from Vault secret store..."
        get_keys
        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Got unseal keys successfull..."
        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys..."
        unseal_vault
        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Checking local seal status..."
        check_unsealed
        echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is now unsealed!"
    fi
}

main
exit 0

It would be great if you write some comments on how this code is actually working .
I was thinking of adding one more parameter to this , i.e Sending alert mail whenever the vault gets sealed .
Can that be done here ? If yes kindly help me with that .

@divvy19 I would advise against storing the root token on disk, which is done here. See

export VAULT_TOKEN=$(cat /root/.vault-token)

But, if this is not an issue... To summarize: It reads from secret storage (from other Vault instances in the cluster) using root token, to obtain the unseal keys, which are used to unseal the local Vault.

Then, again, you could store the unseal keys on disk, which basically yields the same security in the attack model.