Created
September 19, 2016 14:09
-
-
Save daveadams/be6d4f99671289f374ad0af71a4424b0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# vault-ec2-auth.sh | |
# Authenticates an EC2 instance to Hashicorp Vault | |
# | |
# configuration stored in environment variables in /etc/vault/client.conf | |
# expected configuration (defaults are selected below if none is specified): | |
# VAULT_ADDR = url of vault server | |
# VAULT_ROLE = role name to authenticate as | |
if [[ -e /etc/vault/client.conf ]]; then | |
source /etc/vault/client.conf | |
fi | |
vault_addr="${VAULT_ADDR:-https://default.vault.url}" | |
die() { echo "ERROR: $@" >&2; exit 1; } | |
[[ $( id -u ) == 0 ]] \ | |
|| die "You must be root to authenticate this instance" | |
# fetch signed identity document, AMI ID, and IAM profile name from meta-data service | |
pkcs7=$( curl -Ss http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 |paste -s -d '' ) | |
ami=$( curl -Ss http://169.254.169.254/latest/meta-data/ami-id ) | |
iam_profile=$( curl -s http://169.254.169.254/latest/meta-data/iam/info |jq -r .InstanceProfileArn |cut -d/ -f2- ) | |
# generate a new nonce unless one already exists | |
nonce_file=/etc/vault/ec2-auth-nonce | |
nonce= | |
if [[ -e $nonce_file ]]; then | |
nonce=$( <"$nonce_file" ) | |
else | |
nonce=$( openssl rand -base64 36 ) | |
fi | |
# prefer VAULT_ROLE, then instance profile name, then AMI ID | |
role_name="${VAULT_ROLE:-${iam_profile:-${ami}}}" | |
result=$( | |
curl -Ss -XPOST "${vault_addr}/v1/auth/aws-ec2/login" \ | |
-d '{"role":"'"$role_name"'","pkcs7":"'"$pkcs7"'","nonce":"'"$nonce"'"}"' | |
) | |
token=$( jq -r .auth.client_token <<< "$result" ) | |
accessor=$( jq -r .auth.accessor <<< "$result" ) | |
if [[ -z $token ]] || [[ $token == null ]]; then | |
jq . <<< "$result" >&2 | |
die "Could not authenticate" | |
fi | |
# write nonce to disk if it didn't already exist | |
if [[ ! -e $nonce_file ]]; then | |
mkdir -p "$( dirname "$nonce_file" )" | |
touch "$nonce_file" | |
chown root:root "$nonce_file" | |
chmod 0600 "$nonce_file" | |
echo "$nonce" > "$nonce_file" | |
chmod 0400 "$nonce_file" | |
fi | |
# write token to tmpfs, readable only to vault-users group | |
touch /var/run/vault-instance-token | |
chown root:vault-users /var/run/vault-instance-token | |
chmod 0640 /var/run/vault-instance-token | |
echo "$token" > /var/run/vault-instance-token | |
# write token accessor to tmpfs, world readable is ok | |
echo "$accessor" > /var/run/vault-token-accessor | |
chmod 0644 /var/run/vault-token-accessor |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment