Demos for Vault-GCP Auth Backend HUG/Webinar
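#!/usr/bin/env bash
# GCE-type login demo (runs on a GCE instance): fetch the instance's signed
# identity token from the metadata server, exchange it for a Vault token at
# auth/gcp/login, then read secret/foo with that token.
# This assumes you have some role that can read some secret at secret/foo.
set -euo pipefail

# Vault must be reached over TLS: the login response carries the client token
# and the request carries the identity JWT.
export VAULT_ADDR="https://my_vault_address.com"
# No spaces around '=': `export GCE_ROLE = "..."` exports an unset GCE_ROLE and
# then fails on '=' as an invalid identifier.
export GCE_ROLE="my-gce-role"

apt-get update
apt-get install -y jq

# payload.json holds the identity JWT (a bearer credential); drop it on every
# exit path rather than leaving it in the working directory.
cleanup() { rm -f -- payload.json; }
trap cleanup EXIT

# Curl out to metadata server to get token. The audience names the Vault role;
# -f makes a non-2xx response fail the command instead of producing an empty JWT.
JWT=$(curl -sf -H "Metadata-Flavor: Google" -G \
  --data-urlencode "audience=http://vault/$GCE_ROLE" \
  --data-urlencode "format=full" \
  http://metadata/computeMetadata/v1/instance/service-accounts/default/identity)

# Write to a file. Both values are quoted so the payload is valid JSON
# (the role was previously emitted bare, which Vault would reject as malformed).
cat <<EOF > payload.json
{
  "role": "$GCE_ROLE",
  "jwt": "$JWT"
}
EOF

# Authenticate against Vault and extract auth token (jq -r prints the raw
# string, so no tr is needed to strip quotes).
VAULT_TOKEN="$(curl -sf -X POST -d @payload.json "$VAULT_ADDR/v1/auth/gcp/login" | jq -r '.auth.client_token')"
# jq prints "null" when the field is absent (e.g. an error body); stop here
# rather than sending a bogus token to the secret endpoint.
if [[ -z "$VAULT_TOKEN" || "$VAULT_TOKEN" == "null" ]]; then
  printf 'Vault login failed: no client_token in response\n' >&2
  exit 1
fi

# DON'T DO THIS IN PROD
printf '%s\n' "$VAULT_TOKEN"
printf 'Secret Foo is: %s\n' "$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/secret/foo")"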
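#!/usr/bin/env bash
# IAM-type login demo: write a JWT claim set for a service account, have GCP
# sign it via `gcloud ... sign-jwt` (the private key never leaves Google), and
# present the signed JWT to Vault's GCP auth backend.
set -euo pipefail

# PARAMS
ROLE="my-iam-role"
# shellcheck disable=SC2034 — referenced by the role-setup snippet, not here
GOOGLE_PROJECT="my_google_project"
SERVICE_ACCOUNT="my_service_account@my_google_project.iam.gserviceaccount.com"
# Use TLS: the signed JWT and the returned Vault token travel over this address.
export VAULT_ADDR="https://myvaultserver.com"

# out.jwt is a bearer credential once signed; remove both files on every exit
# path (error, Ctrl-C), not only after a successful login.
cleanup() { rm -f -- input.json out.jwt; }
trap cleanup EXIT

# Generate JWT claims. 'exp' is ten minutes from now (GNU date syntax); keep
# it short, the JWT is single-use for this login.
NOW=$(date -d "10 minutes" +%s)
cat <<EOF > input.json
{
  "sub": "$SERVICE_ACCOUNT",
  "aud": "vault/$ROLE",
  "exp": $NOW
}
EOF
echo "Created input.json JWT Claims:"
cat input.json
echo

# Sign JWT
echo "================================="
echo "RUNNING:"
echo "gcloud beta iam service-accounts sign-jwt"
echo " input.json out.jwt --iam-account=$SERVICE_ACCOUNT"
echo "================================="
gcloud beta iam service-accounts sign-jwt \
  input.json out.jwt --iam-account="$SERVICE_ACCOUNT"

# Authenticate with Vault. The role is taken from $ROLE so it always matches
# the 'aud' claim above (it was previously hard-coded and could drift);
# jwt=@out.jwt makes the vault CLI read the token from the file.
echo "================================="
echo "RUN:"
echo "vault write auth/gcp/login role=$ROLE jwt=@out.jwt"
echo "================================="
vault write auth/gcp/login role="$ROLE" jwt=@out.jwt

# CLEANUP is done by the EXIT trap above.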
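#!/usr/bin/env bash
# Server-side setup for the GCP auth backend: start Vault, enable the backend,
# give it read-only GCP credentials, and define one IAM-type and one GCE-type
# role. This is an outline, not a runnable script: the unseal/init step is
# elided, and GOOGLE_PROJECT / SERVICE_ACCOUNT come from the IAM demo's PARAMS.
set -euo pipefail

# Fail early with a message instead of writing roles bound to an empty project
# or service account.
: "${GOOGLE_PROJECT:?set to the GCP project the roles are bound to}"
: "${SERVICE_ACCOUNT:?set to the service account allowed to use the IAM role}"

# Start the server (runs in the foreground; use a separate shell for the rest).
vault server --config="my-vault-config.hcl"
# ===========
# Do unseal, init, etc
# ===========
# ... (elided; a bare '...' here would be run as a command and fail)

# Enable the auth backend
vault auth-enable gcp

# Add credentials with read-permission for IAM/GCE:
# Permissions: iam.serviceAccounts.get, iam.serviceAccountKeys.get,
# compute.instances.get, compute.instanceGroups.listInstances
vault write auth/gcp/config credentials=@path/to/creds.json

# Write roles. There are many other fields like ttl, period, etc that you can set so
# feel free to do so and look at docs.
# https://www.vaultproject.io/docs/auth/gcp.html
# Note: key=value pairs must have no spaces around '=' — `policies = "x"` is
# passed to the CLI as three separate arguments and the policy is never set.
# bound_service_accounts is a comma-separated list; add more accounts as needed.
vault write auth/gcp/roles/my-iam-role \
  type="iam" \
  project_id="$GOOGLE_PROJECT" \
  policies="my-policy" \
  bound_service_accounts="$SERVICE_ACCOUNT"

# The GCE role needs its own name: writing it to .../roles/my-iam-role would
# overwrite the IAM role above. "my-gce-role" is the name the GCE demo logs in with.
vault write auth/gcp/roles/my-gce-role \
  type="gce" \
  project_id="$GOOGLE_PROJECT" \
  bound_instance_group="my-instance-group" \
  policies="my-policy"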