@fvoges
Last active December 5, 2022 11:50
Gist fvoges/d162d59208d42108a40d5a110e3d3392
Vault SSH wrapper for SSH Secrets Engine
#!/bin/bash -e
# Simple SSH wrapper to use with Vault SSH Secrets Engine: ask Vault for a
# fresh key pair plus signed certificate (the issue endpoint generates and
# signs the key on the Vault side), hand both to ssh, and remove them on exit.
# The shebang's -e is ignored when the script is run as "bash wrapper.sh",
# so set it explicitly as well.
set -e
MOUNT="ssh"
ROLE="dev-ssh"
if [ "$#" -lt 1 ]; then
  echo "usage: $0 [ssh options] [user@]host [command]" >&2
  exit 1
fi
# mktemp creates the files with mode 0600, so the key material is never
# readable by other users, not even briefly.
TMP_FILE="$(mktemp)"
SIGNED_KEY="$(mktemp)"
PRIVATE_KEY="$(mktemp)"
# If you want to keep the credentials for longer, then you
# can save them somewhere else, instead of using temporary
# files (the touch/chmod below then make sure they are private):
#SIGNED_KEY="${HOME}/.ssh/vault-ssh-${ROLE}-signed-key"
#PRIVATE_KEY="${HOME}/.ssh/vault-ssh-${ROLE}-private-key"
function cleanup {
  rm -f "$TMP_FILE" "${SIGNED_KEY}" "${PRIVATE_KEY}" &> /dev/null
}
# make sure that we remove all temporary files on exit
trap cleanup EXIT
# ensure that the files exist and have secure permissions
# before writing into them
touch "$TMP_FILE" "${SIGNED_KEY}" "${PRIVATE_KEY}"
chmod 0600 "$TMP_FILE" "${SIGNED_KEY}" "${PRIVATE_KEY}"
# $MOUNT/issue/$ROLE returns the new private key and its signed certificate;
# with -e the script stops here if Vault refuses (expired token, wrong role).
vault write -format=json -f "$MOUNT/issue/$ROLE" > "$TMP_FILE"
# jq -r turns the JSON-escaped "\n" back into real line breaks
jq -r .data.signed_key "$TMP_FILE" > "${SIGNED_KEY}"
jq -r .data.private_key "$TMP_FILE" > "${PRIVATE_KEY}"
# ssh accepts the certificate via -i next to the matching private key
ssh -i "${SIGNED_KEY}" -i "${PRIVATE_KEY}" "$@"
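A pre-flight check the wrapper does not perform, added here as an example (it is not the gist author's code): before handing the certificate to ssh, inspect it with `ssh-keygen -L` and refuse to connect if it has already expired or does not list the login user as a principal. This matters most with the commented-out `~/.ssh` paths above, where a stale certificate from an earlier run is the usual reason a connection suddenly fails. The `ssh-keygen -L` output embedded below is a constructed sample, and the function names (`cert_usable`, `check_cert`) are assumptions, not part of Vault or OpenSSH.

```bash
#!/bin/bash
# Added example (not part of the gist): gate the ssh call on the contents of
# the Vault-issued certificate as printed by `ssh-keygen -L`.
set -euo pipefail

# Constructed `ssh-keygen -L` output used for the demonstration below.
SAMPLE_CERT_INFO=$(cat <<'EOF'
/tmp/tmp.Ab12Cd:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        Signing CA: ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB (using ssh-ed25519)
        Key ID: "vault-token-0123456789"
        Serial: 1234567890
        Valid: from 2022-12-05T11:50:00 to 2022-12-05T12:20:00
        Principals:
                ubuntu
                deploy
        Critical Options: (none)
        Extensions:
                permit-pty
EOF
)

# Print the end of the validity window ("Valid: from A to B" -> B) from
# `ssh-keygen -L` text on stdin, or "forever" for certificates without expiry.
# ssh-keygen prints these timestamps in local time.
cert_valid_to() {
  awk '/^[ \t]*Valid:/ { if ($2 == "forever") print "forever"; else print $NF; exit }'
}

# Print the principals (one per line) from `ssh-keygen -L` text on stdin.
# Names follow the "Principals:" line, indented, until the next "Header:" line.
cert_principals() {
  awk '/^[ \t]*Principals:/ { grab = 1; next }
       grab && /^[ \t]*[A-Za-z][^:]*:/ { exit }
       grab && NF { print $1 }'
}

# Lexical a > b. Both arguments use the %Y-%m-%dT%H:%M:%S format, so string
# order equals time order; this avoids the non-portable `date -d`.
str_after() {
  awk -v a="$1" -v b="$2" 'BEGIN { if (a > b) exit 0; exit 1 }'
}

# cert_usable NOW USER  <  ssh-keygen-L-output
# Succeeds only if the certificate is still valid at NOW (same timestamp
# format, passed in so the check is deterministic) and lists USER as a
# principal. The reason for a rejection goes to stderr.
cert_usable() {
  local now="$1" user="$2" text valid_to
  text="$(cat)"
  valid_to="$(printf '%s\n' "$text" | cert_valid_to)"
  if [ -z "$valid_to" ]; then
    echo "no Valid: line found; is this ssh-keygen -L output?" >&2
    return 1
  fi
  if [ "$valid_to" != "forever" ] && ! str_after "$valid_to" "$now"; then
    echo "certificate expired at $valid_to (now $now)" >&2
    return 1
  fi
  if ! printf '%s\n' "$text" | cert_principals | grep -qxF -- "$user"; then
    echo "certificate does not grant principal '$user'" >&2
    return 1
  fi
}

# check_cert SIGNED_KEY_FILE USER: the real inspection. Local "now" matches
# the local timestamps ssh-keygen prints.
check_cert() {
  ssh-keygen -L -f "$1" | cert_usable "$(date +%Y-%m-%dT%H:%M:%S)" "$2"
}

# Run directly: ./check-cert.sh ~/.ssh/vault-ssh-dev-ssh-signed-key ubuntu
if [ "$#" -eq 2 ]; then
  if check_cert "$1" "$2"; then
    echo "certificate OK for principal $2"
  else
    exit 1
  fi
fi
```

In the wrapper above, the call would sit between the `jq` lines and the `ssh` line, as `check_cert "${SIGNED_KEY}" "${USER}" || exit 1`; a rejected certificate is then reported before ssh prints a less specific "Permission denied (publickey)". Note that Vault's `ttl` on the role bounds the window, so a check that passes on the client can still fail on a target whose clock runs ahead.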