Created
April 5, 2019 13:25
-
-
Save greenbrian/5be10eb2c978a153a52caa9fadbc3b9c to your computer and use it in GitHub Desktop.
Vault CLI testing AppRole
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # start vault | |
| VAULT_UI=true vault server -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 | |
| # login as root - DO NOT DO THIS IN PRODUCTION | |
| vault login root | |
| # write some secrets | |
| vault kv put secret/test color=blue number=eleventeen | |
| # create policy | |
| echo 'path "secret/*" { | |
| capabilities = ["list", "read"] | |
| }' | vault policy write test - | |
| # enable approle | |
| vault auth enable approle | |
| # configure approle role named "testrole" | |
| vault write auth/approle/role/testrole \ | |
| secret_id_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \ | |
| secret_id_ttl=60m \ | |
| secret_id_num_uses=5 \ | |
| enable_local_secret_ids=false \ | |
| token_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \ | |
| token_num_uses=10 \ | |
| token_ttl=1h \ | |
| token_max_ttl=3h \ | |
| token_type=default \ | |
| period="" \ | |
| policies="default","test" | |
| # Read role-id | |
| vault read auth/approle/role/testrole/role-id | |
| ROLE_ID=$(vault read -format=json auth/approle/role/testrole/role-id | jq -r '.data.role_id') | |
| # generate secret-id | |
| vault write -f auth/approle/role/testrole/secret-id | |
| SECRET_ID=$(vault write -f -format=json auth/approle/role/testrole/secret-id | jq -r '.data.secret_id') | |
| # login with role-id + secret-id | |
| vault write auth/approle/login \ | |
| role_id=b07678e8-f924-13fb-bf5f-d9dec506ae27 \ | |
| secret_id=5f59f3ca-919f-1b05-7e42-347d058bbbb4 | |
| # test resulting token | |
| vault login s.KotUq5erUijZImTgF5m80WgY | |
| # read secrets | |
| vault kv get secret/test | |
| # approle push test | |
| vault login root | |
| vault write auth/approle/role/testrole/custom-secret-id secret_id=asdfasdf | |
| # login with custom secret_id | |
| vault write auth/approle/login role_id=b07678e8-f924-13fb-bf5f-d9dec506ae27 secret_id=asdfasdf | |
| # test resulting token | |
| vault login s.UsW8hcCNLKqkPosk0vcClf4c | |
| vault kv get secret/test | |
| # create token scoped that only allows retrieval of secret-id | |
| echo 'path "auth/approle/role/testrole/secret-id" { | |
| capabilities = ["create","update"] | |
| }' | vault policy write orchestrator - | |
| vault token create -period="8h" -orphan -policy=orchestrator | |
| # login with new token | |
| vault login s.A0PvsYPhvxTTbtqIm8uKFVyK | |
| # fetch secret-id | |
| vault write -f auth/approle/role/testrole/secret-id | |
| # TEST FAILURES | |
| vault token create -period="8h" -orphan -policy=orchestrator | |
| vault read auth/approle/role/testrole/role-id | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment