encrypt-vault-unseal-keys-kms-ssm
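#!/usr/bin/env bash
#
# Encrypt a Vault root token and its five unseal keys with a KMS key and store
# the ciphertext in SSM Parameter Store.
#
# Required environment (read only; export them before running, do not paste
# secrets into this file):
#   PREFIX       SSM parameter-name prefix, e.g. "myteam-"
#   KMS_KEY_ID   KMS key id/ARN/alias used for encryption
#   ROOT_KEY     Vault root token
#   UNSEAL0..4   the five Vault unseal keys
#
# Parameters written (type String, value = base64 ciphertext as returned by
# `aws kms encrypt --query CiphertextBlob`):
#   ${PREFIX}vault-unseal-root    ROOT_KEY, no encryption context
#   ${PREFIX}vault-unseal-{0..4}  UNSEALn, encryption context Tool=vault-unsealer
#
# Whoever decrypts these values must pass the same encryption context, so the
# context strings below are part of the contract with the unsealer.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail early rather than encrypting an empty value or sending it to SSM.
for required in PREFIX KMS_KEY_ID ROOT_KEY UNSEAL0 UNSEAL1 UNSEAL2 UNSEAL3 UNSEAL4; do
  [[ -n "${!required:-}" ]] || die "$required is not set"
done

# Plaintext is staged in a private, unpredictable directory (not a fixed
# /tmp/vault) and removed on every exit path, including a failed aws call.
umask 077
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

#######################################
# Encrypt one plaintext file with KMS and store the ciphertext in SSM.
# Globals:   KMS_KEY_ID (read)
# Arguments: $1 - SSM parameter name
#            $2 - path to the plaintext file
#            $3 - optional KMS encryption context "k=v"; omitted when empty
# Outputs:   progress messages on stdout
# Returns:   non-zero if encrypt or put-parameter fails (fatal under set -e)
#######################################
store_encrypted() {
  local name=$1 plaintext=$2 context=${3:-}
  local -a ctx=()
  if [[ -n "$context" ]]; then
    ctx=(--encryption-context "$context")
  fi
  local ciphertext
  printf 'Encrypting %s\n' "${plaintext##*/}"
  # ${ctx[@]+"${ctx[@]}"} expands to nothing for an empty array without
  # tripping set -u on bash < 4.4. The plaintext goes via fileb://, never argv.
  ciphertext=$(aws kms encrypt --key-id "$KMS_KEY_ID" \
    ${ctx[@]+"${ctx[@]}"} \
    --plaintext "fileb://${plaintext}" \
    --output text \
    --query CiphertextBlob) || return
  printf 'Creating a new SSM parameter key %s\n' "$name"
  # No --overwrite on purpose: an existing parameter is never silently
  # replaced; the call fails and the script aborts instead.
  aws ssm put-parameter --name "$name" \
    --value "$ciphertext" \
    --type String
}

main() {
  local i var
  # The trailing newline is kept deliberately so the stored ciphertext decrypts
  # to the same bytes (value + "\n") the existing consumer already receives.
  printf '%s\n' "$ROOT_KEY" > "${workdir}/root-key"
  store_encrypted "${PREFIX}vault-unseal-root" "${workdir}/root-key"
  for i in {0..4}; do
    var="UNSEAL${i}"
    printf '%s\n' "${!var}" > "${workdir}/unseal${i}"
    store_encrypted "${PREFIX}vault-unseal-${i}" "${workdir}/unseal${i}" \
      "Tool=vault-unsealer"
  done
}

main "$@"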