magiconair · July 26, 2016 20:54
diff --git a/vault-token.sh b/vault-token.sh
 #!/bin/bash

 set -o nounset

 function log() {
 	echo
 	echo "========================================================================="
 	echo "== $@"
 	echo "=="
 }

 if [[ -z "$VAULT_TOKEN" || -z "$VAULT_ADDR" ]] ;  then
 	echo "Both VAULT_ADDR and VAULT_TOKEN must be set"
 	exit 1
 fi

 # create/overwrite policy
 log "Writing fabio policy"
 cat << EOF | vault policy-write fabio -
 path "secret/fabio/*" {
  capabilities = ["read"]
 }

 path "auth/token/lookup-self" {
  capabilities = ["read"]
 }

 path "auth/token/create" {
  capabilities = ["update"]
 }
 EOF

 # echo stored policy
 log "Reading fabio policy"
 vault policies fabio

 # write a secret
 log "Writing secret"
 vault write secret/fabio/certs foo=bar

 log "Reading secret"
 vault read secret/fabio/certs

 # create a non-renewable short-lived bootstrap token
 log "Creating bootstrap token"
 BOOTSTRAP_TOKEN=$(vault token-create -policy=fabio -ttl=1s -renewable=false | grep 'token ' | awk '{print $2;}')

 log "Reading bootstrap token"
 vault token-lookup ${BOOTSTRAP_TOKEN}

 log "Testing bootstrap token"
 VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault read secret/fabio/certs

 # create a renewable child token
 log "Creating fabio token"
 FABIO_TOKEN=$(VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault token-create -ttl=1h -renewable=true | grep 'token ' | awk '{print $2;}')

 log "Reading fabio token"
 vault token-lookup ${FABIO_TOKEN}

 log "Testing fabio token"
 VAULT_TOKEN=${FABIO_TOKEN} vault read secret/fabio/certs

 # wait for bootstrap token to expire
 log "Waiting for bootstrap token to expire"
 sleep 2

 # bootstrap should be expired
 log "Testing bootstrap token (should fail)"
 VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault read secret/fabio/certs

 # fabio token should still work
 log "Testing fabio token (should work)"
 VAULT_TOKEN=${FABIO_TOKEN} vault read secret/fabio/certs
	#!/bin/bash

	set -o nounset

	function log() {
	echo
	echo "========================================================================="
	echo "== $@"
	echo "=="
	}

	if [[ -z "$VAULT_TOKEN" \|\| -z "$VAULT_ADDR" ]] ; then
	echo "Both VAULT_ADDR and VAULT_TOKEN must be set"
	exit 1
	fi

	# create/overwrite policy
	log "Writing fabio policy"
	cat << EOF \| vault policy-write fabio -
	path "secret/fabio/*" {
	capabilities = ["read"]
	}

	path "auth/token/lookup-self" {
	capabilities = ["read"]
	}

	path "auth/token/create" {
	capabilities = ["update"]
	}
	EOF

	# echo stored policy
	log "Reading fabio policy"
	vault policies fabio

	# write a secret
	log "Writing secret"
	vault write secret/fabio/certs foo=bar

	log "Reading secret"
	vault read secret/fabio/certs

	# create a non-renewable short-lived bootstrap token
	log "Creating bootstrap token"
	BOOTSTRAP_TOKEN=$(vault token-create -policy=fabio -ttl=1s -renewable=false \| grep 'token ' \| awk '{print $2;}')

	log "Reading bootstrap token"
	vault token-lookup ${BOOTSTRAP_TOKEN}

	log "Testing bootstrap token"
	VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault read secret/fabio/certs

	# create a renewable child token
	log "Creating fabio token"
	FABIO_TOKEN=$(VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault token-create -ttl=1h -renewable=true \| grep 'token ' \| awk '{print $2;}')

	log "Reading fabio token"
	vault token-lookup ${FABIO_TOKEN}

	log "Testing fabio token"
	VAULT_TOKEN=${FABIO_TOKEN} vault read secret/fabio/certs

	# wait for bootstrap token to expire
	log "Waiting for bootstrap token to expire"
	sleep 2

	# bootstrap should be expired
	log "Testing bootstrap token (should fail)"
	VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault read secret/fabio/certs

	# fabio token should still work
	log "Testing fabio token (should work)"
	VAULT_TOKEN=${FABIO_TOKEN} vault read secret/fabio/certs