# Smoke tests for the vault snap
(based on https://www.vaultproject.io/intro/index.html)
First, build and install the vault snap:
1. git clone https://github.com/elopio/vault
2. cd vault
3. git checkout snapcraft
4. sudo apt install snapcraft
5. snapcraft
6. sudo snap install vault*.snap
Print the help:
$ vault
$ vault -help
$ vault help
usage: vault [-version] [-help] <command> [args]
[...]
Print the version:
$ vault version
$ vault -version
Vault v0.6.2-dev
Start the Dev Server:
$ vault server -dev
==> WARNING: Dev mode is enabled!
[...]
export VAULT_ADDR='http://127.0.0.1:8200'
[...]
Unseal Key: [...]
Root Token: [...]
[...]
==> Vault server started! Log data will stream in below:
[...]
Take note of the `VAULT_ADDR` value, the `Unseal Key` and `Root Token`.
Open another terminal and set the server address:
$ export VAULT_ADDR='http://127.0.0.1:8200'
Check the server status:
$ vault status
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
High-Availability Enabled: false
Write a secret:
$ vault write secret/hello value=world
Success! Data written to: secret/hello
Read a secret:
$ vault read secret/hello
Key Value
--- -----
refresh_interval 720h0m0s
value world
Delete a secret:
$ vault delete secret/hello
Success! Deleted 'secret/hello' if it existed.
Mount a backend:
$ vault mount generic
Successfully mounted 'generic' at 'generic'!
Inspect mounts:
$ vault mounts
Path Type Default TTL Max TTL Description
cubbyhole/ cubbyhole n/a n/a per-token private secret storage
generic/ generic system system
secret/ generic system system generic secret storage
sys/ system n/a n/a system endpoints used for control, policy and debugging
Unmount a backend:
$ vault unmount generic/
Successfully unmounted 'generic/'!
The next steps require an the `$ACCESS_KEY_ID` and `$SECRET_ACCESS_KEY` from an AWS account.
Mount the AWS backend:
$ vault mount aws
Successfully mounted 'aws' at 'aws'!
Configure the backend:
$ vault write aws/config/root\
access_key=$ACCESS_KEY_ID \
secret_key=$SECRET_ACCESS_KEY
Success! Data written to: aws/config/root
Create a role:
$ cat > ~/snap/vault/policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1426528957000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
]
}
]
}
EOF
$ vault write aws/roles/deploy policy=@~/snap/vault/policy.json
Success! Data written to: aws/roles/deploy
Generate a secret:
$ vault read aws/creds/deploy
Key Value
--- -----
lease_id aws/creds/deploy/[...]
lease_duration 720h0m0s
lease_renewable true
access_key [...]
secret_key [...]
security_token <nil>
Take note of the `lease_id`.
Revoke a secret:
$ vault revoke aws/creds/deploy/$LEASE_ID
Success! Revoked the secret with ID 'aws/creds/deploy/[...]', if it existed.
Print the path help:
$ vault path-help aws
[...]
Create a token:
$ vault token-create
Key Value
--- -----
token [...]
token_accessor [...]
token_duration 0
token_renewable true
token_policies [root]
Take note of the `token` value.
Revoke a token:
$ vault token-revoke $TOKEN
Success! Token revoked if it existed.
Authenticate with a token:
(using the `Root Token` that was printed when the dev server started)
$ vault auth $ROOT_TOKEN
Successfully authenticated! You are now logged in.
token: [...]
token_duration: 0
token_policies: [root]
The next step requires a GitHub account that's part of an `ORGANIZATION` and has a `$PERSONAL_ACCESS_TOKEN` with the user scope.
Authenticate with GitHub:
$ vault auth-enable github
Successfully enabled 'github' at 'github'!
$ vault write auth/github/config organization=$ORGANIZATION
Success! Data written to: auth/github/config
$ vault auth -method=github token=$PERSONAL_ACCESS_TOKEN
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: [...]
token_duration: 2592000
token_policies: [default]
Disable an authentication backend:
$ vault auth $ROOT_TOKEN
[...]
$ vault auth-disable github
Disabled auth provider at path 'github'!
Write a policy:
$ cat > ~/snap/vault/acl.hcl <<EOF
path "secret/*" {
policy = "write"
}
path "secret/foo" {
policy = "read"
}
path "auth/token/lookup-self" {
policy = "read"
}
EOF
$ vault policy-write secret ~/snap/vault/acl.hcl
Policy 'secret' written.
Print policies:
$ vault policies
[...]
$ vault policies secret
[...]
Create a token for the policy:
$ vault token-create -policy="secret"
Key Value
--- -----
token [...]
token_accessor [...]
token_duration 720h0m0s
token_renewable true
token_policies [default secret]
Take note of the `token`.
Authenticate:
$ vault auth $TOKEN
Successfully authenticated! You are now logged in.
token: [...]
token_duration: 2591912
token_policies: [default, secret]
Write to an allowed path:
$ vault write secret/bar value=yes
Success! Data written to: secret/bar
Try to write to a denied path:
$ vault write secret/foo value=yes
Error writing data to secret/foo: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/foo
Code: 403. Errors:
* permission denied