mvisonneau · July 10, 2018 10:50
diff --git a/vault-aws-ec2-login b/vault-aws-ec2-login
 #!/usr/bin/env bash

 if [[ -z ${VAULT_ADDR} ]]; then
  echo "VAULT_ADDR must be set"
  exit 1
 fi

 pkcs7=$( curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n' )
 iam_instance_profile=$( curl -s http://169.254.169.254/latest/meta-data/iam/info | jq -r .InstanceProfileArn | cut -d '/' -f2 )
 nonce=$( openssl rand -base64 36 )

 # In order to request a role onto vault we prefer VAULT_AWS_ROLE or we default to instance profile otherwise
 role="${VAULT_AWS_ROLE:-${iam_instance_profile}}"

 result=$(
  curl -s -X POST "${VAULT_ADDR}/v1/auth/aws/login" \
    -d '{"role":"'"$role"'","pkcs7":"'"$pkcs7"'","nonce":"'"$nonce"'"}"'
 )

 token=$( jq -r .auth.client_token <<< "$result" )
 errors=$( jq -r .errors <<< "$result" )
 if [[ -n ${errors} ]]; then
  echo ${errors}
  exit 1
 elif [[ -z ${token} ]]; then
  echo 'no error nor token returned from Vault'
  exit 1
 else
  echo ${token}
 fi

 exit 0
	#!/usr/bin/env bash

	if [[ -z ${VAULT_ADDR} ]]; then
	echo "VAULT_ADDR must be set"
	exit 1
	fi

	pkcs7=$( curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 \| tr -d '\n' )
	iam_instance_profile=$( curl -s http://169.254.169.254/latest/meta-data/iam/info \| jq -r .InstanceProfileArn \| cut -d '/' -f2 )
	nonce=$( openssl rand -base64 36 )

	# In order to request a role onto vault we prefer VAULT_AWS_ROLE or we default to instance profile otherwise
	role="${VAULT_AWS_ROLE:-${iam_instance_profile}}"

	result=$(
	curl -s -X POST "${VAULT_ADDR}/v1/auth/aws/login" \
	-d '{"role":"'"$role"'","pkcs7":"'"$pkcs7"'","nonce":"'"$nonce"'"}"'
	)

	token=$( jq -r .auth.client_token <<< "$result" )
	errors=$( jq -r .errors <<< "$result" )
	if [[ -n ${errors} ]]; then
	echo ${errors}
	exit 1
	elif [[ -z ${token} ]]; then
	echo 'no error nor token returned from Vault'
	exit 1
	else
	echo ${token}
	fi

	exit 0