Vault Token Management
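# Example Usage:
# PS C:\Users\testadmin> $CurrentTokens = Get-VaultTokens -VaultBaseUri "http://192.168.2.12:8200/v1" -VaultAuthToken "myroot"
# PS C:\Users\testadmin> $CurrentTokens
function Get-VaultTokens {
    <#
    .SYNOPSIS
        Lists every client token stored in Vault by reading the raw storage backend.
    .DESCRIPTION
        Issues GET <VaultBaseUri>/sys/raw/sys/token/id?list=true to obtain the salted
        token ids, then GET <VaultBaseUri>/sys/raw/sys/token/id/<salted-id> for each one
        and emits the decoded token entry as a PSObject.

        Because this goes through sys/raw, the supplied token must be allowed to use the
        raw storage endpoint (normally root, and the server has to have raw storage
        access enabled - raw_storage_endpoint in the server config as far as I know;
        confirm for your Vault version). The objects returned contain the plaintext
        token ids (Revoke-VaultToken's example relies on that), so treat the output as
        a credential dump: do not log it, transcript it, or leave it in history.
    .PARAMETER VaultBaseUri
        Absolute http(s) URL of the Vault API base, e.g. "http://192.168.2.12:8200/v1".
    .PARAMETER VaultAuthToken
        Vault token placed in the X-Vault-Token header for every request.
    .OUTPUTS
        One PSObject per token entry. On validation or listing failure the function
        writes an error, sets $global:FunctionResult = "1" (kept for callers that check
        it) and returns nothing.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]$VaultBaseUri, # Should be something like "http://192.168.2.12:8200/v1"

        [Parameter(Mandatory=$True)]
        [string]$VaultAuthToken # Should be something like 'myroot' or '434f37ca-89ae-9073-8783-087c268fd46f'
    )

    # Make sure $VaultBaseUri is an absolute http(s) URL. TryCreate with UriKind.Absolute
    # is used instead of the [uri] cast, which does not reliably reject relative strings.
    $UriObject = $null
    $IsAbsoluteUri = [uri]::TryCreate($VaultBaseUri, [UriKind]::Absolute, [ref]$UriObject)
    if (-not $IsAbsoluteUri -or $UriObject.Scheme -notin @('http','https')) {
        Write-Error "'$VaultBaseUri' does not appear to be a URL! Halting!"
        $global:FunctionResult = "1"
        return
    }
    if ($UriObject.Scheme -eq 'http') {
        # The auth token and every token id in the response travel unencrypted over plain http
        Write-Warning "'$VaultBaseUri' is not https: the Vault token and the token ids returned are sent in cleartext."
    }

    # If $VaultBaseUri ends in '/', remove it so the path concatenation below stays predictable
    $VaultBaseUri = $VaultBaseUri.TrimEnd('/')

    $HeadersParameters = @{
        "X-Vault-Token" = $VaultAuthToken
    }

    # UseBasicParsing: without it Windows PowerShell 5.1 parses the response with the IE
    # engine and can hang on hosts where IE first-run setup has never completed
    $IWRSplatParamsForSaltedTokenIds = @{
        Uri             = "$VaultBaseUri/sys/raw/sys/token/id"
        Headers         = $HeadersParameters
        Body            = @{ list = "true" }
        Method          = "Get"
        UseBasicParsing = $True
    }
    try {
        $SaltedTokenIds = $($(Invoke-WebRequest @IWRSplatParamsForSaltedTokenIds).Content | ConvertFrom-Json).data.keys
    }
    catch {
        # Invoke-WebRequest raises on non-2xx (403 when sys/raw is disabled or the token is not root)
        Write-Error "Listing $VaultBaseUri/sys/raw/sys/token/id failed: $_"
        $global:FunctionResult = "1"
        return
    }

    [System.Collections.ArrayList]$AvailableTokensPSObjects = @()
    foreach ($SaltedId in $SaltedTokenIds) {
        $IWRSplatParamsForTokenObjects = @{
            Uri             = "$VaultBaseUri/sys/raw/sys/token/id/$SaltedId"
            Headers         = $HeadersParameters
            Method          = "Get"
            UseBasicParsing = $True
        }
        try {
            # The raw entry's 'value' is itself a JSON document describing the token
            $PSObject = $($(Invoke-WebRequest @IWRSplatParamsForTokenObjects).Content | ConvertFrom-Json).data.value | ConvertFrom-Json
        }
        catch {
            # One unreadable entry should not hide the rest of the listing; report and move on
            Write-Error "Reading token entry '$SaltedId' failed: $_"
            continue
        }
        if ($PSObject) {
            $null = $AvailableTokensPSObjects.Add($PSObject)
        }
    }
    $AvailableTokensPSObjects
}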
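# Example Usage:
# Scenario - Remove all tokens except root
# PS C:\Users\testadmin> $VaultTokensToRemove = Get-VaultTokens -VaultBaseUri "http://192.168.2.12:8200/v1" -VaultAuthToken "myroot" | Where-Object {$_.id -ne "myroot"}
# PS C:\Users\testadmin> Revoke-VaultToken -VaultBaseUri "http://192.168.2.12:8200/v1" -VaultAuthToken "myroot" -TokensToDelete $VaultTokensToRemove.Id
function Revoke-VaultToken {
    <#
    .SYNOPSIS
        Revokes the given Vault client tokens and reports what actually happened.
    .DESCRIPTION
        Lists the current tokens with Get-VaultTokens, POSTs
        <VaultBaseUri>/auth/token/revoke once per requested id, then re-lists the
        store and compares. Only ids present in the first listing are submitted; an
        id that was never present is skipped and, being absent afterwards, ends up in
        TokensSuccessfullyDeleted. A failed revoke request is reported as an error and
        the loop continues, so the post-revocation listing remains the source of truth.

        Requires the same privileges as Get-VaultTokens (sys/raw access). The token
        passed as -VaultAuthToken is refused as a deletion target, since revoking it
        would break the post-revocation check.
    .PARAMETER VaultBaseUri
        Absolute http(s) URL of the Vault API base, e.g. "http://192.168.2.12:8200/v1".
    .PARAMETER VaultAuthToken
        Vault token placed in the X-Vault-Token header for every request.
    .PARAMETER TokensToDelete
        Plaintext token ids to revoke.
    .OUTPUTS
        One [pscustomobject] with TokensSuccessfullyDeleted, TokensFailedDeletion and
        RemainingTokens (the full post-revocation listing, which contains plaintext
        token ids). On validation or listing failure the function writes an error,
        sets $global:FunctionResult = "1" and returns nothing.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]$VaultBaseUri, # Should be something like "http://192.168.2.12:8200/v1"

        [Parameter(Mandatory=$True)]
        [string]$VaultAuthToken, # Should be something like 'myroot' or '434f37ca-89ae-9073-8783-087c268fd46f'

        [Parameter(Mandatory=$True)]
        [string[]]$TokensToDelete # Should be something like: e7e95ee3-0355-6ea3-fcc3-66ce8418d32a
    )

    # Make sure $VaultBaseUri is an absolute http(s) URL (same check as Get-VaultTokens)
    $UriObject = $null
    $IsAbsoluteUri = [uri]::TryCreate($VaultBaseUri, [UriKind]::Absolute, [ref]$UriObject)
    if (-not $IsAbsoluteUri -or $UriObject.Scheme -notin @('http','https')) {
        Write-Error "'$VaultBaseUri' does not appear to be a URL! Halting!"
        $global:FunctionResult = "1"
        return
    }

    # If $VaultBaseUri ends in '/', remove it
    $VaultBaseUri = $VaultBaseUri.TrimEnd('/')

    # Revoking our own token would make the post-revocation listing fail with a confusing error
    if ($TokensToDelete -contains $VaultAuthToken) {
        Write-Error "-TokensToDelete includes the token passed as -VaultAuthToken! Halting!"
        $global:FunctionResult = "1"
        return
    }

    try {
        $CurrentTokens = Get-VaultTokens -VaultBaseUri $VaultBaseUri -VaultAuthToken $VaultAuthToken -ErrorAction Stop
        if (!$CurrentTokens) {throw "The Get-VaultTokens function failed! Halting!"}
    }
    catch {
        Write-Error $_
        $global:FunctionResult = "1"
        return
    }

    # UseBasicParsing: avoids the IE-engine hang in Windows PowerShell 5.1 (see Get-VaultTokens)
    $IWRSplatParams = @{
        Uri             = "$VaultBaseUri/auth/token/revoke"
        Headers         = @{ "X-Vault-Token" = $VaultAuthToken }
        ContentType     = "application/json"
        Method          = "Post"
        UseBasicParsing = $True
    }
    foreach ($Token in $TokensToDelete) {
        # Only ask Vault to revoke ids we know exist
        if ($CurrentTokens.id -notcontains $Token) { continue }

        # Build the body with ConvertTo-Json rather than string interpolation so a token
        # containing quotes or backslashes cannot break, or alter, the request document
        $IWRSplatParams.Body = @{ token = $Token } | ConvertTo-Json -Compress
        try {
            $null = Invoke-WebRequest @IWRSplatParams
        }
        catch {
            # Keep going; the id is not echoed here, the listing below names it under TokensFailedDeletion
            Write-Error "A revoke request failed: $_"
        }
    }

    $TokensThatRemain = Get-VaultTokens -VaultBaseUri $VaultBaseUri -VaultAuthToken $VaultAuthToken
    [array]$TokensThatWeFailedToDelete = $TokensToDelete | Where-Object {$TokensThatRemain.id -contains $_}
    [array]$TokensThatWeSuccessfullyDeleted = $TokensToDelete | Where-Object {$TokensThatRemain.id -notcontains $_}

    [pscustomobject]@{
        TokensSuccessfullyDeleted = $TokensThatWeSuccessfullyDeleted
        TokensFailedDeletion      = $TokensThatWeFailedToDelete
        RemainingTokens           = $TokensThatRemain
    }
}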