Initialise, Unseal, kv v2 mount Hashicorp Vault server running in docker via API calls (curl)
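#!/bin/bash
# Initialize a Hashicorp Vault server with the KV-V2 secrets engine mounted at /secret.
#
# Assumes Vault is running in docker on 127.0.0.1:8200 with TLS (self-signed
# certificate) and that curl, jq and openssl are available on PATH.
# See https://gist.github.com/usmansaleem/891d8b3de03786b89b45e62f97fdefa9 which launches Vault server with TLS support.
#
# Environment:
#   VAULT_HOST  base API URL, default https://127.0.0.1:8200/v1
#
# Outputs: prints the root token, unseal key and generated encryption key to
# stdout (by design, for this bootstrap flow) and writes ./hashicorp_config.toml
# (mode 0600) containing the root token and unseal key.
#
# secret_shares=1 / secret_threshold=1 is a single-operator dev initialisation.

# Exit when any command fails, including a failing stage of a pipeline —
# without pipefail a failed curl is masked by the trailing jq and the script
# would carry on with empty/null values.
set -euo pipefail

VAULT_HOST="${VAULT_HOST:-https://127.0.0.1:8200/v1}"
CONFIG_FILE="./hashicorp_config.toml"

# -k: the dev server presents a self-signed certificate, so peer verification
#     is skipped (trust the cert via --cacert instead if it is available).
# -f: turn HTTP 4xx/5xx into a non-zero exit so set -e stops the script
#     (e.g. sys/init on an already-initialised Vault returns 400).
CURL=(curl -s -k -f)

#######################################
# Issue one Vault API request.
# Arguments: $1 - HTTP method
#            $2 - path under $VAULT_HOST (no leading slash)
#            $3 - JSON request body (optional)
# Globals:   VAULT_HOST (read), VAULT_TOKEN (read, sent as X-Vault-Token when set)
# Outputs:   raw response body on stdout
# Returns:   curl's exit status
#######################################
vault_api() {
  local method=$1 path=$2 body=${3-}
  local -a args=(-X "$method")
  if [[ -n "${VAULT_TOKEN:-}" ]]; then
    args+=(-H "X-Vault-Token: $VAULT_TOKEN")
  fi
  if [[ -n "$body" ]]; then
    args+=(-d "$body")
  fi
  "${CURL[@]}" "${args[@]}" "$VAULT_HOST/$path"
}

echo "Init Hashicorp vault"
INIT_OUT=$(vault_api POST sys/init '{"secret_shares": 1, "secret_threshold": 1}')
# Parse the raw JSON directly; quoting INIT_OUT keeps the document intact.
VAULT_TOKEN=$(jq --raw-output '.root_token' <<<"$INIT_OUT")
VAULT_KEY=$(jq --raw-output '.keys_base64[0]' <<<"$INIT_OUT")
# Refuse to continue (and to write "null" into the config file) if init did
# not hand back both values.
if [[ -z "$VAULT_TOKEN" || "$VAULT_TOKEN" == "null" || -z "$VAULT_KEY" || "$VAULT_KEY" == "null" ]]; then
  printf 'sys/init did not return a root token and unseal key:\n%s\n' "$INIT_OUT" >&2
  exit 1
fi
echo "Root Token: $VAULT_TOKEN"
echo "Unseal Key: $VAULT_KEY"

## Unseal ##
echo "Unsealing Hashicorp Vault"
# Build the body with jq so the key is JSON-escaped rather than interpolated.
vault_api POST sys/unseal "$(jq -n --arg key "$VAULT_KEY" '{key: $key}')" | jq

## Enable KV-v2 /secret mount
echo "Enable kv-v2 secret engine path at /secret"
# sys/mounts answers 204 No Content; jq simply prints nothing for an empty body.
vault_api POST sys/mounts/secret '{"type": "kv", "options": {"version": "2"}}' | jq

## Generate a random 32 bytes keys
echo "Generating random key"
KEY=$(openssl rand -hex 32)
echo "Encryption Key: $KEY"

# Place DB Encryption key
echo "Create key in vault"
vault_api POST secret/data/DBEncryptionKey \
  "$(jq -n --arg value "$KEY" '{data: {value: $value}}')" | jq

# Obtain DB Encryption key
echo "Reading data from vault"
vault_api GET secret/data/DBEncryptionKey | jq '.data.data'

# Create hashicorp_config.toml file with root token
echo "Writing hashicorp_config.toml"
# The file holds the root token and unseal key: create it owner-only and
# tighten an existing file too, since umask does not apply to an overwrite.
umask 077
cat <<EOF > "$CONFIG_FILE"
hashicorp.serverHost="localhost"
hashicorp.serverPort=8200
hashicorp.token="$VAULT_TOKEN"
hashicorp.key="$VAULT_KEY"
hashicorp.keyPath="/v1/secret/data/DBEncryptionKey"
hashicorp.timeout=30
hashicorp.tlsEnable=true
hashicorp.tlsVerifyHost=true
hashicorp.tlsTrustStoreType="PEM"
hashicorp.tlsTrustStorePath="./vault/tls/vault.crt"
EOF
chmod 600 "$CONFIG_FILE"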