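#!/usr/bin/env bash
# Bootstrap an AppRole inside a Vault namespace and exercise it end to end:
# create the namespace, enable AppRole there, write an admin policy and role,
# fetch role-id/secret-id, log in as the role, then write and read a test KV
# secret.  Requires `vault` and `jq` on PATH, VAULT_ADDR, and a VAULT_TOKEN
# with permission to create namespaces.
set -euo pipefail

# The privileged token is taken from the environment, never hard-coded, so it
# does not end up in this file, shell history or `ps` output.
: "${VAULT_TOKEN:?set VAULT_TOKEN to a token that can create namespaces}"
# Namespace name; overridable from the environment, default kept from the
# original script.
export NS="${NS:-TEST-NAMESPACE}"

# Print a progress heading for the next step.
# Arguments: $* - heading text
step() {
  printf -- '--- %s\n' "$*"
}

# Print an error to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

for tool in vault jq; do
  command -v "$tool" >/dev/null || die "$tool not found in PATH"
done

step 'Creating namespace'
vault namespace create "$NS"
step 'Enable approle auth within namespace'
vault auth enable -namespace="$NS" approle

# create policy
step 'Writing ns-admin policy'
# NOTE: this demo policy grants every capability, including sudo, on every
# path in the namespace; scope it down before using it for anything real.
# Quoted heredoc: the policy text is passed through verbatim, no expansion.
vault policy write -namespace="$NS" ns-admin-policy - <<'EOF'
# Read TEST-NAMESPACE Namespace
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# AppRole policy
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/capabilities-self"
{
  capabilities = ["update"]
}
EOF

step 'Writing ns-admin role'
vault write -namespace="$NS" auth/approle/role/ns-admin policies=ns-admin-policy

# Read role-id
step 'Reading ROLE_ID'
ROLE_ID=$(vault read -format=json -namespace="$NS" auth/approle/role/ns-admin/role-id | jq -r '.data.role_id')
# generate secret-id
step 'Getting SECRET_ID'
SECRET_ID=$(vault write -f -format=json -namespace="$NS" auth/approle/role/ns-admin/secret-id | jq -r '.data.secret_id')
# `jq -r` prints the literal string "null" when the key is missing, so an
# empty check alone is not enough.
[[ -n "$ROLE_ID" && "$ROLE_ID" != null ]] || die 'could not read role_id'
[[ -n "$SECRET_ID" && "$SECRET_ID" != null ]] || die 'could not obtain secret_id'

# login with role-id + secret-id
step 'Getting ROLE_TOKEN'
# The credentials are sent to vault as a JSON body on stdin ("-") rather than
# as key=value arguments, so the secret_id never appears in `ps` or `set -x`.
ROLE_TOKEN=$(jq -n --arg r "$ROLE_ID" --arg s "$SECRET_ID" '{role_id: $r, secret_id: $s}' \
  | vault write -format=json -namespace="$NS" auth/approle/login - \
  | jq -r '.auth.client_token')
[[ -n "$ROLE_TOKEN" && "$ROLE_TOKEN" != null ]] || die 'AppRole login returned no client_token'

step 'Unsetting VAULT_TOKEN'
unset VAULT_TOKEN
step 'Logging in with ROLE_TOKEN'
# Token is read from stdin ("-") and -no-print keeps it off the terminal;
# vault still stores it in its token helper for the commands below.
printf '%s' "$ROLE_TOKEN" | vault login -no-print -
step "Enable secrets engine in $NS"
vault secrets enable -namespace="$NS" -path=secrets kv
step 'Creating secret'
vault kv put -namespace="$NS" secrets/test color=blue number=eleventeen
step 'Retrieving secret'
vault kv get -namespace="$NS" secrets/test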
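#!/bin/bash
# Variant that keeps AppRole and the admin policy in the root namespace: the
# policy is scoped by path prefix ("<NS>/*") instead of being written inside
# the namespace.  Creates the namespace, enables AppRole at root, writes the
# policy and role, logs in as the role and exercises a KV secret in the
# namespace.  Requires `vault` and `jq` on PATH, VAULT_ADDR, and a
# VAULT_TOKEN with permission to create namespaces.
set -euo pipefail

# The original had the root token hard-coded as a placeholder; it is now
# required from the environment so it never lives in the script, shell
# history or `ps` output.
: "${VAULT_TOKEN:?set VAULT_TOKEN to a token that can create namespaces}"
# Namespace name; overridable, default kept from the original script.  The
# policy below is built from it so the two cannot drift apart.
export NS="${NS:-TEST-NAMESPACE}"

# Print a progress heading for the next step.
# Arguments: $* - heading text
step() {
  printf -- '--- %s\n' "$*"
}

# Print an error to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

for tool in vault jq; do
  command -v "$tool" >/dev/null || die "$tool not found in PATH"
done

step 'Creating namespace'
vault namespace create "$NS"
step 'Enable approle auth (root namespace)'
vault auth enable approle

# create policy
step 'Writing ns-admin policy'
# NOTE: this demo policy grants every capability, including sudo, on every
# path under the namespace prefix; scope it down before real use.
# Unquoted heredoc so ${NS} expands; the policy contains no other `$`.
vault policy write ns-admin-policy - <<EOF
# Read TEST-NAMESPACE Namespace
path "${NS}/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# AppRole policy
path "${NS}/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "${NS}/sys/capabilities-self"
{
  capabilities = ["update"]
}
EOF

step 'Writing ns-admin role'
vault write auth/approle/role/ns-admin policies=ns-admin-policy

# Read role-id
step 'ROLE_ID'
ROLE_ID=$(vault read -format=json auth/approle/role/ns-admin/role-id | jq -r '.data.role_id')
# generate secret-id
step 'Getting SECRET_ID'
SECRET_ID=$(vault write -f -format=json auth/approle/role/ns-admin/secret-id | jq -r '.data.secret_id')
# `jq -r` prints the literal string "null" when the key is missing, so an
# empty check alone is not enough.
[[ -n "$ROLE_ID" && "$ROLE_ID" != null ]] || die 'could not read role_id'
[[ -n "$SECRET_ID" && "$SECRET_ID" != null ]] || die 'could not obtain secret_id'

# login with role-id + secret-id
step 'Getting ROLE_TOKEN'
# Credentials go to vault as a JSON body on stdin ("-") instead of key=value
# arguments, so the secret_id never appears in `ps` or `set -x` traces.
ROLE_TOKEN=$(jq -n --arg r "$ROLE_ID" --arg s "$SECRET_ID" '{role_id: $r, secret_id: $s}' \
  | vault write -format=json auth/approle/login - \
  | jq -r '.auth.client_token')
[[ -n "$ROLE_TOKEN" && "$ROLE_TOKEN" != null ]] || die 'AppRole login returned no client_token'

step 'Unsetting VAULT_TOKEN'
unset VAULT_TOKEN
step 'Logging in with ROLE_TOKEN'
# Token is read from stdin ("-") and -no-print keeps it off the terminal;
# vault still stores it in its token helper for the commands below.
printf '%s' "$ROLE_TOKEN" | vault login -no-print -
step "Enable secrets engine in $NS"
vault secrets enable -namespace="$NS" -path=secrets kv
step 'Creating secret'
vault kv put -namespace="$NS" secrets/test color=blue number=eleventeen
step 'Retrieving secret'
vault kv get -namespace="$NS" secrets/test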