@WhatsARanjit
Last active January 19, 2021 18:38
Using a "pipeline" entity to create all tokens for pipelines
# Enable audit log
$ vault audit enable file file_path=/tmp/audit/vault_audit.log
Success! Enabled the file audit device at: file/
# Add some example secrets for prod and dev
$ vault secrets enable -version=2 kv
Success! Enabled the kv secrets engine at: kv/
$ vault kv put kv/production/stuff foo=bar
Key Value
--- -----
created_time 2021-01-16T03:03:51.853075Z
deletion_time n/a
destroyed false
version 1
$ vault kv put kv/development/stuff devfoo=devbar
Key Value
--- -----
created_time 2021-01-16T03:03:51.908423Z
deletion_time n/a
destroyed false
version 1
# Create prod/dev access policies
$ vault policy write production - << EOF
path "kv/data/production/*" {
capabilities = ["read", "update", "list"]
}
EOF
Success! Uploaded policy: production
$ vault policy write development - << EOF
path "kv/data/development/*" {
capabilities = ["read", "update", "list"]
}
EOF
Success! Uploaded policy: development
# Base count
$ vault-auditor parse /tmp/audit
Distinct Entities: 0
Non-Entity Tokens: 1
Total Clients: 1
Total files processed: 1
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:06:19Z
# Create pipeline entity capable of creating tokens for prod/dev
$ vault write auth/token/roles/pipeline allowed_policies="production,development" period="5m" allowed_entity_aliases="pipeline"
Success! Data written to: auth/token/roles/pipeline
# Count has not changed yet
$ vault-auditor parse /tmp/audit
Distinct Entities: 0
Non-Entity Tokens: 1
Total Clients: 1
Total files processed: 1
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:07:34Z
# Create pipeline token issuer's policy
$ vault policy write pipeline - << EOF
path "auth/token/create/pipeline" {
capabilities = ["create", "update"]
}
EOF
Success! Uploaded policy: pipeline
# Login as pipeline token issuer
$ vault auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ vault write auth/userpass/users/pipeline \
policies=pipeline \
password=Password1!
Success! Data written to: auth/userpass/users/pipeline
$ vault login -method=userpass username=pipeline password=Password1!
WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.qOdqzYZXUiKm7ZSb5eGQP2YC
token_accessor sQMCDCJATlbZkABKwidR8dR9
token_duration 768h
token_renewable true
token_policies ["default" "pipeline"]
identity_policies []
policies ["default" "pipeline"]
token_meta_username pipeline
# Check count
$ vault-auditor parse /tmp/audit
Distinct Entities: 1
Non-Entity Tokens: 1
Total Clients: 2
Total files processed: 1
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:10:16Z
## Pipeline token issuer has a new distinct entity
# Work as pipeline token issuer
$ export PIPELINE_TOKEN=s.qOdqzYZXUiKm7ZSb5eGQP2YC
# Create token for prod pipeline user
$ VAULT_TOKEN=$PIPELINE_TOKEN \
vault token create \
-role=pipeline \
-entity-alias=pipeline \
-policy=production
Key Value
--- -----
token s.lbarA0aEg2Z8yIH9jm3uXdnD
token_accessor gqjKN7Getv8TsSCF3otgXw1S
token_duration 5m
token_renewable true
token_policies ["default" "production"]
identity_policies []
policies ["default" "production"]
# Use prod token
$ VAULT_TOKEN=s.lbarA0aEg2Z8yIH9jm3uXdnD \
vault kv get kv/production/stuff
====== Metadata ======
Key Value
--- -----
created_time 2021-01-16T03:03:51.853075Z
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
foo bar
# Recount
$ vault-auditor parse /tmp/audit
Distinct Entities: 2
Non-Entity Tokens: 1
Total Clients: 3
Total files processed: 1
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:12:25Z
## One new entity --> 'pipeline'
# Create token for dev pipeline user using same entity
$ VAULT_TOKEN=$PIPELINE_TOKEN \
vault token create \
-role=pipeline \
-entity-alias=pipeline \
-policy=development
Key Value
--- -----
token s.bpwDjjSSg2UvhvPLgT0TXb2M
token_accessor bA90diWoqIH7tKhzjFr36n2x
token_duration 5m
token_renewable true
token_policies ["default" "development"]
identity_policies []
policies ["default" "development"]
# Use dev token
$ VAULT_TOKEN=s.bpwDjjSSg2UvhvPLgT0TXb2M \
vault kv get kv/development/stuff
====== Metadata ======
Key Value
--- -----
created_time 2021-01-16T03:03:51.908423Z
deletion_time n/a
destroyed false
version 1
===== Data =====
Key Value
--- -----
devfoo devbar
# Recount
$ vault-auditor parse /tmp/audit
Distinct Entities: 2
Non-Entity Tokens: 1
Total Clients: 3
Total files processed: 1
Date range: 2021-01-16T03:03:13Z - 2021-01-16T03:14:21Z
## No new entity or non-entity values
#--------------------------------------------------------------------------------
# Summary of resulting numbers
# Distinct Entities: 2
## 1) "Pipeline Token Issuer": creates tokens for the various pipeline tiers
## 2) "Pipeline Token User": uses prod/dev tokens under 1 Vault entity
# Non-Entity Tokens: 1
## Root token
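The counts above come from `vault-auditor` reading the file audit device. As an added example (not part of this gist and not the `vault-auditor` code), here is a small Python counter that applies the same rule to constructed audit-log lines: an entry whose `auth.entity_id` is set counts toward that entity, and an entry with no entity counts once per token accessor. The entity ids, accessors, paths and timestamps in the sample are made up, and the second sample adds the case the gist is designed to avoid, a pipeline token minted without `-entity-alias`, to show that it surfaces as an extra non-entity token rather than folding into the `pipeline` entity.

```python
import json

# Constructed sample audit-log lines in the shape the Vault file audit device
# writes (one JSON object per line, token values already HMAC'd by Vault).
# They are NOT real log entries; entity ids, accessors and paths are made up.
def _entry(time, accessor, entity_id, path, kind="response"):
    return json.dumps({
        "time": time, "type": kind,
        "auth": {"accessor": accessor, "entity_id": entity_id,
                 "token_type": "service"},
        "request": {"operation": "read", "path": path},
    })

SAMPLE_AUDIT_LINES = [
    # root token: no identity entity stands behind it
    _entry("2021-01-16T03:03:13Z", "hmac-sha256:root-acc", "", "sys/mounts/kv", "request"),
    _entry("2021-01-16T03:03:13Z", "hmac-sha256:root-acc", "", "sys/mounts/kv"),
    # userpass login as the pipeline issuer creates an entity for that user
    _entry("2021-01-16T03:10:16Z", "hmac-sha256:issuer-acc", "ent-issuer", "auth/token/create/pipeline"),
    # prod token minted with -entity-alias=pipeline
    _entry("2021-01-16T03:12:25Z", "hmac-sha256:prod-acc", "ent-pipeline", "kv/data/production/stuff"),
    # dev token minted with the SAME alias: new accessor, same entity_id
    _entry("2021-01-16T03:14:21Z", "hmac-sha256:dev-acc", "ent-pipeline", "kv/data/development/stuff"),
    "garbage that is not JSON",   # the counter must survive a corrupt line
]

# What the log would look like if a pipeline token had been minted without
# -entity-alias: a fresh accessor with an empty entity_id (constructed).
SAMPLE_WITHOUT_ALIAS = SAMPLE_AUDIT_LINES + [
    _entry("2021-01-16T03:16:00Z", "hmac-sha256:orphan-acc", "", "kv/data/production/stuff"),
]


def count_clients(lines):
    """Count distinct entities and non-entity tokens the way the gist's
    vault-auditor output reports them: a non-empty auth.entity_id counts
    toward its entity; an entry with no entity counts once per accessor."""
    entities, non_entity_accessors = set(), set()
    times, skipped = [], 0
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            skipped += 1
            continue
        auth = entry.get("auth") or {}
        entity_id = auth.get("entity_id") or ""
        accessor = auth.get("accessor") or ""
        if entity_id:
            entities.add(entity_id)
        elif accessor:
            non_entity_accessors.add(accessor)
        if entry.get("time"):
            times.append(entry["time"])
    return {
        "distinct_entities": len(entities),
        "non_entity_tokens": len(non_entity_accessors),
        "total_clients": len(entities) + len(non_entity_accessors),
        "non_entity_accessors": sorted(non_entity_accessors),
        # Vault writes RFC 3339 UTC timestamps, so string order is time order
        "date_range": (min(times), max(times)) if times else None,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for label, sample in (("with alias", SAMPLE_AUDIT_LINES),
                          ("without alias", SAMPLE_WITHOUT_ALIAS)):
        print(label, count_clients(sample))
```

Run against the first sample it reproduces the gist's final numbers (2 distinct entities, 1 non-entity token, 3 clients); the second sample shows why `allowed_entity_aliases` on the role plus `-entity-alias` on every `vault token create` matters: drop the alias once and the count of non-entity tokens grows by one for each token minted, which is the drift a defender would want to spot in the audit log.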