@WhatsARanjit
Last active December 15, 2021 16:19
Azure AD auth with Vault Agent
# Vault Agent configuration. The agent authenticates with the Azure auth method,
# writes the resulting token to a file sink, and renders the SSH host certificate.
vault {
  # Plain HTTP to the Vault server; only acceptable on a trusted network segment.
  address = "http://vault:8200"
}

auto_auth {
  method {
    type = "azure"
    config = {
      resource = "lob_app"   # Azure AD resource (token audience) the instance requests
      role     = "ssh_prod"  # Vault role bound to this Azure identity
    }
  }

  # Token is written to a world-readable directory; restrict the path and
  # permissions in production.
  sink "file" {
    config = {
      path = "/tmp/vault-token"
    }
  }
}

# Render the signed host certificate and reload sshd whenever it changes.
template {
  source      = "/tmp/ssh_host_rsa_key-cert.pub.ctmpl"
  destination = "/etc/ssh/ssh_host_rsa_key-cert.pub"
  command     = "systemctl restart sshd"
}

# Local listener so clients on this host can reach Vault through the agent.
# TLS is disabled, so keep it bound to loopback only.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}
# Shell wrapper: log in to Vault over LDAP, get the user key signed, then run ssh.
# The outer heredoc uses its own delimiter so the inner EOF markers do not end it early.
cat << 'VAULTLOGIN' > ~/vaultlogin
function ssh() {
  # -k skips TLS verification; remove it once VAULT_ADDR presents a trusted certificate.
  CURL="curl -sk"
  echo -n 'Password: '
  read -s password
  echo
  (
    $CURL -X POST "${VAULT_ADDR}/v1/auth/ldap/login/$(whoami)" \
      -d @<(cat <<EOF
{
  "password": "$password"
}
EOF
    ) | jq -r '.auth.client_token' > $HOME/.vault-token
  ) &&
  (
    # The sign endpoint requires the token from the LDAP login, and expects the
    # public key contents rather than a file path inside the JSON body.
    $CURL -X POST "${VAULT_ADDR}/v1/ssh-production/sign/prod_support" \
      -H "X-Vault-Token: $(cat $HOME/.vault-token)" \
      -d @<(cat << EOF
{
  "public_key": "$(cat $HOME/.ssh/id_rsa.pub)",
  "valid_principals": "$(whoami)"
}
EOF
    ) | jq -r '.signed_key' > $HOME/.ssh/id_rsa-cert.pub
  )
  /bin/ssh -v "$@"
}
VAULTLOGIN
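The `signed_key` returned by the sign call above is an OpenSSH certificate. As an added example (not part of the gist), this Python parser reads its serial, key id, principals and validity window so a wrapper can confirm the certificate actually names the expected principal and is currently valid before writing it to `id_rsa-cert.pub`. The sample certificate is constructed inline with placeholder key bytes and no signature; field layout follows the ssh-rsa-cert-v01@openssh.com format, and `vault-ldap-alice` is an assumed key id.

```python
import base64, struct, time

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1  # uint32 'type' field: 1 = user certificate, 2 = host certificate

def _string(buf, off):  # one SSH 'string': uint32 length + bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_cert(line):
    """Parse the leading fields of an ssh-rsa-cert-v01 line, up to the validity window."""
    kind, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    blob_type, off = _string(buf, 0)
    if kind != CERT_TYPE or blob_type != CERT_TYPE.encode():
        raise ValueError("not an ssh-rsa-cert-v01 certificate")
    _nonce, off = _string(buf, off)
    _e, off = _string(buf, off)  # mpint e and n are length-prefixed like strings
    _n, off = _string(buf, off)
    serial, ctype = struct.unpack(">QI", buf[off:off + 12])
    key_id, off = _string(buf, off + 12)
    princ_blob, off = _string(buf, off)  # nested list of strings
    principals, p = [], 0
    while p < len(princ_blob):
        name, p = _string(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack(">QQ", buf[off:off + 16])
    return {"serial": serial, "user_cert": ctype == USER_CERT, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def cert_usable_for(line, principal, now=None):
    """True only for a user certificate that names `principal` and is valid at `now`."""
    c = parse_ssh_cert(line)
    now = int(time.time()) if now is None else now
    return c["user_cert"] and principal in c["principals"] and c["valid_after"] <= now < c["valid_before"]

def _pack(b):
    return struct.pack(">I", len(b)) + b

def build_sample_cert(principals, valid_after, valid_before, ctype=USER_CERT):
    """Constructed sample: placeholder key bytes and no signature, enough to exercise the parser."""
    body = _pack(CERT_TYPE.encode()) + _pack(b"\x00" * 32)            # type, nonce
    body += _pack(b"\x01\x00\x01") + _pack(b"\x00" + b"\x42" * 256)    # e, n placeholders
    body += struct.pack(">QI", 7, ctype) + _pack(b"vault-ldap-alice")  # serial, type, key id
    body += _pack(b"".join(_pack(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    return CERT_TYPE + " " + base64.b64encode(body).decode()

SAMPLE = build_sample_cert(["alice"], 1_700_000_000, 1_700_001_800)  # 30-minute window
```

For a real certificate, `ssh-keygen -L -f id_rsa-cert.pub` prints the same fields and additionally checks the CA signature, which this parser does not.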