Create an ACL policy in Vault, create a user token bound to that policy, and verify which KV paths the token can and cannot reach
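#!/usr/bin/env bash
# Create a Vault ACL policy, mint a token restricted to that policy, and
# verify the policy's effect by exercising allowed and denied KV paths.
#
# Prerequisites (not performed here):
#   vault server -dev -dev-root-token-id="root"
#   export VAULT_ADDR='http://127.0.0.1:8200'
# The shell must already hold a token allowed to write policies and create
# tokens (e.g. the dev root token). NOTE: the `vault login` below replaces
# that token in the CLI token helper (~/.vault-token); re-authenticate as an
# operator afterwards if you need privileged commands again.
set -euo pipefail

policy_name=mypolicy
user_token=''
logged_in=0

# Best-effort cleanup: revoke the test token so it does not outlive the
# script. "revoke -self" is only meaningful once we have logged in as it.
cleanup() {
  if (( logged_in )); then
    vault token revoke -self >/dev/null 2>&1 || true
  fi
  unset user_token
}
trap cleanup EXIT

# Run a command that the policy is expected to DENY. Under `set -e` a denied
# command would otherwise abort the script; and a denial that unexpectedly
# turns into success means the policy is broader than intended, so fail hard.
expect_fail() {
  if "$@"; then
    printf 'UNEXPECTED: "%s" succeeded\n' "$*" >&2
    return 1
  fi
  printf 'OK (denied as expected): %s\n' "$*"
}

# pre-validation
vault secrets list
vault policy list

# add policy. Quoted heredoc: nothing inside is shell-expanded.
# In Vault ACL paths a trailing "*" is a prefix match and "+" matches exactly
# one path segment; KV v2 data lives under <mount>/data/<key>.
vault policy write "${policy_name}" - <<'EOF'
path "secret/data/training_*" {
  capabilities = ["create", "read"]
}
path "secret/data/+/apikey" {
  capabilities = ["create", "read", "update", "delete"]
}
EOF

# post-validation (the original passed a stray "base" argument here, which
# made `vault policy read` fail)
vault policy read "${policy_name}"

# Create user (token) with the created policy.
# -field=token drops the jq dependency and keeps the token in a variable
# instead of a predictable, world-readable /tmp/token.txt. A short TTL keeps
# a forgotten test token from lingering.
user_token=$(vault token create -policy="${policy_name}" -ttl=1h -field=token)

# Post-validation: capabilities the new token has on a training_* path
vault token capabilities "${user_token}" secret/data/training_dev

# Login with the created user. The token is fed on stdin rather than argv
# (argv is visible to every local user via `ps`); -no-print stops the CLI
# from echoing the token back to the terminal.
printf '%s\n' "${user_token}" | vault login -no-print -
logged_in=1

# Validation
echo 'It must FAIL: secret/data/apikey has no middle segment, so it does not match secret/data/+/apikey'
expect_fail vault kv put secret/apikey key="my_api_key"

echo 'It must SUCCEED: secret/data/training_test matches secret/data/training_*'
vault kv put secret/training_test password="p@ssw0rd"
vault kv get secret/training_test

# The gist states that a bare "training_" key is rejected because Vault ACL
# paths are matched in a radix tree (https://en.wikipedia.org/wiki/Radix_tree).
# A trailing "*" is documented as a prefix match, so confirm this edge case
# against your Vault version rather than relying on it; report, don't assert.
echo 'The gist expects this to FAIL:'
if vault kv put secret/training_ year="2018"; then
  echo 'NOTE: write to secret/training_ was ALLOWED on this Vault version'
else
  echo 'denied, as the gist expects'
fi
# clean up happens in the EXIT trap (token revocation); no temp file to remove.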