Skip to content

Instantly share code, notes, and snippets.

@awilliams
Created September 28, 2017 16:38
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save awilliams/bf3b6eaa279b1c121fc3ccf31104c8f4 to your computer and use it in GitHub Desktop.
Save awilliams/bf3b6eaa279b1c121fc3ccf31104c8f4 to your computer and use it in GitHub Desktop.
#!/usr/bin/env bash
set -eu
# Proof-of-concept script to demonstrate using an AppRole
# generated token for the kubernetes-vault controller.
# https://github.com/Boostport/kubernetes-vault
# Expects vault local development server to be running.
# Launch with:
# vault server -dev
# Use default development address
export VAULT_ADDR='http://127.0.0.1:8200'
CONTROLLER_APPROLE=controller
CONTROLLER_POLICY=controller-policy
USER_APPROLE=my-app
########################
# Ensure vault is running and setup correctly
########################
# Ensure local vault server is running
vault status > /dev/null || (echo "Vault server not running. Run locally: vault server -dev" && exit 1)
# Enable "approle" auth backend
if ! vault read /sys/auth | grep -q "approle/"; then
vault auth-enable approle > /dev/null
fi
########################
# Setup user's AppRole
########################
# Create the app AppRole that allows for
# short-lived, one-time use secret ids.
# Tokens will have a 6h refresh interval.
vault write auth/approle/role/${USER_APPROLE} \
period=6h \
secret_id_ttl=90s \
secret_id_num_uses=1 \
> /dev/null
########################
# Setup controller's policy and AppRole
########################
# Create policy for controller tokens that ONLY allows
# generating secret ids from the user's AppRole.
vault policy-write ${CONTROLLER_POLICY} - >/dev/null <<EOF
path "auth/approle/role/${USER_APPROLE}/secret-id" {
capabilities = ["update"]
}
EOF
# Create AppRole with the above admin policy. Tokens will
# need to be refreshed after 6hrs.
vault write auth/approle/role/${CONTROLLER_APPROLE} \
policies=${CONTROLLER_POLICY} \
period=6h \
> /dev/null
########################
# Generate controller's token
########################
# Fetch the role and secret id's from the new AppRole.
# Then generate a token from this AppRole, which should only be used
# by the controller for generating secret ids.
CONTROLLER_ROLE_ID=$(vault read -field=role_id auth/approle/role/${CONTROLLER_APPROLE}/role-id)
CONTROLLER_SECRET_ID=$(vault write -field=secret_id -f auth/approle/role/${CONTROLLER_APPROLE}/secret-id)
CONTROLLER_TOKEN=$(vault write -field=token auth/approle/login role_id=${CONTROLLER_ROLE_ID} secret_id=${CONTROLLER_SECRET_ID})
echo "Controller token: ${CONTROLLER_TOKEN}"
########################
# Show controller's token can fetch secret_id for $USER_APPROLE
########################
# Fetch secret ID for user's AppRole using the controller's token.
# This would be the job of the vault controller.
echo "'${USER_APPROLE}' AppRole secret_id:"
VAULT_TOKEN=${CONTROLLER_TOKEN} vault write -format=json -f auth/approle/role/${USER_APPROLE}/secret-id
########################
# Show how controller's token can be renewed
########################
# Print token information
echo "Token lookup:"
vault token-lookup -format=json ${CONTROLLER_TOKEN}
echo "Token renew:"
vault token-renew -format=json ${CONTROLLER_TOKEN}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment