Created
January 16, 2018 16:40
-
-
Save brockoffdev/a627041b6f8488f218eda02bbb091dc9 to your computer and use it in GitHub Desktop.
Maintaining Versioned Keys in Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Create a temporary orphaned Vault Token with | |
| # permissions to make changes to the /versions mountpoint VTK=$(vault token-create ... ) | |
| # Get a list of the levels of the /versions mount | |
| # and previous end date for tokens | |
| MOUNTS=$(vault list /versions | sed 1,2d) | |
| OLDER_THAN=$(date --date="6 days ago" +"%Y%m%d%H%M%S") | |
| for mount in $MOUNTS; do | |
| # Get a list of our "apps" | |
| # in this case it would be "single/" and "multi/" | |
| APP=$(vault list /versions/$mount | sed 1,2d) | |
| for app in $APPS; do | |
| # Get a list of all of our "versions" | |
| VERSIONS=$(vault list /versions/$mount$app | sed 1,2d | grep [0-9]) | |
| for version in $VERSIONS; do | |
| # Based on $OLDER_THAN set above, this essentially | |
| # is checking if the secret should be deleted. | |
| # Here we are saying if the secret is older than | |
| # a week ago, and if so it should be wiped out. | |
| let STATE=$version-$OLDER_THAN | |
| if [ $STATE -le 1000000 ]; then | |
| vault delete /versions/$mount$namespace$app$version | |
| fi | |
| done | |
| done | |
| done | |
| # Revoke your created vault temporary token | |
| vault token-revoke $VTK |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment