Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Bash shell script to check seal status for local vault server and attempt to unseal using keys secured in vault secret store. Supports HA Vault clusters with TLS with unseal keys stored as secrets in vault (see code). Relies on registered service vault.service.consul, in place DNS configuration, and a single unsealed vault instance in your clust…
#!/bin/bash
export vault=/usr/local/bin/vault
export VAULT_TOKEN=$(cat /root/.vault-token)
vault_cacert='-ca-cert=/path/to/your/ca.pem'
local_vault="-address=https://$(hostname -f):8200"
unsealed_vault="-address=https://$(getent hosts $(dig +short vault.service.consul | tail -n 1) | awk '{ print $2 }'):8200"
leader_vault="-address=https://$($vault status $vault_cacert $unsealed_vault 2> /dev/null | grep Leader | awk '{ print $2 }' | sed 's/^http\(\|s\):\/\///g'):8200"
vault_read="$vault read $vault_cacert $leader_vault"
vault_unseal="$vault unseal $vault_cacert $local_vault"
vault_status="$vault status $vault_cacert $local_vault"
function check_unsealed(){
$vault_status &> /dev/null
if [[ ! $? == "0" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Local Vault instance was unsuccessfully unsealed (the instance is still sealed)."
exit 1
fi
}
function get_keys(){
vault_key_1=$($vault_read -field=value secret/vault/keys/1 2> /dev/null)
vault_key_2=$($vault_read -field=value secret/vault/keys/2 2> /dev/null)
vault_key_3=$($vault_read -field=value secret/vault/keys/3 2> /dev/null)
vault_key_4=$($vault_read -field=value secret/vault/keys/4 2> /dev/null)
vault_key_5=$($vault_read -field=value secret/vault/keys/5 2> /dev/null)
if [[ -z "$vault_key_1" ]] || [[ -z "$vault_key_2" ]] || [[ -z "$vault_key_3" ]] || [[ -z "$vault_key_4" ]] || [[ -z "$vault_key_5" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error retrieving unseal keys from Vault secret store!"
exit 1
fi
}
function unseal_vault(){
$vault_unseal $vault_key_1 &> /dev/null;
status_1=$?
$vault_unseal $vault_key_2 &> /dev/null;
status_2=$?
$vault_unseal $vault_key_3 &> /dev/null;
status_3=$?
# Only need three to unseal
#$vault_unseal $vault_key_4 &> /dev/null;
#status_4=$?
#$vault_unseal $vault_key_5 &> /dev/null;
#status_5=$?
if [[ ! $status_1 == "0" ]] || [[ ! $status_2 == "0" ]] || [[ ! $status_3 == "0" ]] # || [[ ! "status_4" == "0" ]] || [[ ! "status_5" == "0" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error unsealing local Vault instance!"
exit 1
fi
}
function main(){
$vault_status &> /dev/null
if [[ $? == "0" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[IFNO]: Local Vault instance is already unsealed!"
exit 0
fi
if [[ -z "$unsealed_vault" ]]
then
echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Consul service returned no unsealed Vault instances!"
exit 1
else
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Consul service returned unsealed Vault instance..."
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to get secured keys from Vault secret store..."
get_keys
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Got unseal keys successfull..."
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys..."
unseal_vault
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Checking local seal status..."
check_unsealed
echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is now unsealed!"
fi
}
main
exit 0
@divvy19

This comment has been minimized.

Copy link

@divvy19 divvy19 commented Jan 2, 2018

It would be great if you write some comments on how this code is actually working .
I was thinking of adding one more parameter to this , i.e Sending alert mail whenever the vault gets sealed .
Can that be done here ? If yes kindly help me with that .

@grocid

This comment has been minimized.

Copy link

@grocid grocid commented Jan 5, 2018

@divvy19 I would advise against storing the root token on disk, which is done here. See

export VAULT_TOKEN=$(cat /root/.vault-token)

But, if this is not an issue... To summarize: It reads from secret storage (from other Vault instances in the cluster) using root token, to obtain the unseal keys, which are used to unseal the local Vault.

Then, again, you could store the unseal keys on disk, which basically yields the same security in the attack model.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.