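#!/usr/bin/env bash
#
# Demo: create a Vault namespace, enable AppRole inside it, create an
# ns-admin policy + role, log in with the role's credentials and then
# exercise a KV secret in that namespace.
#
# Required env: VAULT_ADDR, and VAULT_TOKEN holding a token that is allowed
# to create namespaces (e.g. root) for the setup steps.
# Required tools: vault, jq.
set -euo pipefail

# Print a diagnostic to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

for tool in vault jq; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Fail before creating anything rather than half-way through the setup.
# (Set VAULT_TOKEN in the environment; never hard-code it in the script.)
: "${VAULT_TOKEN:?set VAULT_TOKEN to a token that can create namespaces}"
export NS="TEST-NAMESPACE"

echo "--- Creating namespace"
vault namespace create "$NS"
echo "--- Enable approle auth within namespace"
vault auth enable -namespace="$NS" approle

# The policy is written from a quoted here-doc, so it is passed literally.
# NOTE: it is written with -namespace, so it is scoped to that namespace and
# "*" covers paths under the namespace only.
echo "--- Writing ns-admin policy"
vault policy write -namespace="$NS" ns-admin-policy - <<'EOF'
# Read TEST-NAMESPACE Namespace
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# AppRole policy
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/capabilities-self"
{
capabilities = ["update"]
}
EOF

echo "--- Writing ns-admin role"
vault write -namespace="$NS" auth/approle/role/ns-admin policies=ns-admin-policy

echo "--- Reading ROLE_ID"
# jq -e turns a missing/null field into a non-zero status, which pipefail
# surfaces, so a failed read cannot silently produce the string "null".
ROLE_ID=$(vault read -format=json -namespace="$NS" auth/approle/role/ns-admin/role-id \
  | jq -er '.data.role_id')

echo "--- Getting SECRET_ID"
SECRET_ID=$(vault write -f -format=json -namespace="$NS" auth/approle/role/ns-admin/secret-id \
  | jq -er '.data.secret_id')

echo "--- Getting ROLE_TOKEN"
# The secret-id is supplied on stdin ('secret_id=-') instead of as a command
# line argument, so it does not appear in `ps` output or shell history.
ROLE_TOKEN=$(printf '%s' "$SECRET_ID" \
  | vault write -format=json -namespace="$NS" auth/approle/login role_id="$ROLE_ID" secret_id=- \
  | jq -er '.auth.client_token')

echo "--- Unsetting VAULT_TOKEN"
# From here on the CLI uses the token stored by `vault login` below.
unset VAULT_TOKEN

echo "--- Logging in with ROLE_TOKEN"
# Token via stdin ('vault login -') for the same reason as above; -no-print
# keeps it out of the terminal/log while it is still saved to the token helper.
printf '%s' "$ROLE_TOKEN" | vault login -no-print -
unset SECRET_ID ROLE_TOKEN

echo "--- Enable secrets engine in $NS"
vault secrets enable -namespace="$NS" -path=secrets kv
echo "--- Creating secret"
vault kv put -namespace="$NS" secrets/test color=blue number=eleventeen
echo "--- Retrieving secret"
vault kv get -namespace="$NS" secrets/test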
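#!/usr/bin/env bash
#
# Demo (root-namespace variant): create a Vault namespace, enable AppRole in
# the root namespace, create an ns-admin policy that is confined to the
# namespace's paths, log in with the role's credentials and exercise a KV
# secret inside the namespace.
#
# Required env: VAULT_ADDR, and VAULT_TOKEN holding a token that is allowed
# to create namespaces (e.g. root) for the setup steps.
# Required tools: vault, jq.
set -euo pipefail

# Print a diagnostic to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

for tool in vault jq; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# The token comes from the environment; a hard-coded placeholder here would
# both break the script and invite a real token being committed.
: "${VAULT_TOKEN:?set VAULT_TOKEN to a token that can create namespaces}"
export NS="TEST-NAMESPACE"

echo "--- Creating namespace"
vault namespace create "$NS"
echo "--- Enable approle auth"
vault auth enable approle

# The policy lives in the root namespace, so every path is prefixed with the
# namespace. The here-doc is unquoted on purpose: ${NS} is expanded so the
# policy stays in step with the namespace actually created above.
echo "--- Writing ns-admin policy"
vault policy write ns-admin-policy - <<EOF
# Read ${NS} Namespace
path "${NS}/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# AppRole policy
path "${NS}/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "${NS}/sys/capabilities-self"
{
capabilities = ["update"]
}
EOF

echo "--- Writing ns-admin role"
vault write auth/approle/role/ns-admin policies=ns-admin-policy

echo "--- ROLE_ID"
# jq -e turns a missing/null field into a non-zero status, which pipefail
# surfaces, so a failed read cannot silently produce the string "null".
ROLE_ID=$(vault read -format=json auth/approle/role/ns-admin/role-id \
  | jq -er '.data.role_id')

echo "--- Getting SECRET_ID"
SECRET_ID=$(vault write -f -format=json auth/approle/role/ns-admin/secret-id \
  | jq -er '.data.secret_id')

echo "--- Getting ROLE_TOKEN"
# The secret-id is supplied on stdin ('secret_id=-') instead of as a command
# line argument, so it does not appear in `ps` output or shell history.
ROLE_TOKEN=$(printf '%s' "$SECRET_ID" \
  | vault write -format=json auth/approle/login role_id="$ROLE_ID" secret_id=- \
  | jq -er '.auth.client_token')

echo "--- Unsetting VAULT_TOKEN"
# From here on the CLI uses the token stored by `vault login` below.
unset VAULT_TOKEN

echo "--- Logging in with ROLE_TOKEN"
# Token via stdin ('vault login -') for the same reason as above; -no-print
# keeps it out of the terminal/log while it is still saved to the token helper.
printf '%s' "$ROLE_TOKEN" | vault login -no-print -
unset SECRET_ID ROLE_TOKEN

echo "--- Enable secrets engine in $NS"
vault secrets enable -namespace="$NS" -path=secrets kv
echo "--- Creating secret"
vault kv put -namespace="$NS" secrets/test color=blue number=eleventeen
echo "--- Retrieving secret"
vault kv get -namespace="$NS" secrets/test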