This gist reproduces hashicorp/vault#3368
#!/usr/bin/env bash | |
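# Print a message in bold on stdout.
# Arguments: $1 - message text, printed verbatim (backslashes are NOT
#                 interpreted, unlike the previous echo -e form)
echob() {
  printf '\033[1m%s\033[0m\n' "$1"
}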
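# Delete the IAM access key and then the IAM user created by the setup script.
# Arguments: $1 - IAM user name; reads ${username}-credentials.json from cwd
# Outputs:   progress line on stdout, diagnostics on stderr
# Returns:   1 if the credentials file is unreadable or yields no key id,
#            otherwise the exit status of the final aws call
delete_user() {
  local username="$1"
  local creds_file="${username}-credentials.json"
  local key_id

  printf 'deleting %s\n' "${username}"

  if [[ ! -r "${creds_file}" ]]; then
    printf 'cannot read %s, not deleting %s\n' "${creds_file}" "${username}" >&2
    return 1
  fi
  key_id=$(jq -r .AccessKey.AccessKeyId "${creds_file}") || return
  # jq prints the literal string "null" when the field is absent
  if [[ -z "${key_id}" || "${key_id}" == null ]]; then
    printf 'no AccessKeyId found in %s\n' "${creds_file}" >&2
    return 1
  fi

  # an IAM user cannot be deleted while it still owns an access key
  aws iam delete-access-key --user-name "${username}" --access-key-id "${key_id}"
  aws iam delete-user --user-name "${username}"
}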
echob "WARNING: THIS CODE IS POSSIBLY INSECURE AND WILL MODIFY YOUR AWS ACCOUNT!" | |
echob " DO NOT USE YOUR PRODUCTION AWS ACCOUNT TO RUN THIS!" | |
echob " DO NOT HIT ENTER UNLESS YOU KNOW WHAT YOU ARE DOING!" | |
read | |
docker stop vault | |
docker rm vault | |
delete_user some-user-without-path | |
delete_user some-user-with-path | |
#!/usr/bin/env bash | |
VAULT_VERSION="0.7.3" | |
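# Print an error message to stderr and abort the script.
# Arguments: $@ - message words, joined by single spaces
# Returns:   never; exits with status 1
die() {
  printf '%s\n' "$*" >&2
  exit 1
}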
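# Print a message in bold on stdout.
# Arguments: $1 - message text, printed verbatim (backslashes are NOT
#                 interpreted, unlike the previous echo -e form)
echob() {
  printf '\033[1m%s\033[0m\n' "$1"
}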
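# Create an IAM user with an access key and register it as a Vault AWS-auth
# role bound to the user's ARN.
# Arguments: $1 - IAM user name
#            $2 - optional IAM path (e.g. "/somepath/"); empty means no --path
# Outputs:   writes ${username}.json and ${username}-credentials.json to cwd
# Returns:   non-zero if the user, key or ARN lookup fails, otherwise the
#            exit status of the vault write
create_user() {
  local username="$1"
  local path="$2"
  # argument list kept as an array so the path survives as a single word
  local -a create_args=(iam create-user --user-name "${username}")

  if [[ -z "${path}" ]]; then
    echob "creating ${username}"
  else
    echob "creating ${username} with path ${path}"
    create_args+=(--path "${path}")
  fi

  aws "${create_args[@]}" --output json > "${username}.json" || return
  # the secret access key is stored in this file in plain text; the cleanup
  # script reads the key id back from it to delete the key
  aws iam create-access-key --user-name "${username}" --output json > "${username}-credentials.json" || return

  local user_arn
  user_arn=$(jq -r .User.Arn "${username}.json") || return
  VAULT_TOKEN=myroot vault_exec write "auth/aws/role/${username}" auth_type=iam "bound_iam_principal_arn=${user_arn}"
}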
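# Log into Vault through the AWS auth method using the access key that
# create_user stored for the given user.
# Arguments: $1 - IAM user name; reads ${username}-credentials.json from cwd
# Returns:   non-zero if a credential cannot be read, otherwise the exit
#            status of the vault auth call
vault_login() {
  local username="$1"
  local creds_file="${username}-credentials.json"
  local key_id secret_key

  echob "Logging into vault as ${username}"
  key_id=$(jq -r .AccessKey.AccessKeyId "${creds_file}") || return
  secret_key=$(jq -r .AccessKey.SecretAccessKey "${creds_file}") || return
  # NOTE: the secret key travels on the CLI argv here, so it is visible in the
  # container's process list for the duration of the login.
  vault_exec auth -method=aws "role=${username}" \
    "aws_access_key_id=${key_id}" \
    "aws_secret_access_key=${secret_key}"
}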
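# Run a vault CLI command inside the running "vault" container.
# Globals:   VAULT_TOKEN (read; forwarded into the container, empty if unset)
# Arguments: $@ - vault subcommand and arguments, passed through unchanged
# Returns:   the exit status of docker exec
vault_exec() {
  # -it allocates a TTY; docker exec refuses that when the script itself has
  # no terminal (e.g. piped or under CI) — drop -t for non-interactive runs.
  docker exec -it \
    -e "VAULT_TOKEN=${VAULT_TOKEN}" \
    -e "VAULT_ADDR=http://localhost:8200" \
    vault \
    vault "$@"
}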
test -z "${AWS_ACCESS_KEY_ID}" && die "Expected AWS_ACCESS_KEY_ID to be set" | |
test -z "${AWS_SECRET_ACCESS_KEY}" && die "Expected AWS_SECRET_ACCESS_KEY to be set" | |
test -z "${VAULT_TOKEN}" || die "Expected VAULT_TOKEN not to be set" | |
echob "WARNING: THIS CODE IS POSSIBLY INSECURE AND WILL MODIFY YOUR AWS ACCOUNT!" | |
echob " DO NOT USE YOUR PRODUCTION AWS ACCOUNT TO RUN THIS!" | |
echob " DO NOT HIT ENTER UNLESS YOU KNOW WHAT YOU ARE DOING!" | |
read | |
echob "Starting vault container..." | |
docker run \ | |
--name vault \ | |
--detach \ | |
--cap-add IPC_LOCK \ | |
-e "VAULT_DEV_ROOT_TOKEN_ID=myroot" \ | |
-e "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" \ | |
-e "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" \ | |
-e "AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}" \ | |
vault:${VAULT_VERSION} | |
sleep 5 # Wait for vault to come up | |
VAULT_TOKEN=myroot vault_exec auth-enable aws | |
create_user "some-user-without-path" | |
create_user "some-user-with-path" "/somepath/" | |
sleep 10 # Apparently it takes a while settings to propagate... | |
vault_login "some-user-without-path" | |
echo | |
echob "Trying to renew-token as some-user-without-path, expecting this to succeed" | |
vault_exec token-renew | |
echo | |
echo | |
vault_login "some-user-with-path" | |
echo | |
echob "Trying to renew-token as some-user-with-path, this probably fails" | |
vault_exec token-renew |