This gist reproduces hashicorp/vault#3368
#!/usr/bin/env bash
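# Print the given message in bold (ANSI SGR 1 ... SGR 0) followed by a newline.
# Arguments: $1 - message text; passed through printf's %s so backslash
#            sequences inside the message are printed literally (echo -e
#            would have interpreted them, and its -e flag is not portable).
# Outputs:   the decorated message on stdout
echob() {
  printf '\033[1m%s\033[0m\n' "$1"
}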
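# Best-effort teardown of one IAM user created by the reproduction script:
# delete its access key (looked up in <username>-credentials.json in the
# current directory) and then the user itself.
# Arguments: $1 - IAM user name
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   the exit status of `aws iam delete-user`; a missing or unreadable
#            credentials file is reported but does not stop the user deletion
delete_user() {
  local username="$1"
  local cred_file="${username}-credentials.json"
  local key_id=""
  echo "deleting ${username}"
  # Resolve the key id up front so a missing/garbled file does not turn into
  # an `aws` call with an empty --access-key-id argument.
  if key_id=$(jq -r '.AccessKey.AccessKeyId' "${cred_file}") \
      && [[ -n "${key_id}" && "${key_id}" != "null" ]]; then
    aws iam delete-access-key --user-name "${username}" --access-key-id "${key_id}"
  else
    printf 'warning: no AccessKeyId found in %s, skipping key deletion\n' "${cred_file}" >&2
  fi
  # Still attempt the user deletion (AWS will refuse while keys remain, which
  # is the visible signal that manual cleanup is needed).
  aws iam delete-user --user-name "${username}"
}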
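echob "WARNING: THIS CODE IS POSSIBLY INSECURE AND WILL MODIFY YOUR AWS ACCOUNT!"
echob " DO NOT USE YOUR PRODUCTION AWS ACCOUNT TO RUN THIS!"
echob " DO NOT HIT ENTER UNLESS YOU KNOW WHAT YOU ARE DOING!"
# Require an explicit keypress. A closed stdin (EOF) makes `read` fail, and in
# that case the teardown must not proceed unattended.
read -r _ || exit 1
# Each step is independent on purpose: an already-stopped container or an
# already-deleted user should not prevent the remaining cleanup.
docker stop vault
docker rm vault
delete_user some-user-without-path
delete_user some-user-with-path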
#!/usr/bin/env bash
# Tag of the vault Docker image started by `docker run` further down.
VAULT_VERSION='0.7.3'
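# Print an error message and terminate the script with status 1.
# Arguments: $@ - message words, joined by single spaces (printed verbatim
#            through %s, so a leading "-" or backslashes are not interpreted)
# Outputs:   the message on stderr, so it is not mixed into captured stdout
die() {
  printf '%s\n' "$*" >&2
  exit 1
}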
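# Print the given message in bold (ANSI SGR 1 ... SGR 0) followed by a newline.
# Arguments: $1 - message text; passed through printf's %s so backslash
#            sequences inside the message are printed literally (echo -e
#            would have interpreted them, and its -e flag is not portable).
# Outputs:   the decorated message on stdout
echob() {
  printf '\033[1m%s\033[0m\n' "$1"
}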
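# Create an IAM user (optionally under an IAM path), issue it an access key,
# and register the user's ARN as a Vault AWS-auth role of the same name.
# Arguments: $1 - IAM user name (also used as the Vault role name)
#            $2 - optional IAM path such as "/somepath/"; no --path when empty
# Outputs:   writes <username>.json (create-user response) and
#            <username>-credentials.json (create-access-key response, which
#            contains the live SecretAccessKey in plaintext) to the current
#            directory; the teardown script deletes the key but not the file
# Returns:   non-zero as soon as any aws / jq / vault step fails
create_user() {
  local username="$1"
  local path="${2:-}"
  local -a path_args=()
  if [[ -z "${path}" ]]; then
    echob "creating ${username}"
  else
    echob "creating ${username} with path ${path}"
    # An array keeps "--path" and its value as two separate words without
    # depending on unquoted word splitting of a string.
    path_args=(--path "${path}")
  fi
  local user_file="${username}.json"
  local cred_file="${username}-credentials.json"
  aws iam create-user --user-name "${username}" "${path_args[@]}" --output json > "${user_file}" || return 1
  aws iam create-access-key --user-name "${username}" --output json > "${cred_file}" || return 1
  # Look the ARN up separately so a failed/empty jq result is caught instead
  # of registering a role bound to an empty principal.
  local user_arn
  user_arn=$(jq -r '.User.Arn' "${user_file}") || return 1
  if [[ -z "${user_arn}" || "${user_arn}" == "null" ]]; then
    printf 'no User.Arn found in %s\n' "${user_file}" >&2
    return 1
  fi
  VAULT_TOKEN=myroot vault_exec write "auth/aws/role/${username}" auth_type=iam "bound_iam_principal_arn=${user_arn}"
}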
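# Authenticate to Vault through the AWS auth method as the given IAM user,
# using the key pair stored in <username>-credentials.json.
# Arguments: $1 - IAM user name / Vault role name
# Outputs:   whatever `vault auth` prints (via vault_exec)
# Returns:   non-zero if the credentials file cannot be read or the auth fails
# NOTE: the access key id and secret are passed as command-line arguments to
#       vault_exec and thus to `docker exec`, so they are visible in the
#       process list of this host while the command runs.
vault_login() {
  local username="$1"
  local cred_file="${username}-credentials.json"
  local key_id secret
  echob "Logging into vault as ${username}"
  # Assign separately from `local` so a jq failure is not masked.
  key_id=$(jq -r '.AccessKey.AccessKeyId' "${cred_file}") || return 1
  secret=$(jq -r '.AccessKey.SecretAccessKey' "${cred_file}") || return 1
  vault_exec auth -method=aws "role=${username}" \
    "aws_access_key_id=${key_id}" \
    "aws_secret_access_key=${secret}"
}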
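# Run a vault CLI command inside the running "vault" container against the
# dev server on localhost:8200, forwarding the caller's VAULT_TOKEN (empty
# when unset).
# Globals:   VAULT_TOKEN (read)
# Arguments: $@ - vault subcommand and its arguments, passed through unchanged
# Outputs:   whatever the vault command prints
# Returns:   the exit status of `docker exec`, i.e. of the vault command
vault_exec() {
  # "$@" keeps every argument as one word, so key=value pairs or names with
  # spaces/glob characters are not re-split by the shell.
  # -it is kept from the original: it requires an attached terminal.
  docker exec -it \
    -e "VAULT_TOKEN=${VAULT_TOKEN:-}" \
    -e "VAULT_ADDR=http://localhost:8200" \
    vault \
    vault "$@"
}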
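[[ -n "${AWS_ACCESS_KEY_ID:-}" ]] || die "Expected AWS_ACCESS_KEY_ID to be set"
[[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]] || die "Expected AWS_SECRET_ACCESS_KEY to be set"
# A pre-set VAULT_TOKEN would be forwarded into every vault_exec call; the
# script sets VAULT_TOKEN=myroot explicitly only for the setup calls.
[[ -z "${VAULT_TOKEN:-}" ]] || die "Expected VAULT_TOKEN not to be set"
echob "WARNING: THIS CODE IS POSSIBLY INSECURE AND WILL MODIFY YOUR AWS ACCOUNT!"
echob " DO NOT USE YOUR PRODUCTION AWS ACCOUNT TO RUN THIS!"
echob " DO NOT HIT ENTER UNLESS YOU KNOW WHAT YOU ARE DOING!"
# Require an explicit keypress; a closed stdin (EOF) must not count as consent.
read -r _ || die "aborted: no confirmation read from stdin"
echob "Starting vault container..."
# The AWS credentials are handed to the container through its environment;
# AWS_SESSION_TOKEN is optional and forwarded empty when not set.
docker run \
  --name vault \
  --detach \
  --cap-add IPC_LOCK \
  -e "VAULT_DEV_ROOT_TOKEN_ID=myroot" \
  -e "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" \
  -e "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" \
  -e "AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-}" \
  "vault:${VAULT_VERSION}" || die "failed to start the vault container"
sleep 5 # Wait for vault to come up
# Setup steps are fatal on failure: the later login/renew comparison is
# meaningless without the auth method and both roles in place.
VAULT_TOKEN=myroot vault_exec auth-enable aws || die "failed to enable the aws auth method"
create_user "some-user-without-path" || die "failed to set up some-user-without-path"
create_user "some-user-with-path" "/somepath/" || die "failed to set up some-user-with-path"
sleep 10 # Apparently it takes a while settings to propagate...
# From here on VAULT_TOKEN is empty; the token-renew calls presumably use the
# token left behind by `vault auth` inside the container (not verified here).
vault_login "some-user-without-path"
echo
echob "Trying to renew-token as some-user-without-path, expecting this to succeed"
vault_exec token-renew
echo
echo
vault_login "some-user-with-path"
echo
echob "Trying to renew-token as some-user-with-path, this probably fails"
vault_exec token-renew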