@grahamc
Created March 23, 2021 21:50
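#!/bin/sh
# Fetch over HTTPS using a short-lived GitHub token issued by Vault.
#
# input: vault://path:rolename:251358111@github.com/Org/Repo.git
#                ^    ^        ^ request token for this repo ID
#                |    \- token login to this role
#                \- vaultpath
# convert it in to:
# https://x-access-token:$(vault write -field token /github/token repository_ids=251358111 permissions=contents=read)@github.com/Org/Repo.git

# $1 is passed through to git remote-https unchanged; $2 is the vault:// URL.
target=$2

set -eu

# Split the URL into its fields.
stripped=$(echo "$target" | sed -e 's#^vault://##')
httpuser=x-access-token
vaultpath=$(echo "$stripped" | cut -d: -f1)
role=$(echo "$stripped" | cut -d: -f2)
repoid=$(echo "$stripped" | cut -d: -f3 | cut -d@ -f1)
repo=$(echo "$stripped" | cut -d@ -f2-)

echo "---> Provisioning ephemeral token for $repo" >&2

# Create a child Vault token bound to the requested role.
vault_creds=$(vault token create \
    -display-name=buildkite \
    -format=json \
    -role "$role")

# A pipe is used instead of a here-string (<<<), which /bin/sh does not support.
VAULT_TOKEN=$(printf '%s' "$vault_creds" | jq -r .auth.client_token)
export VAULT_TOKEN

# Revoke the child Vault token on every exit path.
finish() {
    echo "--> Revoking my token..." >&2
    vault token revoke -self >&2
}
trap finish EXIT

# Request a GitHub token limited to this repository ID with read-only contents.
token=$(vault write -field token "/$vaultpath/token" "repository_ids=$repoid" permissions=contents=read)

# From here on, keep git's exit code instead of aborting on error.
set +e
# Note: the token is part of this command line, so it may be visible in the
# local process listing while git remote-https is running.
git remote-https "$1" "https://$httpuser:$token@$repo"
exitcode=$?

echo " ... expiring token" >&2
exit $exitcode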
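
The script splits its input with `cut` and sends whatever it finds to Vault, so a strict parse of the `vault://` form before any Vault call is a useful hardening step. The following is an added example, not part of the original gist; the function name `parse_vault_url`, the allowed character sets and the role name `buildkite` in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the gist. Field character sets are assumptions.
# Form: vault://<vaultpath>:<role>:<repoid>@<host>/<org>/<repo>.git

# parse_vault_url URL
# Prints "vaultpath role repoid repo" and returns 0, or returns 1 if malformed.
parse_vault_url() {
    pv_url=$1
    case $pv_url in
        vault://*@*) pv_rest=${pv_url#vault://} ;;
        *) return 1 ;;
    esac
    pv_spec=${pv_rest%%@*}   # path:role:id, everything before the first '@'
    pv_repo=${pv_rest#*@}    # everything after the first '@'

    # Exactly three colon-separated fields.
    case $pv_spec in
        *:*:*:*) return 1 ;;
        *:*:*) ;;
        *) return 1 ;;
    esac
    pv_path=${pv_spec%%:*}
    pv_tail=${pv_spec#*:}
    pv_role=${pv_tail%%:*}
    pv_id=${pv_tail#*:}

    # Vault mount path: letters, digits, '_', '-', '/'.
    case $pv_path in ''|*[!A-Za-z0-9_/-]*) return 1 ;; esac
    # Role name: letters, digits, '_', '.', '-'.
    case $pv_role in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    # Repository ID: digits only, so an empty or non-numeric ID never reaches Vault.
    case $pv_id in ''|*[!0-9]*) return 1 ;; esac
    # Repo: host/org/repo with no '@', ':', whitespace or leading '-' or '/',
    # any of which would change how the final https:// URL is parsed.
    case $pv_repo in
        ''|-*|/*|*[!A-Za-z0-9._/-]*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac

    printf '%s %s %s %s\n' "$pv_path" "$pv_role" "$pv_id" "$pv_repo"
}

# Constructed sample input (the role name "buildkite" is made up for the demo).
parse_vault_url 'vault://github:buildkite:251358111@github.com/Org/Repo.git'
```

In the helper, the four printed fields would replace the `cut` pipelines, and a non-zero return would stop the script before `vault token create` runs.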