@greenbrian
Last active January 23, 2024 15:10
HashiCorp Vault Token Role overview
# start vault in dev mode
VAULT_UI=true vault server -dev -dev-root-token-id="password"
# write some secrets for our example usage
curl --request POST \
--silent \
--header "X-Vault-Token: password" \
--header "Content-Type: application/json" \
--data '{ "options": { "cas": 0 }, "data": { "username": "administrator", "password": "hunter2" } }' \
http://127.0.0.1:8200/v1/secret/data/dev | jq '.'
{
"request_id": "91db245a-88ca-d48c-5dae-25bca34f5b69",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"created_time": "2018-05-05T18:19:20.613156769Z",
"deletion_time": "",
"destroyed": false,
"version": 1
},
"wrap_info": null,
"warnings": null,
"auth": null
}
# create a policy named 'dev' allowing applications to read our secrets
echo '{
"policy": "path \"secret/data/dev\" { capabilities = [\"read\", \"list\"] }"
}' > dev-payload.json
curl --request PUT \
--header "X-Vault-Token: password" \
--data @dev-payload.json \
http://127.0.0.1:8200/v1/sys/policy/dev
# Next, a token role is needed so that an orchestrator (such as a CI/CD tool)
# can generate tokens for our applications. First, create a policy named
# 'orchestrator' that allows the orchestrator to create tokens via that role.
# (The two HCL path stanzas are joined with \n: a raw newline inside a JSON
# string is invalid JSON and Vault rejects the payload.)
echo '{
"policy": "path \"auth/token/create/orchestrator\" { capabilities = [\"sudo\", \"create\", \"update\"] }\npath \"auth/token/roles/orchestrator\" { capabilities = [\"read\"] }"
}' > orchestrator-payload.json
curl --request PUT \
--header "X-Vault-Token: password" \
--data @orchestrator-payload.json \
http://127.0.0.1:8200/v1/sys/policy/orchestrator
# create the orchestrator token role that is only allowed to create tokens with 'dev' policy
curl --request POST \
--silent \
--header "X-Vault-Token: password" \
--header "Content-Type: application/json" \
--data '{"allowed_policies":"dev","period":"36h"}' \
http://127.0.0.1:8200/v1/auth/token/roles/orchestrator
# create a token to be used by the orchestrator
curl --request POST \
--silent \
--header "X-Vault-Token: password" \
--header "Content-Type: application/json" \
--data '{"policies":["orchestrator"], "period":"72h"}' \
http://127.0.0.1:8200/v1/auth/token/create | jq '.auth.client_token'
"e7806d92-edda-b394-de06-3aee064183af"
# orchestrator creates a wrapped one time use token for use by the application
curl --request POST \
--silent \
--header "X-Vault-Token: e7806d92-edda-b394-de06-3aee064183af" \
--header "X-Vault-Wrap-TTL:5m" \
--header "Content-Type: application/json" \
--data '{"policies":["dev"],"period":"72h"}' \
http://127.0.0.1:8200/v1/auth/token/create/orchestrator | jq '.wrap_info.token'
"ead63668-79a9-869f-44e3-87ac347465a0"
# unwrap the resulting application client token
curl --request POST \
--silent \
--header "X-Vault-Token: ead63668-79a9-869f-44e3-87ac347465a0" \
--header "Content-Type: application/json" \
http://127.0.0.1:8200/v1/sys/wrapping/unwrap | jq '.auth.client_token'
"1bc3b249-de0d-b009-2a54-7558169eb340"
# the application can use the unwrapped token to read secrets
curl --request GET \
--silent \
--header "X-Vault-Token: 1bc3b249-de0d-b009-2a54-7558169eb340" \
--header "Content-Type: application/json" \
http://127.0.0.1:8200/v1/secret/data/dev | jq '.data.data'
{
"password": "hunter2",
"username": "administrator"
}
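The same orchestrator-to-application hand-off as the curl session above, written as a small Python client. This is an added example, not code from the gist: it calls the three endpoints the curl commands use (auth/token/create/<role> with X-Vault-Wrap-TTL, sys/wrapping/unwrap, secret/data/<path>) over urllib, and the transport is injectable so the flow can be exercised offline. FakeVault is a constructed stand-in, not Vault; it models only what the demo needs (single-use wrapping tokens, the role's allowed_policies check, a policy check on the secret path), and the token values and the "orch-token" name are made up.

```python
"""Added example (not from the gist): orchestrator -> application token hand-off.

VaultClient talks to a real Vault at `addr` unless a `send` callable is injected;
FakeVault is a constructed in-memory stand-in so the flow runs offline.
"""
import json
import urllib.error
import urllib.request
import uuid


class VaultClient:
    def __init__(self, addr="http://127.0.0.1:8200", send=None):
        self.addr = addr.rstrip("/")
        self.send = send or self._http_send

    def _http_send(self, method, path, token, body=None, extra_headers=None):
        headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
        headers.update(extra_headers or {})
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.addr + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def create_wrapped_token(self, orchestrator_token, role, policies, wrap_ttl="5m"):
        # Orchestrator side: because the response is wrapped, the orchestrator only
        # ever sees the single-use wrapping token, never the application's token.
        resp = self.send("POST", f"/v1/auth/token/create/{role}", orchestrator_token,
                         {"policies": policies}, {"X-Vault-Wrap-TTL": wrap_ttl})
        return resp["wrap_info"]["token"]

    def unwrap(self, wrapping_token):
        # Application side: trade the wrapping token for the real client token.
        resp = self.send("POST", "/v1/sys/wrapping/unwrap", wrapping_token)
        return resp["auth"]["client_token"]

    def read_kv(self, client_token, path):
        resp = self.send("GET", f"/v1/secret/data/{path}", client_token)
        return resp["data"]["data"]


def _http_error(path, code, msg):
    # Mimic what urllib raises when Vault answers with an error status.
    return urllib.error.HTTPError(path, code, msg, {}, None)


class FakeVault:
    """Constructed stand-in: just enough of Vault's behaviour for the demo."""

    def __init__(self):
        self.roles = {"orchestrator": {"allowed_policies": ["dev"]}}
        self.tokens = {"orch-token": ["orchestrator"]}  # token -> policies (made up)
        self.wrapped = {}                                 # wrapping token -> client token
        self.secrets = {"dev": {"username": "administrator", "password": "hunter2"}}

    def __call__(self, method, path, token, body=None, extra_headers=None):
        if path.startswith("/v1/auth/token/create/"):
            role = path.rsplit("/", 1)[1]
            if "orchestrator" not in self.tokens.get(token, []):
                raise _http_error(path, 403, "permission denied")
            allowed = self.roles[role]["allowed_policies"]
            requested = (body or {}).get("policies", allowed)
            if not set(requested) <= set(allowed):   # role refuses policies it does not allow
                raise _http_error(path, 400, "token policies not in allowed_policies")
            client = str(uuid.uuid4())
            self.tokens[client] = list(requested)
            if "X-Vault-Wrap-TTL" not in (extra_headers or {}):
                return {"auth": {"client_token": client}}
            wrap = str(uuid.uuid4())
            self.wrapped[wrap] = client
            return {"wrap_info": {"token": wrap}}
        if path == "/v1/sys/wrapping/unwrap":
            client = self.wrapped.pop(token, None)   # pop: a wrapping token unwraps once
            if client is None:
                raise _http_error(path, 400, "wrapping token is not valid or does not exist")
            return {"auth": {"client_token": client}}
        if path.startswith("/v1/secret/data/"):
            if "dev" not in self.tokens.get(token, []):
                raise _http_error(path, 403, "permission denied")
            return {"data": {"data": self.secrets[path.rsplit("/", 1)[1]]}}
        raise _http_error(path, 404, "unsupported path")


def demo(client, orchestrator_token="orch-token"):
    """Run the hand-off; return (secret, escalation refused, replay refused)."""
    wrapping = client.create_wrapped_token(orchestrator_token, "orchestrator", ["dev"])
    app_token = client.unwrap(wrapping)
    secret = client.read_kv(app_token, "dev")
    try:                     # asking the role for a policy outside allowed_policies
        client.create_wrapped_token(orchestrator_token, "orchestrator", ["root"])
        escalation_refused = False
    except urllib.error.HTTPError:
        escalation_refused = True
    try:                     # replaying the already-consumed wrapping token
        client.unwrap(wrapping)
        replay_refused = False
    except urllib.error.HTTPError:
        replay_refused = True
    return secret, escalation_refused, replay_refused


if __name__ == "__main__":
    print(demo(VaultClient(send=FakeVault())))
```

Against a real server, drop the `send` argument and pass the orchestrator's token from the gist; the client raises `urllib.error.HTTPError` on the same two failure paths the fake models (a 400 on the second unwrap, a 400 when the role rejects the requested policy), which is the behaviour the end of the gist relies on for alerting.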
# start vault in dev mode
VAULT_UI=true vault server -dev -dev-root-token-id="password"
# auth with root password
vault login password
# create some secrets
vault kv put secret/dev username=administrator password=hunter2
Key Value
--- -----
created_time 2018-05-05T17:47:56.479637796Z
deletion_time n/a
destroyed false
version 1
# read the secrets
vault kv get secret/dev
====== Metadata ======
Key Value
--- -----
created_time 2018-05-05T17:47:56.479637796Z
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
password hunter2
username administrator
# write a dev policy
echo 'path "secret/data/dev" { capabilities = ["read", "list"]
}' | vault policy write dev -
Success! Uploaded policy: dev
# read the policy
vault policy read dev
path "secret/data/dev" { capabilities = ["read", "list"]
}
# create an orchestrator policy
echo 'path "auth/token/create/orchestrator" { capabilities = ["sudo", "create", "update"] }
path "auth/token/roles/orchestrator" { capabilities = ["read"] }' \
| vault policy write orchestrator -
# read the policy
vault policy read orchestrator
path "auth/token/create/orchestrator" { capabilities = ["sudo", "create", "list"] }
path "auth/token/roles/orchestrator" { capabilities = ["read"] }
# create the token role
vault write auth/token/roles/orchestrator allowed_policies=dev period=36h
Success! Data written to: auth/token/roles/orchestrator
# create a token to be used by the orchestrator
vault token create -policy=orchestrator -ttl=72h
Key Value
--- -----
token 1fe40007-94ab-2e21-6e53-f17db54d5787
token_accessor a55f1081-ff93-a8d9-1781-a92bd68a4b8c
token_duration 72h
token_renewable true
token_policies [default orchestrator]
# authenticate as the orchestrator
vault login 1fe40007-94ab-2e21-6e53-f17db54d5787
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token 1fe40007-94ab-2e21-6e53-f17db54d5787
token_accessor a55f1081-ff93-a8d9-1781-a92bd68a4b8c
token_duration 71h57m47s
token_renewable true
token_policies [default orchestrator]
# orchestrator creates a wrapped one time use token for use by the application
vault token create -role=orchestrator -policy=dev -ttl=72h -wrap-ttl=5m
Key Value
--- -----
wrapping_token: 8ee2fc7c-70c7-0397-ebf7-3dbc57dae817
wrapping_accessor: 15ffbe0f-7c62-c7ac-07ca-b688922eb894
wrapping_token_ttl: 5m
wrapping_token_creation_time: 2018-05-05 13:06:06.199452187 -0500 CDT
wrapping_token_creation_path: auth/token/create/orchestrator
wrapped_accessor: 7b9c6d6e-dce2-1d12-8afd-ba009fab656f
# unwrap the token
vault unwrap 8ee2fc7c-70c7-0397-ebf7-3dbc57dae817
Key Value
--- -----
token dcf7d015-818f-14f7-9253-8fddb7ac30cc
token_accessor 7b9c6d6e-dce2-1d12-8afd-ba009fab656f
token_duration 36h
token_renewable true
token_policies [default dev]
# authenticate using the authentication token
vault login dcf7d015-818f-14f7-9253-8fddb7ac30cc
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token dcf7d015-818f-14f7-9253-8fddb7ac30cc
token_accessor 7b9c6d6e-dce2-1d12-8afd-ba009fab656f
token_duration 35h57m34s
token_renewable true
token_policies [default dev]
# read our secrets
vault kv get secret/dev
====== Metadata ======
Key Value
--- -----
created_time 2018-05-05T17:47:56.479637796Z
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
password hunter2
username administrator
# try to unwrap the original wrapped token
vault unwrap 8ee2fc7c-70c7-0397-ebf7-3dbc57dae817
Error unwrapping: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/wrapping/unwrap
Code: 400. Errors:
* wrapping token is not valid or does not exist
## The failed unwrap above lands in the audit log and should trigger an alert in your
## event logging mechanism: someone tried to reuse an already-consumed wrapping token
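Detection logic for that failed unwrap, run over constructed audit log lines. This is an added example, not part of the gist. The sample entries follow the JSON shape of Vault's file audit device as I understand it (one object per line with "type", "time", "request" and, on failures, a top-level "error"; the token is stored as an HMAC in request.client_token); treat the exact field names as an assumption to confirm against your own audit log before deploying the rule. Because the wrapping token is HMAC'd consistently, a failed unwrap carrying the same HMAC as an earlier successful unwrap can be classified as a replay of a consumed token rather than a guess at an unknown one.

```python
"""Added example (not from the gist): flag failed unwraps in Vault audit log lines.

Field names assume the file audit device's JSON entries; verify against your log.
"""
import json
from collections import Counter

UNWRAP_PATH = "sys/wrapping/unwrap"

# Constructed sample lines: a successful unwrap and a secret read from one host,
# then two failed unwraps from another host, one replaying the consumed token
# (same HMAC as the success) and one presenting a token never seen before.
SAMPLE_AUDIT_LINES = [
    '{"time":"2018-05-05T18:20:01Z","type":"response","request":{"operation":"update",'
    '"path":"sys/wrapping/unwrap","remote_address":"10.0.0.5","client_token":"hmac-sha256:aaa"},'
    '"response":{"auth":{"policies":["default","dev"]}}}',
    '{"time":"2018-05-05T18:20:02Z","type":"response","request":{"operation":"read",'
    '"path":"secret/data/dev","remote_address":"10.0.0.5","client_token":"hmac-sha256:bbb"},'
    '"response":{}}',
    '{"time":"2018-05-05T18:25:40Z","type":"response","request":{"operation":"update",'
    '"path":"sys/wrapping/unwrap","remote_address":"10.0.0.99","client_token":"hmac-sha256:aaa"},'
    '"error":"wrapping token is not valid or does not exist"}',
    '{"time":"2018-05-05T18:25:41Z","type":"response","request":{"operation":"update",'
    '"path":"sys/wrapping/unwrap","remote_address":"10.0.0.99","client_token":"hmac-sha256:ccc"},'
    '"error":"wrapping token is not valid or does not exist"}',
    'not json at all',
]


def parse_audit(lines):
    """Yield parsed response entries, skipping malformed lines instead of crashing."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("type") == "response":
            yield entry


def detect_unwrap_abuse(lines, burst_threshold=2):
    """Return one alert dict per failed unwrap, classified and counted per source."""
    alerts = []
    consumed = {}          # HMAC of wrapping token -> time it was successfully unwrapped
    per_source = Counter()  # failed unwraps per remote address
    for entry in parse_audit(lines):
        req = entry.get("request", {})
        if req.get("path") != UNWRAP_PATH:
            continue
        tok = req.get("client_token")
        if not entry.get("error"):
            consumed[tok] = entry.get("time")   # remember successful unwraps
            continue
        src = req.get("remote_address")
        per_source[src] += 1
        alerts.append({
            "time": entry.get("time"),
            "source": src,
            "error": entry["error"],
            "kind": "replay_of_consumed_token" if tok in consumed else "unknown_wrapping_token",
            "first_unwrapped_at": consumed.get(tok),
            "failures_from_source": per_source[src],
            "severity": "high" if per_source[src] >= burst_threshold else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unwrap_abuse(SAMPLE_AUDIT_LINES):
        print(json.dumps(alert))
```

A replay of a consumed token is the interesting case: the legitimate application already unwrapped it, so a second attempt means the wrapping token was observed in transit or leaked from the orchestrator, and the alert carries the time of the original unwrap to scope the investigation.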