#!/bin/bash
# Exercise Vault policies and token lifetimes for fabio: write a policy and a
# secret, mint a short-lived bootstrap token, use that token to mint a
# longer-lived child token, then check which of the two can still read the
# secret once the bootstrap token's TTL has passed.
# Requires VAULT_ADDR and VAULT_TOKEN in the environment.
set -u
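#######################################
# Print a banner that separates the sections of the run.
# Arguments: banner text; all arguments are joined with single spaces
#            ("$*" rather than "$@", which must not be used inside a string)
# Outputs:   blank line, rule, "== text", "==" on stdout
#######################################
log() {
  printf '\n'
  printf '%s\n' "========================================================================="
  printf '== %s\n' "$*"
  printf '%s\n' "=="
}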
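# Both variables are needed by every vault call below.  Expand them with a
# default so that this check prints its own message instead of tripping
# `set -o nounset` with a bare "unbound variable" error when one is unset.
if [[ -z "${VAULT_TOKEN:-}" || -z "${VAULT_ADDR:-}" ]] ; then
  echo "Both VAULT_ADDR and VAULT_TOKEN must be set" >&2
  exit 1
fi

# Lifetime of the bootstrap token in seconds; the wait before the final
# checks is derived from it.  Defaults to the original 1s.
BOOTSTRAP_TTL_SECONDS=${BOOTSTRAP_TTL_SECONDS:-1}
[[ "$BOOTSTRAP_TTL_SECONDS" =~ ^[0-9]+$ ]] \
  || { echo "BOOTSTRAP_TTL_SECONDS must be a whole number of seconds" >&2; exit 1; }

# Print a message to stderr and abort the run.
die() {
  echo "$*" >&2
  exit 1
}

# Extract the value of the "token" row from `vault token-create` table output
# read on stdin.  Prints nothing when the row is missing, so callers must
# check for an empty result.
token_from_output() {
  grep 'token ' | awk '{print $2;}'
}

# Becomes non-zero when one of the expectation checks at the end fails; the
# script still runs every check so the full picture is visible.
status=0

# create/overwrite policy
log "Writing fabio policy"
vault policy-write fabio - << EOF || die "Failed to write fabio policy"
path "secret/fabio/*" {
capabilities = ["read"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/create" {
capabilities = ["update"]
}
EOF

# echo stored policy
log "Reading fabio policy"
vault policies fabio

# write a secret
log "Writing secret"
vault write secret/fabio/certs foo=bar || die "Failed to write secret"
log "Reading secret"
vault read secret/fabio/certs

# create a non-renewable short-lived bootstrap token
log "Creating bootstrap token"
BOOTSTRAP_TOKEN=$(vault token-create -policy=fabio -ttl="${BOOTSTRAP_TTL_SECONDS}s" -renewable=false | token_from_output)
# An empty token here would not be caught by the calls below: token-lookup
# without an argument and VAULT_TOKEN="" presumably fall back to the
# operator's own token, which would make the later checks meaningless.
[[ -n "$BOOTSTRAP_TOKEN" ]] || die "Failed to create bootstrap token"
log "Reading bootstrap token"
vault token-lookup "${BOOTSTRAP_TOKEN}"
log "Testing bootstrap token"
VAULT_TOKEN="${BOOTSTRAP_TOKEN}" vault read secret/fabio/certs

# create a renewable child token
# NOTE: with the default 1s TTL this must happen before the bootstrap token
# expires; raise BOOTSTRAP_TTL_SECONDS if this step fails on a slow Vault.
log "Creating fabio token"
FABIO_TOKEN=$(VAULT_TOKEN="${BOOTSTRAP_TOKEN}" vault token-create -ttl=1h -renewable=true | token_from_output)
[[ -n "$FABIO_TOKEN" ]] || die "Failed to create fabio token"
log "Reading fabio token"
vault token-lookup "${FABIO_TOKEN}"
log "Testing fabio token"
VAULT_TOKEN="${FABIO_TOKEN}" vault read secret/fabio/certs

# wait for bootstrap token to expire (one second past its TTL)
log "Waiting for bootstrap token to expire"
sleep "$((BOOTSTRAP_TTL_SECONDS + 1))"

# bootstrap should be expired
log "Testing bootstrap token (should fail)"
if VAULT_TOKEN="${BOOTSTRAP_TOKEN}" vault read secret/fabio/certs; then
  echo "FAIL: expired bootstrap token can still read the secret" >&2
  status=1
else
  echo "OK: expired bootstrap token was rejected"
fi

# fabio token should still work
log "Testing fabio token (should work)"
if VAULT_TOKEN="${FABIO_TOKEN}" vault read secret/fabio/certs; then
  echo "OK: fabio token still works"
else
  echo "FAIL: fabio token no longer works" >&2
  status=1
fi

exit "$status"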