Skip to content

Instantly share code, notes, and snippets.

@magiconair
Created July 26, 2016 20:54
Show Gist options
  • Save magiconair/d0a5f8bf8605f1c21064132edd7344e1 to your computer and use it in GitHub Desktop.
Save magiconair/d0a5f8bf8605f1c21064132edd7344e1 to your computer and use it in GitHub Desktop.
#!/bin/bash
set -o nounset
function log() {
echo
echo "========================================================================="
echo "== $@"
echo "=="
}
if [[ -z "$VAULT_TOKEN" || -z "$VAULT_ADDR" ]] ; then
echo "Both VAULT_ADDR and VAULT_TOKEN must be set"
exit 1
fi
# create/overwrite policy
log "Writing fabio policy"
cat << EOF | vault policy-write fabio -
path "secret/fabio/*" {
capabilities = ["read"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/create" {
capabilities = ["update"]
}
EOF
# echo stored policy
log "Reading fabio policy"
vault policies fabio
# write a secret
log "Writing secret"
vault write secret/fabio/certs foo=bar
log "Reading secret"
vault read secret/fabio/certs
# create a non-renewable short-lived bootstrap token
log "Creating bootstrap token"
BOOTSTRAP_TOKEN=$(vault token-create -policy=fabio -ttl=1s -renewable=false | grep 'token ' | awk '{print $2;}')
log "Reading bootstrap token"
vault token-lookup ${BOOTSTRAP_TOKEN}
log "Testing bootstrap token"
VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault read secret/fabio/certs
# create a renewable child token
log "Creating fabio token"
FABIO_TOKEN=$(VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault token-create -ttl=1h -renewable=true | grep 'token ' | awk '{print $2;}')
log "Reading fabio token"
vault token-lookup ${FABIO_TOKEN}
log "Testing fabio token"
VAULT_TOKEN=${FABIO_TOKEN} vault read secret/fabio/certs
# wait for bootstrap token to expire
log "Waiting for bootstrap token to expire"
sleep 2
# bootstrap should be expired
log "Testing bootstrap token (should fail)"
VAULT_TOKEN=${BOOTSTRAP_TOKEN} vault read secret/fabio/certs
# fabio token should still work
log "Testing fabio token (should work)"
VAULT_TOKEN=${FABIO_TOKEN} vault read secret/fabio/certs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment