A tl;dr gist that uses a Tailscale OAuth token to rotate a Tailscale auth key stored in AWS Secrets Manager, using nothing but curl, jq and the AWS CLI.
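#!/bin/bash
# Rotate a Tailscale auth key that is stored in AWS Secrets Manager.
#
# Usage:  tailscale_oauth.sh "<ARN of the Secrets Manager secret>"
#
# Required environment:
#   TS_API_CLIENT_ID      Tailscale OAuth client id
#   TS_API_CLIENT_SECRET  Tailscale OAuth client secret
#
# Assumptions:
#   - the secret holds the FULL JSON response returned when the auth key was
#     created (this script needs its "id" and "capabilities" fields), not just
#     the key string;
#   - the stored key is reusable and this script runs roughly every 24 hours,
#     so the replacement gets a 36 hour lifetime (129600 s) to leave overlap.
#
# Flow: read old key -> mint OAuth bearer -> create new key with the same
# capabilities -> store new key -> read back and verify -> revoke old key.
# Every API result is validated before the next step so that a failed call can
# never overwrite the working secret with an error body or revoke a key that
# has no replacement.
set -euo pipefail

: "${1:?usage: $0 <secret ARN>}"
: "${TS_API_CLIENT_ID:?TS_API_CLIENT_ID must be set}"
: "${TS_API_CLIENT_SECRET:?TS_API_CLIENT_SECRET must be set}"

TS_SECRET_ARN="$1"
# ARN layout is arn:partition:service:region:account:resource, so the region
# is colon-separated field 4.
TS_SECRET_REGION="$(cut -d':' -f4 <<<"$TS_SECRET_ARN")"
if [[ -z "$TS_SECRET_REGION" ]]; then
  echo "cannot derive a region from ARN: ${TS_SECRET_ARN}" >&2
  exit 1
fi

TS_API="https://api.tailscale.com/api/v2"
TS_NEW_KEY_EXPIRY_SECONDS=129600   # 36 h; must exceed the 24 h run interval

# --- 1. fetch the currently stored key; its capabilities and id are reused ---
TS_OLD_SECRET="$(aws secretsmanager get-secret-value \
  --secret-id "$TS_SECRET_ARN" --region "$TS_SECRET_REGION" \
  --output text --query SecretString)"
# jq -e exits non-zero when the selected value is null/missing; combined with
# set -e that aborts the run instead of carrying a literal "null" forward.
TS_OLD_SECRET_CAPABILITIES="$(jq -ec '.capabilities' <<<"$TS_OLD_SECRET")"
TS_OLD_SECRET_ID="$(jq -er '.id' <<<"$TS_OLD_SECRET")"

# --- 2. exchange the OAuth client credentials for a bearer token ---
# The client secret (and later the bearer token) is fed to curl through a
# config read from stdin (-K -) rather than on argv, so it is not visible in
# `ps` output or shell traces. Values are quoted in curl config syntax, which
# assumes the credentials contain no double quotes or backslashes.
# curl -f turns an HTTP error into a non-zero exit instead of a JSON error body.
TS_BEARER_TOKEN="$(printf 'data = "client_id=%s"\ndata = "client_secret=%s"\n' \
    "$TS_API_CLIENT_ID" "$TS_API_CLIENT_SECRET" \
  | curl -fsS -K - "${TS_API}/oauth/token" \
  | jq -er '.access_token')"

# --- 3. create the replacement key with identical capabilities ---
TOKEN_REQUEST="$(jq -c --null-input \
  --argjson caps "$TS_OLD_SECRET_CAPABILITIES" \
  --argjson ttl "$TS_NEW_KEY_EXPIRY_SECONDS" \
  '{capabilities: $caps, expirySeconds: $ttl}')"
TS_AUTH_KEY_RESULT="$(printf 'header = "Authorization: Bearer %s"\n' "$TS_BEARER_TOKEN" \
  | curl -fsS -K - \
      -H "Content-Type: application/json" \
      --request POST \
      --data "$TOKEN_REQUEST" \
      "${TS_API}/tailnet/-/keys")"
# Refuse to continue unless the response carries a key id and non-empty key
# material ("key" is only returned at creation time, which is why the full
# response is what gets stored).
TS_KEY_ID="$(jq -er '.id' <<<"$TS_AUTH_KEY_RESULT")"
jq -e '.key | type == "string" and length > 0' <<<"$TS_AUTH_KEY_RESULT" >/dev/null
TS_KEY_EXPIRATION="$(jq -r '.expires' <<<"$TS_AUTH_KEY_RESULT")"   # informational only
echo "Generated new key id: $TS_KEY_ID expires: $TS_KEY_EXPIRATION"

# --- 4. store the full creation response as the new secret value ---
# NOTE(review): the key material is passed on the aws CLI argv here, as in the
# original; that is briefly visible in `ps` on the host running this script.
echo "Uploading new key to: ${TS_SECRET_ARN}"
AWS_SECRETSMANAGER_RESP="$(aws secretsmanager put-secret-value \
  --secret-id "$TS_SECRET_ARN" --region "$TS_SECRET_REGION" \
  --secret-string "$TS_AUTH_KEY_RESULT" --output json)"
AWS_SECRETSMANAGER_RESP_NAME="$(jq -r '.Name' <<<"$AWS_SECRETSMANAGER_RESP")"
AWS_SECRETSMANAGER_RESP_ID="$(jq -r '.VersionId' <<<"$AWS_SECRETSMANAGER_RESP")"

# --- 5. read the secret back and confirm it holds the new key before revoking ---
TS_SECRET_KEY_ID="$(aws secretsmanager get-secret-value \
  --secret-id "$TS_SECRET_ARN" --region "$TS_SECRET_REGION" \
  --output text --query SecretString | jq -er '.id')"
if [[ "$TS_SECRET_KEY_ID" != "$TS_KEY_ID" ]]; then
  echo "stored key id ${TS_SECRET_KEY_ID} does not match new key id ${TS_KEY_ID}; old key NOT revoked" >&2
  exit 1
fi
echo "AWS Secret ${AWS_SECRETSMANAGER_RESP_NAME} new TS_AUTH Key ID is: ${TS_SECRET_KEY_ID} with AWS Version ID: ${AWS_SECRETSMANAGER_RESP_ID}"

# --- 6. revoke the old key ---
# If this fails the script exits non-zero but nothing is lost: the new key is
# already stored and the old one simply stays valid until its own expiry.
echo "Expiring old TS_AUTH Key ID: ${TS_OLD_SECRET_ID}"
printf 'header = "Authorization: Bearer %s"\n' "$TS_BEARER_TOKEN" \
  | curl -fsS -K - --request DELETE "${TS_API}/tailnet/-/keys/${TS_OLD_SECRET_ID}"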