@mrzarquon
Last active April 19, 2024 20:34
A tl;dr gist that uses a Tailscale OAuth token to recycle a secret in AWS using just curl, jq and the AWS CLI
#!/bin/bash
set -euo pipefail
# run this as `tailscale_oauth.sh "AWS ARN CONTAINING SECRET"`
# this assumes you're storing the full json response you get when you create an auth key and not just the secret
# set TS_API_CLIENT_ID and TS_API_CLIENT_SECRET in the environment before running (set -u aborts if they are missing)
TS_SECRET_ARN="$1"
# region is the 4th colon-separated field of arn:aws:secretsmanager:REGION:ACCOUNT:secret:NAME
TS_SECRET_REGION="$(echo "$TS_SECRET_ARN" | cut -d':' -f4)"
# we are reusing the existing token's capabilities so are only extracting/storing that;
# jq -e exits non-zero on a null/missing field, so with pipefail the script dies if it doesn't exist
TS_OLD_SECRET=$(aws secretsmanager get-secret-value --secret-id "$TS_SECRET_ARN" --output text --query SecretString --region "$TS_SECRET_REGION")
TS_OLD_SECRET_CAPABILITIES=$(echo "$TS_OLD_SECRET" | jq -rce '.capabilities')
TS_OLD_SECRET_ID=$(echo "$TS_OLD_SECRET" | jq -rce '.id')
# generating a new token payload with a 36 hour expiration window
# the original token in question is re-usable and this is meant to run every 24 hours
TOKEN_REQUEST="$(jq -rc --null-input --argjson existing_token "$TS_OLD_SECRET_CAPABILITIES" '{"capabilities":$existing_token,"expirySeconds":129600}')"
# get a bearer token (--fail makes curl exit non-zero on an HTTP error instead of handing jq an error body)
TS_BEARER_TOKEN=$(curl -sS --fail -d "client_id=${TS_API_CLIENT_ID}" -d "client_secret=${TS_API_CLIENT_SECRET}" "https://api.tailscale.com/api/v2/oauth/token" | jq -re '.access_token')
TS_AUTH_KEY_RESULT="$(curl -sS --fail -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TS_BEARER_TOKEN" \
  --request POST \
  --data "${TOKEN_REQUEST}" \
  https://api.tailscale.com/api/v2/tailnet/-/keys)"
TS_KEY_ID=$(echo "$TS_AUTH_KEY_RESULT" | jq -rce .id)
TS_KEY_EXPIRATION=$(echo "$TS_AUTH_KEY_RESULT" | jq -rce .expires)
echo "Generated new key id: $TS_KEY_ID expires: $TS_KEY_EXPIRATION"
echo "Uploading new key to: ${TS_SECRET_ARN}"
AWS_SECRETSMANAGER_RESP=$(aws secretsmanager put-secret-value \
  --secret-id "$TS_SECRET_ARN" \
  --secret-string "${TS_AUTH_KEY_RESULT}" --region "$TS_SECRET_REGION" --output json)
AWS_SECRETSMANAGER_RESP_NAME=$(echo "$AWS_SECRETSMANAGER_RESP" | jq -rc '.Name')
AWS_SECRETSMANAGER_RESP_ID=$(echo "$AWS_SECRETSMANAGER_RESP" | jq -rc '.VersionId')
# read the secret back and make sure the current version really is the key we just generated
TS_SECRET_KEY_ID=$(aws secretsmanager get-secret-value --secret-id "$TS_SECRET_ARN" --output text --query SecretString --region "$TS_SECRET_REGION" | jq -rce '.id')
echo "AWS Secret ${AWS_SECRETSMANAGER_RESP_NAME} new TS_AUTH Key ID is: ${TS_SECRET_KEY_ID} with AWS Version ID: ${AWS_SECRETSMANAGER_RESP_ID}"
if [ "$TS_SECRET_KEY_ID" != "$TS_KEY_ID" ]; then
  echo "Secret read-back returned key id ${TS_SECRET_KEY_ID}, expected ${TS_KEY_ID}; leaving the old key in place" >&2
  exit 1
fi
echo "Expiring old TS_AUTH Key ID: ${TS_OLD_SECRET_ID}"
curl -sS --fail -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TS_BEARER_TOKEN" \
  --request DELETE \
  "https://api.tailscale.com/api/v2/tailnet/-/keys/${TS_OLD_SECRET_ID}"
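An added offline model, not the gist's own code, of the three decisions the script makes: reuse the stored key's capabilities (and refuse if only a bare key string was stored), size the 36-hour expiry against the 24-hour schedule, and revoke the old key only once Secrets Manager actually serves the new one. The sample secret is constructed; its field names mirror the ones the gist reads (id, expires, capabilities).

```python
import json
from datetime import datetime, timedelta, timezone

ROTATION_INTERVAL = timedelta(hours=24)   # the gist is meant to run every 24 hours
NEW_KEY_EXPIRY_SECONDS = 129600           # the 36-hour window the gist requests

# Constructed sample of what the gist stores: the full create-key response, not just the key.
# The id and key values are placeholders, not real Tailscale identifiers.
OLD_SECRET_JSON = json.dumps({
    "id": "kOLDKEY0000CNTRL",
    "key": "tskey-auth-PLACEHOLDER",
    "created": "2024-04-18T00:00:00Z",
    "expires": "2024-04-19T12:00:00Z",
    "capabilities": {"devices": {"create": {
        "reusable": True, "ephemeral": False, "preauthorized": True, "tags": ["tag:example"]}}},
})


def build_key_request(old_secret_json: str) -> dict:
    """Body for the create-key call: the stored capabilities verbatim plus the expiry.
    Raises instead of sending 'null' capabilities, which is what a bare key string
    (rather than the full JSON response) stored in the secret would produce."""
    try:
        old = json.loads(old_secret_json)
    except json.JSONDecodeError:
        raise ValueError("stored secret is not JSON; store the full create-key response") from None
    caps = old.get("capabilities") if isinstance(old, dict) else None
    if not isinstance(caps, dict):
        raise ValueError("stored secret has no capabilities block; refusing to mint a key")
    return {"capabilities": caps, "expirySeconds": NEW_KEY_EXPIRY_SECONDS}


def spare_validity(expires: str, issued: str) -> timedelta:
    """How long a key issued at `issued` still works after the next scheduled run,
    i.e. the slack available if that run is late or fails once."""
    def parse(ts: str) -> datetime:
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return parse(expires) - (parse(issued) + ROTATION_INTERVAL)


def safe_to_revoke_old(stored_after_write: str, minted_id: str, old_id: str) -> bool:
    """Revoke the old key only when the secret read back after the write holds the
    freshly minted id and that id differs from the one being revoked."""
    stored = json.loads(stored_after_write)
    return isinstance(stored, dict) and stored.get("id") == minted_id and minted_id != old_id
```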