mvisonneau/vault-aws-ec2-login

## vault-aws-ec2-login
#!/usr/bin/env bash

if [[ -z ${VAULT_ADDR} ]]; then
  echo "VAULT_ADDR must be set"
  exit 1
fi

pkcs7=$( curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n' )
iam_instance_profile=$( curl -s http://169.254.169.254/latest/meta-data/iam/info | jq -r .InstanceProfileArn | cut -d '/' -f2 )
nonce=$( openssl rand -base64 36 )

# In order to request a role onto vault we prefer VAULT_AWS_ROLE or we default to instance profile otherwise
role="${VAULT_AWS_ROLE:-${iam_instance_profile}}"

result=$(
  curl -s -X POST "${VAULT_ADDR}/v1/auth/aws/login" \
    -d '{"role":"'"$role"'","pkcs7":"'"$pkcs7"'","nonce":"'"$nonce"'"}"'
)

token=$( jq -r .auth.client_token <<< "$result" )
errors=$( jq -r .errors <<< "$result" )
if [[ -n ${errors} ]]; then
  echo ${errors}
  exit 1
elif [[ -z ${token} ]]; then
  echo 'no error nor token returned from Vault'
  exit 1
else
  echo ${token}
fi

exit 0
	#!/usr/bin/env bash

	if [[ -z ${VAULT_ADDR} ]]; then
	echo "VAULT_ADDR must be set"
	exit 1
	fi

	pkcs7=$( curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 \| tr -d '\n' )
	iam_instance_profile=$( curl -s http://169.254.169.254/latest/meta-data/iam/info \| jq -r .InstanceProfileArn \| cut -d '/' -f2 )
	nonce=$( openssl rand -base64 36 )

	# In order to request a role onto vault we prefer VAULT_AWS_ROLE or we default to instance profile otherwise
	role="${VAULT_AWS_ROLE:-${iam_instance_profile}}"

	result=$(
	curl -s -X POST "${VAULT_ADDR}/v1/auth/aws/login" \
	-d '{"role":"'"$role"'","pkcs7":"'"$pkcs7"'","nonce":"'"$nonce"'"}"'
	)

	token=$( jq -r .auth.client_token <<< "$result" )
	errors=$( jq -r .errors <<< "$result" )
	if [[ -n ${errors} ]]; then
	echo ${errors}
	exit 1
	elif [[ -z ${token} ]]; then
	echo 'no error nor token returned from Vault'
	exit 1
	else
	echo ${token}
	fi

	exit 0