@nokogerra
Last active May 23, 2025 12:56
# Create two ACL policies for the secrets engine mounted at "my-custom-engine"
# (each block is its own policy file; with KV v2 the request paths carry
# the data/, metadata/ etc. prefix, which the glob below already covers).
# Policy "my-custom-engine-read":
path "my-custom-engine/*" {
  capabilities = ["read", "list"]
}
# Policy "my-custom-engine-write":
path "my-custom-engine/*" {
  capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
# Create an AppRole role and attach the policies to it.
# token_policies is the current parameter name; policies is the deprecated alias.
# token_ttl=0 / token_max_ttl=0 fall back to the system defaults;
# secret_id_ttl=0 means issued SecretIDs never expire.
vault write -tls-skip-verify auth/approle/role/my-custom-engine-role \
  token_policies="my-custom-engine-read,my-custom-engine-write" \
  token_ttl=0 \
  token_max_ttl=0 \
  secret_id_ttl=0 \
  policies="my-custom-engine-read,my-custom-engine-write"
# Get the role_id:
vault read auth/approle/role/my-custom-engine-role/role-id
# Generate a secret_id for the role:
vault write -force auth/approle/role/my-custom-engine-role/secret-id
# Log in with role_id + secret_id to obtain a client token and check the role's policies:
curl \
  --request POST \
  --data '{ "role_id": "MY_ROLE_ID", "secret_id": "MY_SECRET_ID" }' \
  https://vault.example.cloud/v1/auth/approle/login | jq
# Try to read the secret "test" with the token (KV v2 read path):
curl --header "X-Vault-Token: MY_TOKEN" \
  https://vault.example.cloud/v1/my-custom-engine/data/test | jq
# Get info about a token (including its policies):
curl -H "X-Vault-Token: MY_TOKEN" https://vault.example.cloud/v1/auth/token/lookup-self | jq .data.policies
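An added example, not part of the gist: a small Python evaluator that mirrors how Vault merges the policies attached to a token (capabilities are unioned per path, "deny" is sticky, an exact path rule beats a glob prefix, and among globs the longest prefix wins). It takes the two policies above as constructed strings and adds a hypothetical exact-path "deny" rule to show why a token carrying both policies effectively has the write policy's rights, and how a narrower rule overrides the glob. The regex parser only handles the simple `path "..." { capabilities = [...] }` form used here.

```python
import re
from typing import Dict, List, Set

# The two policies from the gist (constructed here as plain strings).
READ_POLICY = '''
path "my-custom-engine/*" {
  capabilities = ["read", "list"]
}
'''
WRITE_POLICY = '''
path "my-custom-engine/*" {
  capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
'''
# Hypothetical extra policy (not from the gist): an exact-path deny rule.
DENY_PROD_POLICY = '''
path "my-custom-engine/data/prod" {
  capabilities = ["deny"]
}
'''

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

def parse_policy(text: str) -> Dict[str, Set[str]]:
    """Parse the simple HCL form above into {path: set(capabilities)}."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE.findall(text):
        rules.setdefault(path, set()).update(
            c.strip().strip('"') for c in caps.split(",") if c.strip())
    return rules

def merge_policies(policies: List[str]) -> Dict[str, Set[str]]:
    """Union capabilities per path across every policy attached to the token."""
    merged: Dict[str, Set[str]] = {}
    for text in policies:
        for path, caps in parse_policy(text).items():
            merged.setdefault(path, set()).update(caps)
    return merged

def capabilities_for(merged: Dict[str, Set[str]], request_path: str) -> Set[str]:
    """Exact match wins; otherwise the longest glob prefix ("dir/*") that matches."""
    if request_path in merged:
        return merged[request_path]
    globs = [p for p in merged if p.endswith("*") and request_path.startswith(p[:-1])]
    return merged[max(globs, key=len)] if globs else set()

def allowed(policies: List[str], request_path: str, capability: str) -> bool:
    """True if the merged policies grant `capability` on `request_path`; deny is sticky."""
    caps = capabilities_for(merge_policies(policies), request_path)
    return "deny" not in caps and capability in caps
```

With only the read policy the token cannot update `my-custom-engine/data/test`; once the write policy is attached as well, it can, so attaching both (as the role above does) grants the full write set.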