Okta and Vault Test Credential Automation

cleanup_okta_users.sh

#!/bin/bash

# You should have these envvars setup already
# VAULT_ADDR="https://your-vault-address"
# VAULT_TOKEN="your-vault-token"

# Define Okta and Vault configuration variables
OKTA_DOMAIN="yourOktaDomain"
VAULT_API_TOKEN_PATH="secret/data/okta/api_token"
VAULT_USER_CREDS_PATH="secret/data/okta/users"
PROFILE_URL="https://testuser.org/profile" # URL to filter test users
RETENTION_DAYS=7 # Retention period in days

# Function to log errors
log_error() {
    echo "[ERROR] $1"
}

# Function to pull API token from Vault
get_api_token() {
    echo "Retrieving API token from Vault..."
    API_TOKEN_RESPONSE=$(curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" \
        "${VAULT_ADDR}/v1/${VAULT_API_TOKEN_PATH}")
    API_TOKEN=$(echo "${API_TOKEN_RESPONSE}" | jq -r '.data.data.api_token')

    if [[ "${API_TOKEN}" == "null" || -z "${API_TOKEN}" ]]; then
        log_error "Failed to retrieve API token from Vault. Response: ${API_TOKEN_RESPONSE}"
        exit 1
    fi
    echo "API token retrieved successfully."
}

# Function to delete a user from Okta
delete_user() {
    local user_id=$1
    echo "Deleting user with ID: ${user_id}"
    DELETE_RESPONSE=$(curl -s -X DELETE "https://${OKTA_DOMAIN}/api/v1/users/${user_id}" \
        -H "Accept: application/json" \
        -H "Authorization: SSWS ${API_TOKEN}")

    if [[ ! -z "${DELETE_RESPONSE}" ]]; then
        log_error "Failed to delete user with ID: ${user_id}. Response: ${DELETE_RESPONSE}"
    else
        echo "User with ID: ${user_id} deleted successfully."
    fi
}

# Function to delete user credentials from Vault
delete_user_creds_from_vault() {
    local user_email=$1
    echo "Deleting user credentials for ${user_email} from Vault..."
    DELETE_RESPONSE=$(curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" \
        --request DELETE \
        "${VAULT_ADDR}/v1/${VAULT_USER_CREDS_PATH}/${user_email}")

    if [[ $(echo "${DELETE_RESPONSE}" | jq -r '.errors') != "null" ]]; then
        log_error "Failed to delete user credentials from Vault for ${user_email}. Response: ${DELETE_RESPONSE}"
    else
        echo "User credentials for ${user_email} deleted from Vault successfully."
    fi
}

# Function to list and delete users based on profileUrl and retention period
cleanup_users() {
    echo "Listing users for cleanup..."
    USERS_RESPONSE=$(curl -s -X GET "https://${OKTA_DOMAIN}/api/v1/users" \
        -H "Accept: application/json" \
        -H "Authorization: SSWS ${API_TOKEN}")

    CURRENT_DATE=$(date +%s)
    RETENTION_SECONDS=$((RETENTION_DAYS * 86400))

    echo "${USERS_RESPONSE}" | jq -c '.[]' | while read -r user; do
        user_id=$(echo "${user}" | jq -r '.id')
        user_profile_url=$(echo "${user}" | jq -r '.profile.profileUrl')
        user_email=$(echo "${user}" | jq -r '.profile.email')
        user_created=$(echo "${user}" | jq -r '.created')
        user_created_epoch=$(date -d "${user_created}" +%s)
        user_age=$((CURRENT_DATE - user_created_epoch))

        if [[ "${user_profile_url}" == "${PROFILE_URL}" && ${user_age} -gt ${RETENTION_SECONDS} ]]; then
            delete_user "${user_id}"
            delete_user_creds_from_vault "${user_email}"
        fi
    done
}

# Main script execution
get_api_token
cleanup_users

echo "User cleanup complete."

create_and_store_api_token.sh

#!/bin/bash

# You should have these envvars setup already
# VAULT_ADDR="https://your-vault-address"
# VAULT_TOKEN="your-vault-token"
# ADMIN_PASSWORD="SuperAdminPassword"

# Define Okta and Vault configuration variables
OKTA_DOMAIN="yourOktaDomain"
ADMIN_USERNAME="admin@example.com"
VAULT_API_TOKEN_PATH="secret/data/okta/api_token"

# Function to log errors
log_error() {
    echo "[ERROR] $1"
}

# Function to create an API token
create_api_token() {
    echo "Creating API token..."
    SESSION_TOKEN=$(curl -s -X POST "https://${OKTA_DOMAIN}/api/v1/authn" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -d '{
              "username": "'"${ADMIN_USERNAME}"'",
              "password": "'"${ADMIN_PASSWORD}"'"
            }' | jq -r '.sessionToken')

    if [[ "${SESSION_TOKEN}" == "null" || -z "${SESSION_TOKEN}" ]]; then
        log_error "Failed to authenticate admin. Check username and password."
        exit 1
    fi

    API_TOKEN=$(curl -s -X POST "https://${OKTA_DOMAIN}/api/v1/tokens" \
        -H "Accept: application/json" \
        -H "Authorization: SSWS ${SESSION_TOKEN}" \
        -d '{
              "name": "QA Automation Token"
            }' | jq -r '.token')

    if [[ "${API_TOKEN}" == "null" || -z "${API_TOKEN}" ]]; then
        log_error "Failed to create API token."
        exit 1
    fi
    echo "API token created successfully."
}

# Function to store API token in Vault
store_api_token_in_vault() {
    echo "Storing API token in Vault..."
    STORE_RESPONSE=$(curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" \
        --request POST \
        --data '{"data": {"api_token": "'"${API_TOKEN}"'"}}' \
        "${VAULT_ADDR}/v1/${VAULT_API_TOKEN_PATH}")

    if [[ $(echo "${STORE_RESPONSE}" | jq -r '.errors') != "null" ]]; then
        log_error "Failed to store API token in Vault. Response: ${STORE_RESPONSE}"
        exit 1
    fi
    echo "API token stored in Vault successfully."
}

# Main script execution
create_api_token
store_api_token_in_vault

echo "API token creation and storage complete."

create_okta_user.sh

#!/bin/bash

# You should have these env vars setup already
# VAULT_ADDR="https://your-vault-address"
# VAULT_TOKEN="your-vault-token"

# Define Okta and Vault configuration variables
OKTA_DOMAIN="yourOktaDomain"

VAULT_API_TOKEN_PATH="secret/data/okta/api_token"
GROUP_NAME="yourGroupName"
VAULT_USER_CREDS_PATH="secret/data/okta/users"

# Function to log errors
log_error() {
    echo "[ERROR] $1"
}

# Function to pull API token from Vault
get_api_token() {
    echo "Retrieving API token from Vault..."
    API_TOKEN_RESPONSE=$(curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" \
        "${VAULT_ADDR}/v1/${VAULT_API_TOKEN_PATH}")
    API_TOKEN=$(echo "${API_TOKEN_RESPONSE}" | jq -r '.data.data.api_token')

    if [[ "${API_TOKEN}" == "null" || -z "${API_TOKEN}" ]]; then
        log_error "Failed to retrieve API token from Vault. Response: ${API_TOKEN_RESPONSE}"
        exit 1
    fi
    echo "API token retrieved successfully."
}

# Function to lookup Group ID by name
get_group_id() {
    echo "Looking up Group ID for group name: ${GROUP_NAME}..."
    GROUP_RESPONSE=$(curl -s -X GET "https://${OKTA_DOMAIN}/api/v1/groups?search=profile.name+eq+\"${GROUP_NAME}\"" \
        -H "Accept: application/json" \
        -H "Authorization: SSWS ${API_TOKEN}")

    GROUP_ID=$(echo "${GROUP_RESPONSE}" | jq -r '.[0].id')
    if [[ "${GROUP_ID}" == "null" || -z "${GROUP_ID}" ]]; then
        log_error "Failed to retrieve Group ID. Response: ${GROUP_RESPONSE}"
        exit 1
    fi
    echo "Group ID for '${GROUP_NAME}' is ${GROUP_ID}"
}

# Function to generate a random 32-character password
generate_password() {
    PASSWORD=$(openssl rand -base64 24 | tr -dc 'a-zA-Z0-9' | head -c 32)
    if [[ -z "${PASSWORD}" ]]; then
        log_error "Failed to generate password."
        exit 1
    fi
}

# Function to create a user
create_user() {
    echo "Creating user..."
    USER_RESPONSE=$(curl -s -X POST "https://${OKTA_DOMAIN}/api/v1/users?activate=true" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "Authorization: SSWS ${API_TOKEN}" \
        -d '{
              "profile": {
                "firstName": "'"${USER_FIRST_NAME}"'",
                "lastName": "'"${USER_LAST_NAME}"'",
                "email": "'"${USER_EMAIL}"'",
                "login": "'"${USER_EMAIL}"'"
              },
              "credentials": {
                "password" : { "value": "'"${PASSWORD}"'" }
              }
            }')

    USER_ID=$(echo "${USER_RESPONSE}" | jq -r '.id')
    if [[ "${USER_ID}" == "null" || -z "${USER_ID}" ]]; then
        log_error "Failed to create user. Response: ${USER_RESPONSE}"
        exit 1
    fi
    echo "User created with ID: ${USER_ID}"
}

# Function to assign the user to a group
assign_user_to_group() {
    echo "Assigning user to group..."
    ASSIGN_RESPONSE=$(curl -s -X PUT "https://${OKTA_DOMAIN}/api/v1/groups/${GROUP_ID}/users/${USER_ID}" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -H "Authorization: SSWS ${API_TOKEN}")

    if [[ ! -z "${ASSIGN_RESPONSE}" ]]; then
        log_error "Failed to assign user to group. Response: ${ASSIGN_RESPONSE}"
        exit 1
    fi
    echo "User assigned to group successfully."
}

# Function to store user credentials in Vault
store_user_creds_in_vault() {
    echo "Storing user credentials in Vault..."
    STORE_RESPONSE=$(curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" \
        --request POST \
        --data '{"data": {"email": "'"${USER_EMAIL}"'", "password": "'"${PASSWORD}"'"}}' \
        "${VAULT_ADDR}/v1/${VAULT_USER_CREDS_PATH}/${USER_EMAIL}")

    if [[ $(echo "${STORE_RESPONSE}" | jq -r '.errors') != "null" ]]; then
        log_error "Failed to store user credentials in Vault. Response: ${STORE_RESPONSE}"
        exit 1
    fi
    echo "User credentials stored in Vault successfully."
}

# Main script execution
if [[ $# -ne 1 ]]; then
    echo "Usage: $0 <username>"
    exit 1
fi

USERNAME=$1
USER_EMAIL="${USERNAME}@example.com"
USER_FIRST_NAME="Test"
USER_LAST_NAME="User"

get_api_token
get_group_id
generate_password
create_user
assign_user_to_group
store_user_creds_in_vault

echo "Test user setup complete."
echo "User credentials stored at: ${VAULT_USER_CREDS_PATH}/${USER_EMAIL}"

Workflow of the Scripts to Create Test Users

Script 1: create_and_store_api_token.sh

1. Define Configuration Variables:

   • Set Okta and Vault configuration variables, including domain, admin credentials, Vault address, and Vault token path.

2. Create API Token:

   • Authenticate with Okta using admin credentials.
   • Create an API token.

3. Store API Token in Vault:

   • Use the Vault CLI to store the generated API token securely in Vault.

4. Output:

   • Confirmation of successful API token creation and storage in Vault.

Example Usage:

./create_and_store_api_token.sh

Script 2: create_and_store_user_creds.sh

1. Define Configuration Variables:

   • Set Okta and Vault configuration variables, including domain, group name, Vault address, and Vault token path.

2. Get API Token from Vault:

   • Retrieve the stored API token from Vault.

3. Get Group ID:

   • Look up the Group ID in Okta using the group name.

4. Generate Password:

   • Generate a random 32-character password for the new user.

5. Create User:

   • Create a new user in Okta with the generated password and specified profile information.

6. Assign User to Group:

   • Assign the newly created user to the specified group using the Group ID.

7. Store User Credentials in Vault:

   • Store the new user's email and generated password in Vault.

8. Output:

   • Confirmation of successful user creation, group assignment, and storage of credentials in Vault.
   • The path in Vault where the user credentials are stored is returned.

Example Usage:

./create_and_store_user_creds.sh testuser

Output:

Test user setup complete.
User credentials stored at: secret/data/okta/users/testuser@example.com

These scripts streamline the process of creating and managing test users in Okta, securely storing their credentials in Vault, and provide clear feedback on the operations performed.

⚠ Adjust configuration variables as needed to fit your environment.