Created
November 14, 2018 10:27
-
-
Save roooms/32dd2b6e1c5cf98a7c71748d37184482 to your computer and use it in GitHub Desktop.
Vault Namespaces & Groups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -e | |
| set -x | |
| export VAULT_ADDR='http://127.0.0.1:8200' | |
| export VAULT_TOKEN='root' | |
| vault login root | |
| # create namespaces | |
| vault namespace create team1 | |
| vault namespace create team2 | |
| vault namespace create team3 | |
| # install policy | |
| vault policy write admin admin.hcl | |
| for team in team1 team2 team3; do | |
| vault policy write -ns="${team}" ${team} ${team}.hcl | |
| done | |
| # create groups | |
| vault write identity/group name="admin" policies="admin" type="internal" | |
| for team in team1 team2 team3; do | |
| # create root groups | |
| vault write -format="json" identity/group name="${team}_root" type="internal" | jq -r ".data.id" | tee ${team}_root_id.txt | |
| # create namespace group and add root group as a member | |
| vault write -ns="${team}" identity/group name="${team}" policies="${team}" type="internal" member_group_ids="$(cat ${team}_root_id.txt)" | |
| done | |
| # enable root level auth method and users | |
| vault auth enable userpass | |
| vault write auth/userpass/users/alice password="password" | |
| vault write auth/userpass/users/brian password="password" policies="admin" | |
| vault write auth/userpass/users/chris password="password" | |
| vault write auth/userpass/users/donna password="password" | |
| # lookup userpass auth method accessor and tee to file | |
| vault auth list -format="json" | jq -r '.["userpass/"].accessor' | tee userpass_accessor.txt | |
| # create entities and aliases | |
| for user in alice brian chris donna; do | |
| # create entities and assign entity id to variable | |
| vault write -format="json" identity/entity name="${user}" type="internal" | jq -r ".data.id" | tee ${user}_entity_id.txt | |
| # create entity aliases linking userpass user id to entity id | |
| vault write identity/entity-alias name="${user}" canonical_id="$(cat ${user}_entity_id.txt)" mount_accessor="$(cat userpass_accessor.txt)" | |
| done | |
| # map entities to root groups | |
| vault write identity/group name="team1_root" member_entity_ids="$(cat alice_entity_id.txt)" | |
| vault write identity/group name="team1_root" member_entity_ids="$(cat brian_entity_id.txt)" | |
| vault write identity/group name="team2_root" member_entity_ids="$(cat chris_entity_id.txt)" | |
| vault write identity/group name="team3_root" member_entity_ids="$(cat donna_entity_id.txt)" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment