@stenio123
Last active October 28, 2016 20:27
Managing secrets using Hashicorp Vault
git clone https://github.com/stenio123/hashicorp-vault-token-auth-poc.git
cd hashicorp-vault-token-auth-poc
vagrant up
vault token-create -policy=production -wrap-ttl=20m
# Will output response (different token value):
Key Value
--- -----
wrapping_token: d88d7612-14af-e58d-035f-f9446991bca4
wrapping_token_ttl: 20m0s
wrapping_token_creation_time: 2016-09-02 11:33:08.021734288 -0400 EDT
wrapped_accessor: 1cd465e7-67bd-7d75-385f-18afb47c489a
# Ensures that the ssh key has correct permissions
sudo chmod 400 ClientVM/ssh/unsafe_id_rsa
# [single access token] is the wrapping_token value printed by token-create above; only that
# single-use wrapping token travels to the client VM, never the real access token
echo [single access token] | ssh -i ClientVM/ssh/unsafe_id_rsa -oStrictHostKeyChecking=no vagrant@192.168.0.51 "tee temporary-token.txt"
vagrant ssh client
export VAULT_TOKEN=$(cat temporary-token.txt)
# Reading cubbyhole/response with the wrapping token unwraps the real token response (single use)
RESPONSE=$(curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET http://192.168.0.50:8200/v1/cubbyhole/response)
ACCESS_TOKEN=$(echo "$RESPONSE" | jq -r '.data.response | fromjson | .auth.client_token')
curl -H "X-Vault-Token: $ACCESS_TOKEN" -X GET http://192.168.0.50:8200/v1/secret/production/password
curl -H "X-Vault-Token: $ACCESS_TOKEN" -X POST http://192.168.0.50:8200/v1/auth/token/renew-self
# The ACCESS_TOKEN line uses shell pipes, where the output from the left is the input of the right:
# echo "$RESPONSE"
# Outputs the wrapped token response
# jq -r '.data.response | fromjson | .auth.client_token'
# Uses jq to parse the JSON down to data.response, which is itself a JSON string, so it is
# parsed a second time (fromjson) to reach auth.client_token
# ACCESS_TOKEN=$( ... )
# Command substitution stores the output of the pipeline in the variable ACCESS_TOKEN
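The client-side unwrap above, as an added example that is not part of the gist: the same data.response extraction done in Python, returning None instead of an empty token when the single-use wrapping token has already been consumed or its wrap TTL has elapsed, plus a policy check before the token is used. The token values and request_id are constructed placeholders; fetch_wrapped_response and policies_match are hypothetical helper names.

```python
import json
import urllib.request

# Constructed sample with the shape of GET /v1/cubbyhole/response shown on
# this page: the real token response is a JSON *string* inside data.response.
SAMPLE_WRAPPED_BODY = {
    "request_id": "00000000-0000-0000-0000-000000000001",  # placeholder
    "data": {
        "response": json.dumps({
            "auth": {
                "client_token": "example-client-token",  # constructed value
                "accessor": "example-accessor",
                "policies": ["default", "production"],
                "lease_duration": 2592000,
                "renewable": True,
            }
        })
    },
}


def extract_auth(wrapped_body):
    """Equivalent of: jq -r '.data.response | fromjson | .auth.client_token'.

    Returns the inner auth block, or None when data.response is absent: that
    is what a client sees once the single-use wrapping token was consumed or
    its wrap TTL elapsed. The caller must not fall through to an empty token.
    """
    data = wrapped_body.get("data") or {}
    if not data.get("response"):
        return None
    inner = json.loads(data["response"])  # second decode of the nested JSON
    auth = inner.get("auth") or {}
    return auth if auth.get("client_token") else None


def policies_match(auth, expected):
    """True when the unwrapped token carries exactly the expected policies."""
    return sorted(auth.get("policies", [])) == sorted(expected)


def fetch_wrapped_response(vault_addr, wrapping_token):
    """GET /v1/cubbyhole/response with the wrapping token (network call)."""
    req = urllib.request.Request(
        vault_addr.rstrip("/") + "/v1/cubbyhole/response",
        headers={"X-Vault-Token": wrapping_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```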
# vault path-help [path you want help with]
# Example:
$ vault path-help auth/token
## DESCRIPTION
## PATHS
The following paths are supported by this backend. To view help for
any of the paths below, use the help command with any route matching
the path pattern. Note that depending on the policy of your auth token,
you may or may not be able to access certain paths.
^accessors/?$
List token accessors, which can then be
be used to iterate and discover their properities
or revoke them. Because this can be used to
cause a denial of service, this endpoint
requires 'sudo' capability in addition to
'list'.
^create$
The token create path is used to create new tokens.
^create-orphan$
The token create path is used to create new orphan tokens.
^create/(?P<role_name>\w[\w-.]+\w)$
This token create path is used to create new tokens adhering to the given role.
^lookup(/(?P<urltoken>.+))?$
This endpoint will lookup a token and its properties.
^lookup-accessor(/(?P<urlaccessor>.+))?$
This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.
^lookup-self$
This endpoint will lookup a token and its properties.
...
# For this example, you will need to have the aws-ec2 enabled by running
# $ vault auth-enable aws-ec2
$ vault path-help auth/aws-ec2/role/test
Request: role/test
Matching Route: ^role/(?P<role>\w[\w-.]+\w)$
Create a role and associate policies to it.
## PARAMETERS
allow_instance_migration (bool)
If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered time. Use with caution.
bound_account_id (string)
If set, defines a constraint on the EC2 instances that the account ID
in its identity document to match the one specified by this parameter.
bound_ami_id (string)
If set, defines a constraint on the EC2 instances that they should be
using the AMI ID specified by this parameter.
bound_iam_role_arn (string)
If set, defines a constraint on the EC2 instances that they should be using the IAM Role ARN specified by this parameter.
disallow_reauthentication (bool)
If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws-ec2/identity-whitelist/<instance_id>' endpoint.
max_ttl (duration (sec))
The maximum allowed lifetime of tokens issued using this role.
policies (string)
Policies to be set on tokens issued using this role.
role (string)
Name of the role.
role_tag (string)
If set, enables the role tags for this role. The value set for this field should be the 'key' of the tag on the EC2 instance. The 'value' of the tag should be generated using 'role/<role>/tag' endpoint. Defaults to an empty string, meaning that role tags are disabled.
ttl (duration (sec))
Duration in seconds after which the issued token should expire. Defaults
to 0, in which case the value will fallback to the system/mount defaults.
## DESCRIPTION
A precondition for login is that a role should be created in the backend.
The login endpoint takes in the role name against which the instance
should be validated. After authenticating the instance, the authorization
for the instance to access Vault's resources is determined by the policies
that are associated to the role though this endpoint.
When the instances require only a subset of policies on the role, then
'role_tag' option on the role can be enabled to create a role tag via the
endpoint 'role/<role>/tag'. This tag then needs to be applied on the
instance before it attempts a login. The policies on the tag should be a
subset of policies that are associated to the role. In order to enable
login using tags, 'role_tag' option should be set while creating a role.
Also, a 'max_ttl' can be configured in this endpoint that determines the maximum
duration for which a login can be renewed. Note that the 'max_ttl' has an upper
limit of the 'max_ttl' value on the backend's mount.
vagrant ssh vault
# This runs Vault in the background. Output is sent to nohup.out
nohup ./vault server -config=sync/HashicorpVault/config.hcl &
# Press <enter> to see the Exit 1 status code
# Using the address defined in the above configuration file
export VAULT_ADDR=http://0.0.0.0:8200
# Initializes unseal tokens and root access token
./vault init
# If you want to avoid having to type "./" before executing Vault, you can add this folder to your PATH by executing:
export PATH=$PATH:`pwd`
vault auth [root token]
# Should return output:
Successfully authenticated! You are now logged in.
token: [root token]
token_duration: 0
token_policies: [root]
vault audit-enable file path=./vault_audit.log
vault policy-write production sync/HashicorpVault/policies/production.hcl
vault policy-write qa sync/HashicorpVault/policies/qa.hcl
vault policy-write development sync/HashicorpVault/policies/development.hcl
vault write secret/production/password value=MyProdPassword
vault write secret/production/qa value=MyQAPassword
vault write secret/production/development value=MyDevelopmentPassword
# Response of GET /v1/cubbyhole/response: the wrapped token response is a JSON string in data.response
{
  "request_id": "940e5211-76f1-b33f-7130-af48e49c5a7c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "response": "{\"request_id\":\"f8b9ea99-2001-54db-3260-70b0c836aa7b\",\"lease_id\":\"\",\"renewable\":false,\"lease_duration\":0,\"data\":null,\"wrap_info\":null,\"warnings\":null,\"auth\":{\"client_token\":\"9d7b7da7-897c-bb8e-9729-c0b5f5d61b7f\",\"accessor\":\"2b66772e-775c-ef9e-1a02-30e711787a9f\",\"policies\":[\"default\",\"production\"],\"metadata\":null,\"lease_duration\":2592000,\"renewable\":true}}"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
# Response of GET /v1/secret/production/password using the unwrapped ACCESS_TOKEN
{
  "request_id": "8196ade4-9589-8bbd-685c-ac29e44c349c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 2592000,
  "data": {
    "value": "MyProdPassword"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}