Last active
February 23, 2022 22:37
-
-
Save thsutton/a049a4c3f22704c1d8c55ef675043708 to your computer and use it in GitHub Desktop.
Get a Kerberos keytab from Hashicorp vault.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # vault-get-keytab | |
| # | |
| # Rather than verify that it’s exactly the keytab we expect, this script checks that it is | |
| # (or appears to be) a keytab for the required principal. | |
| set -eu | |
| $vault_path=“$1” | |
| $principal=“$2” | |
| $target=“$3” | |
| F=$(mktemp -s /tmp/keytab.XXXXXX) | |
| trap ... “rm -f $F” | |
| chmod 600 $F | |
| vault read --field token “$vault_path” | base64 --decode > $F | |
| # should we test that we CAN get a ticket? Or that we OUGHT to be able to? | |
| kinit -kt $F “$principal” | |
| kdestroy -q | |
| # or: klist -kt “$F” | grep -q “$principal” | |
| mv “$F” “$target” |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment