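#!/bin/bash
# Demo: Vault control groups end to end on a throwaway dev server.
#
# Starts an in-memory Vault listener on 127.0.0.1:8200 (TLS disabled),
# initializes and unseals it, creates a "reader" whose reads under kv/* are
# held until one member of "approver_group" authorizes them, then exercises
# the request -> authorize -> unwrap flow once.
#
# Requirements: vault, jq and nc on PATH. VAULT_ADDR defaults to the
# plain-HTTP api_addr written below; export a different value to override.
#
# The original `set -aex` is not used: `-x` would print the unseal key and
# every token to stderr as each command is traced, and `-a` would export
# those variables into the environment of every child process. Files under
# /tmp (config, server log, pid file, audit log) are left for inspection.
set -euo pipefail

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Stop any previously started server. Note the pattern matches every process
# whose name contains "vault".
pkill -9 vault || true
sleep 2s

# Quoted delimiter: the config contains no shell expansions.
tee /tmp/config.hcl <<'EOF'
storage "inmem" {}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
pid_file = "/tmp/vault.pid"
EOF

vault server -config /tmp/config.hcl > /tmp/config.log 2>&1 &

# Poll the configured listener address itself rather than "localhost",
# which may resolve to ::1 where nothing is listening.
while ! nc -w 1 127.0.0.1 8200 </dev/null; do sleep 1; done

# One key share with threshold one so a single value unseals the demo.
initResponse=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
unsealKey=$(jq -r '.unseal_keys_b64[0]' <<<"$initResponse")
rootToken=$(jq -r '.root_token' <<<"$initResponse")
vault operator unseal "$unsealKey"
sleep 3s
vault login "$rootToken"

# Reads under kv/* by holders of this policy are wrapped and held until one
# member of approver_group authorizes the request.
vault policy write control-group-read -<<'EOF'
path "kv/*" {
capabilities = [ "read" ]
control_group = {
factor "authorizer" {
identity {
group_names = [ "approver_group" ]
approvals = 1
}
}
}
}
EOF

vault policy write approvers-policy -<<'EOF'
# To approve the request
path "sys/control-group/authorize" {
capabilities = ["create", "update"]
}
# To check control group request status
path "sys/control-group/request" {
capabilities = ["create", "update"]
}
EOF

vault secrets enable kv
vault kv put kv/secret secret1="this-secret"

vault auth enable userpass
userpassAccessor=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')

# Reader: a userpass user bound to an identity entity via an alias on the
# userpass mount accessor.
vault write auth/userpass/users/reader password="reader" policies="control-group-read"
readerEntityID=$(vault write -format=json identity/entity name="Reader" policies="control-group-read" | jq -r ".data.id")
vault write identity/entity-alias name="reader" canonical_id="$readerEntityID" mount_accessor="$userpassAccessor"
readerToken=$(vault write -format json auth/userpass/login/reader password=reader | jq -r '.auth.client_token')

# Approver: an entity placed in approver_group, which carries approvers-policy.
vault write auth/userpass/users/approver password="approver"
# The original line had a stray "\ " before policies="default", which appears
# to have passed the pair as a separate argument with a leading space.
approverEntityID=$(vault write -format=json identity/entity name="approver" policies="default" | jq -r ".data.id")
vault write identity/entity-alias name="approver" canonical_id="$approverEntityID" mount_accessor="$userpassAccessor"
vault write identity/group name="approver_group" policies="approvers-policy" member_entity_ids="$approverEntityID"
approverToken=$(vault write -format json auth/userpass/login/approver password=approver | jq -r '.auth.client_token')

vault audit enable file file_path=/tmp/vaultaudit.log

# The reader's read returns a wrapped response instead of the secret; the
# wrap accessor identifies the pending control-group request, and the wrap
# token is what the reader unwraps once the request is authorized.
wrappedResponse=$(VAULT_TOKEN="$readerToken" vault kv get -format json kv/secret)
wrappingAccessor=$(jq -r '.wrap_info.accessor' <<<"$wrappedResponse")
wrappingToken=$(jq -r '.wrap_info.token' <<<"$wrappedResponse")
VAULT_TOKEN="$approverToken" vault write sys/control-group/authorize accessor="$wrappingAccessor"
VAULT_TOKEN="$readerToken" vault unwrap "$wrappingToken"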