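#!/bin/bash
# Demo: how Vault's identity store (entities, groups, aliases) layers
# policies on top of an LDAP login.
#
# Four KV secrets are written, each readable only under its own policy.
# policy1 is granted to the LDAP user, policy2 to the user's entity,
# policy3 to an internal group holding that entity, and policy4 to an
# external group aliased to an LDAP group. After each grant the user logs
# in again and tries to read all four secrets, so the trace shows which
# ones the new token can reach.
#
# Requires: a reachable Vault the caller is already logged into (the
# writes to sys/ and identity/ need a privileged token) and jq.
#
# set -e is deliberately not enabled: the demo stays useful if a step
# fails because it was already applied by a previous run.
#
# NOTE: set -x prints every command to stderr, including the LDAP password
# and each token obtained below. Run this only against a throwaway dev
# server and do not keep the trace output.
set -x

command -v vault >/dev/null || { printf 'vault not found in PATH\n' >&2; exit 1; }
command -v jq >/dev/null || { printf 'jq not found in PATH\n' >&2; exit 1; }

#######################################
# Log in to LDAP as "tesla", show the resulting token's metadata and try to
# read all four demo secrets with it.
# Globals:   none
# Arguments: none
# Outputs:   vault output on stdout; the set -x trace on stderr
# Returns:   1 if no token was obtained, so the reads are never attempted
#            with the operator's own (privileged) token by accident
#######################################
read_secrets_as_tesla() {
  local token path
  token=$(vault write -field token auth/ldap/login/tesla password=password) || return 1
  [[ -n "$token" ]] || return 1
  # Hand the token over via the environment rather than argv so it does
  # not show up in `ps`; token-lookup with no argument inspects the
  # caller's own token.
  VAULT_TOKEN=$token vault token-lookup
  for path in secret/path1 secret/path2 secret/path3 secret/path4; do
    VAULT_TOKEN=$token vault read "$path"
  done
}

# Create four secrets in the KV store, one per path
for i in 1 2 3 4; do
  vault write "secret/path$i" "key$i=secret$i"
done

# Create one read-only policy per secret. $(cat <<EOF) is used instead of
# `read -d ''`: the latter always returns 1 (it never sees a NUL
# delimiter), which would abort the script if set -e were ever enabled.
for i in 1 2 3 4; do
  policy=$(cat <<EOF
path "secret/path$i" {
capabilities=["read"]
}
EOF
)
  vault write "sys/policy/policy$i" policy="$policy"
done

# List the policies
vault policies

# Enable the LDAP auth backend and fetch its mount accessor; the accessor
# is what ties entity and group aliases to this particular backend.
vault auth-enable ldap
accessor=$(vault read -format json sys/auth | jq -r '.data["ldap/"].accessor')
if [[ -z "$accessor" || "$accessor" == null ]]; then
  printf 'could not determine the LDAP mount accessor\n' >&2
  exit 1
fi

# Create an entity in the identity store and alias it to the LDAP user
# "tesla", so logins through this backend resolve to that entity.
entityID=$(vault write -f -field id identity/entity)
vault write identity/entity-alias entity_id="$entityID" name=tesla mount_accessor="$accessor"

# Point the backend at the publicly reachable LDAP test directory used by
# this demo.
vault write auth/ldap/config \
  url=ldap://ldap.forumsys.com \
  userattr=uid \
  userdn=dc=example,dc=com \
  groupdn=dc=example,dc=com \
  binddn=cn=read-only-admin,dc=example,dc=com
vault write auth/ldap/groups/engineers policies=default

# 1. Grant "policy1" directly to the LDAP user "tesla"
vault write auth/ldap/users/tesla policies=policy1 groups=engineers
read_secrets_as_tesla

# 2. Grant "policy2" to the entity behind "tesla"
vault write "identity/entity/id/$entityID" policies=policy2
read_secrets_as_tesla

# 3. Create an internal group containing the entity and grant it "policy3"
vault write -f identity/group member_entity_ids="$entityID" policies=policy3
read_secrets_as_tesla

# 4. Create an external group carrying "policy4" and alias it to the LDAP
#    group "Italians" on this backend
italiansGroupID=$(vault write -format json identity/group name=ldap_italians type=external policies=policy4 | jq -r '.data.id')
vault write identity/group-alias canonical_id="$italiansGroupID" mount_accessor="$accessor" name=Italians
read_secrets_as_tesla

# Show the external group; its membership is expected to reflect the LDAP
# group resolved at the last login — verify in the output.
vault read -format json "identity/group/id/$italiansGroupID"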