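#!/bin/bash
#
# Walk through how Vault's identity store layers policies onto an LDAP user:
#   1. the policy on the LDAP user mapping itself            (policy1)
#   2. the policy on the user's entity                       (policy2)
#   3. the policy on an internal group holding that entity   (policy3)
#   4. the policy on an external group aliased to an LDAP group (policy4)
# After each step the user logs in again and all four demo secrets are read,
# so the growing set of readable paths shows which policy sources apply.
#
# Requirements: a running, unsealed Vault addressed by VAULT_ADDR, an
# administrative token already in the environment (VAULT_TOKEN or
# ~/.vault-token), `jq`, and network access to the public test directory
# ldap.forumsys.com. The script uses the legacy CLI spelling the gist was
# written for (`vault write`, `vault auth-enable`, `vault token-lookup`).
# It is meant for a fresh dev server: entity aliases and group names it
# creates are not idempotent, so a second run aborts on the duplicate.
#
# Environment:
#   LDAP_PASSWORD  password of the test user "tesla"
#                  (default: the test directory's published value, "password")
#   DEMO_TRACE     1 (default) enables `set -x` so each command is visible.
#                  NOTE: the trace echoes every expanded command line to
#                  stderr, including the client tokens obtained at login and
#                  the password fed to the login call. Set DEMO_TRACE=0 when
#                  the output is not disposable.
set -euo pipefail

readonly NUM_SECRETS=4

if [[ "${DEMO_TRACE:-1}" == 1 ]]; then
  set -x
fi

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Render a read-only policy document for secret/<name>.
# Arguments: $1 - path segment under secret/
# Outputs:   HCL policy text on stdout
#######################################
policy_for() {
  printf 'path "secret/%s" {\n  capabilities = ["read"]\n}\n' "$1"
}

#######################################
# Log in as the demo LDAP user "tesla" and print the resulting client token.
# Globals:   LDAP_PASSWORD (read)
# Outputs:   the client token on stdout
# Returns:   exits via die() if the login fails or yields no token
#######################################
ldap_login() {
  local token
  # "password=-" makes `vault write` read the value from stdin, so the
  # password is not part of the vault process's argv (visible in `ps`).
  token=$(printf '%s' "${LDAP_PASSWORD:-password}" \
    | vault write -field token auth/ldap/login/tesla password=-) \
    || die "LDAP login for tesla failed"
  [[ -n "$token" ]] || die "LDAP login for tesla returned an empty token"
  printf '%s\n' "$token"
}

#######################################
# Look up a token and attempt to read every demo secret with it.
# Arguments: $1 - client token; handed to vault via VAULT_TOKEN, never argv
# Globals:   NUM_SECRETS (read)
# Outputs:   token metadata and each read attempt on stdout
#######################################
read_secrets_with() {
  local token=$1
  local i
  VAULT_TOKEN="$token" vault token-lookup
  for ((i = 1; i <= NUM_SECRETS; i++)); do
    # Reads of paths this token has not been granted are expected to be
    # denied; that is the point of the demo, so do not abort on them.
    VAULT_TOKEN="$token" vault read "secret/path$i" || true
  done
}

main() {
  local i accessor entity_id italians_group_id token

  # One secret and one matching read-only policy per path.
  for ((i = 1; i <= NUM_SECRETS; i++)); do
    vault write "secret/path$i" "key$i=secret$i"
    vault write "sys/policy/policy$i" policy="$(policy_for "path$i")"
  done
  # List the policies
  vault policies

  # Enable the LDAP auth backend (skipped if it is already mounted) and fetch
  # its mount accessor, which identity aliases are keyed on.
  if ! vault read -format json sys/auth | jq -e '.data["ldap/"]' >/dev/null; then
    vault auth-enable ldap
  fi
  accessor=$(vault read -format json sys/auth | jq -r '.data["ldap/"].accessor')
  [[ -n "$accessor" && "$accessor" != null ]] \
    || die "could not determine the accessor of the ldap/ auth backend"

  # Create an entity in the identity store ...
  entity_id=$(vault write -f -field id identity/entity)
  [[ -n "$entity_id" ]] || die "creating the entity failed"
  # ... and an alias that binds LDAP user "tesla" on this mount to it.
  vault write identity/entity-alias \
    entity_id="$entity_id" name=tesla mount_accessor="$accessor"

  # Point the backend at the public test directory (binddn without a
  # bindpass, as in the original demo).
  vault write auth/ldap/config \
    url=ldap://ldap.forumsys.com \
    userattr=uid \
    userdn=dc=example,dc=com \
    groupdn=dc=example,dc=com \
    binddn=cn=read-only-admin,dc=example,dc=com
  vault write auth/ldap/groups/engineers policies=default

  # Step 1: grant "policy1" directly to user "tesla".
  vault write auth/ldap/users/tesla policies=policy1 groups=engineers
  token=$(ldap_login)
  read_secrets_with "$token"

  # Step 2: grant "policy2" to the entity of user "tesla".
  vault write "identity/entity/id/$entity_id" policies=policy2
  token=$(ldap_login)
  read_secrets_with "$token"

  # Step 3: create an internal group containing the entity; grant "policy3".
  vault write -f identity/group member_entity_ids="$entity_id" policies=policy3
  token=$(ldap_login)
  read_secrets_with "$token"

  # Step 4: create an external group; grant "policy4"; alias it to the LDAP
  # group "Italians" (the demo expects "tesla" to be a member of that group).
  italians_group_id=$(vault write -format json identity/group \
    name=ldap_italians type=external policies=policy4 | jq -r '.data.id')
  [[ -n "$italians_group_id" && "$italians_group_id" != null ]] \
    || die "creating the external group failed"
  vault write identity/group-alias \
    canonical_id="$italians_group_id" mount_accessor="$accessor" name=Italians
  token=$(ldap_login)
  read_secrets_with "$token"

  # Show the external group; its membership is expected to reflect the LDAP
  # group after the login above.
  vault read -format json "identity/group/id/$italians_group_id"
}

main "$@"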