Last active
September 7, 2020 13:08
-
-
Save vishalnayak/947657e39eb1a5d2055b6513a021533b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| read -rsn1; clear; echo -e "\nHello all! Let's talk about Vault today\n"; | |
| read -rsn1; clear; echo -e "\n\n | |
| - Vault solves many problems. But lets talk secret sprawl today | |
| - Secrets are spread everywhere (code, config, VCS) | |
| - Its hard to reason about who had accessed what | |
| - Which secrets were actually used? | |
| - If the infrastructure is compromised, it gets difficult to guage the attack surface which makes it even more harder to execute any break glass procedures. | |
| " | |
| read -rsn1; clear; echo -e "\n\n | |
| Basic Features: | |
| - Centralized Protected Storage | |
| - API driven (automation) | |
| - Dynamic Secrets | |
| - Leasing, Renewals and Revocation | |
| - Auditing | |
| - ACLs | |
| " | |
| read -rsn1; clear; echo -e "\n\n | |
| Vault Architecture | |
| - Core | |
| - Backends: Audit, Auth, Secret, Storage | |
| - Shamir Secret Sharing | |
| " | |
| read -rsn1; clear; echo -e "\n\n | |
| What else can Vault do? | |
| There's also | |
| - Multi-Factor Authentication | |
| - High Availability | |
| - Performance Replication | |
| - Disaster Recovery Replication | |
| - Super cool UI | |
| - Seal Wrapping | |
| - Auto-Unsealing | |
| - Plugin System | |
| - HSM integration | |
| - Control Groups | |
| - Sentinel Integration | |
| and more and more and more and more! | |
| " | |
| read -rsn1; clear; echo -e "\n\n | |
| Today's Agenda: | |
| - Initializing and Unsealing Vault | |
| - Enabling Auditing | |
| - Writing a policy | |
| - KV store | |
| - Transit Backend | |
| - LDAP Auth | |
| - PKI backend | |
| " | |
| read -rsn1; clear; echo -e "\nLet's start a vault server\n"; echo -e "\n\$vault server -config vault.hcl -log-level debug\n";read -rsn1 | |
| ####### Initialize ####### | |
| read -rsn1; clear; echo -e "\nInitialize Vault\n"; echo -e "\n\$vault operator init -format json -key-shares 1 -key-threshold 1\n"; read -rsn1 | |
| initResult=$(vault operator init -format json -key-shares 1 -key-threshold 1) | |
| echo $initResult | jq | |
| unsealKey=$(echo -n $initResult | jq -r '.unseal_keys_b64[0]') | |
| rootToken=$(echo -n $initResult | jq -r '.root_token') | |
| # Store the unseal key and the root token for future use | |
| echo -n $unsealKey > unsealKey | |
| echo -n $rootToken > rootToken | |
| read -rsn1; clear; echo -e "\nUnseal Vault\n"; echo -e "\n\$vault operator unseal "$(cat unsealKey)"\n"; read -rsn1 | |
| vault operator unseal `cat unsealKey` | |
| read -rsn1; clear; echo -e "\nEnable the CLI to operate on Vault\n";echo -e "\n\$vault login "$(cat rootToken)"\n"; read -rsn1 | |
| vault login `cat rootToken` | |
| ####### End of Initialize ####### | |
| ####### Enable Audit ####### | |
| read -rsn1; clear; echo -e "\nEnable auditing to a file\n"; echo -e "\n\$vault audit enable file file_path=vault_audit.log\n"; read -rsn1 | |
| vault audit enable file file_path=vault_audit.log | |
| ####### End of Enable Audit ####### | |
| ####### Secret creation and reading using policy ####### | |
| read -rsn1; clear; echo -e "\nLet's create a secret\n"; echo -e "\n\$vault write secret/foo hello=hashi-standup-folks\n";read -rsn1 | |
| vault write secret/foo hello=hashi-standup-folks | |
| read -rsn1; clear; echo -e "\nLet's create another secret\n"; echo -e "\n\$vault write secret/bar this=should-not-be-accessed\n"; read -rsn1 | |
| vault write secret/bar this=should-not-be-accessed | |
| read -rsn1; clear; echo -e "\nCreate a policy to access a secret: policy.hcl\n"; read -rsn1 | |
| cat > policy.hcl << EOF | |
| path "secret/foo" { | |
| capabilities = ["create", "read", "update", "delete", "list"] | |
| } | |
| EOF | |
| echo $(cat policy.hcl) | |
| read -rsn1; clear; echo -e "\nUpload the policy file into Vault\n"; echo -e "\n\$vault policy write secret-reading-policy policy.hcl\n"; read -rsn1 | |
| vault policy write secret-reading-policy policy.hcl | |
| read -rsn1; clear; echo -e "\nCreating a token\n"; echo -e "\n\$vault token create -format json -ttl 5m -policy secret-reading-policy\n"; read -rsn1 | |
| vault token create -format json -ttl 5m -policy secret-reading-policy > clientToken | |
| echo $(cat clientToken) | jq | |
| clientToken=$(cat clientToken | jq -r .auth.client_token) | |
| read -rsn1; clear; echo -e "\nRead the secret using the token that we created\n"; echo -e "\n\$VAULT_TOKEN=$clientToken vault read secret/foo\n"; read -rsn1 | |
| VAULT_TOKEN=$clientToken vault read secret/foo | |
| read -rsn1; clear; echo -e "\nTry reading something which you don't have access to\n"; echo -e "\n\$VAULT_TOKEN=$clientToken vault read secret/bar\n"; read -rsn1 | |
| VAULT_TOKEN=$clientToken vault read secret/bar | |
| read -rsn1; clear; echo -e "\nTry reading something that doesn't exist\n"; echo -e "\n\$VAULT_TOKEN=$clientToken vault read secret/baz\n"; read -rsn1 | |
| VAULT_TOKEN=$clientToken vault read secret/baz | |
| ####### End of Secret creation and reading using policy ####### | |
| ####### Encryption as a service: Transit ####### | |
| read -rsn1; clear; echo -e "\nEncryption as a service: Transit\n"; echo -e "\n\$vault secrets enable transit\n"; read -rsn1 | |
| vault secrets enable transit | |
| read -rsn1; clear; echo -e "\nCreate a named key in transit\n"; echo -e "\n\$vault write transit/keys/my-key type=aes256-gcm96\n"; read -rsn1 | |
| vault write transit/keys/my-key type=aes256-gcm96 | |
| read -rsn1; clear; echo -e "\nPerform encryption using the named key\n";echo -e "\n\$vault write -format json transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")\n"; read -rsn1 | |
| encryptResult=$(vault write -format json transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")) | |
| echo $encryptResult | jq | |
| cipherText=$(echo -n $encryptResult | jq -r .data.ciphertext) | |
| read -rsn1; clear; echo -e "\nPerform decryption using the named key\n"; echo -e "\n\$vault write -format json transit/decrypt/my-key ciphertext=$cipherText\n"; read -rsn1 | |
| decryptResult=$(vault write -format json transit/decrypt/my-key ciphertext=$cipherText) | |
| echo $decryptResult | jq | |
| plaintextB64=$(echo -n $decryptResult | jq -r .data.plaintext) | |
| read -rsn1; clear; echo -e "\nDecode the base64ed response to get the plaintext\n";echo -e "\necho -n $plaintextB64 | base64 -D\n"; read -rsn1 | |
| echo -n $plaintextB64 | base64 -D | |
| ####### End of Encryption as a service: Transit ####### | |
| ####### LDAP Auth ####### | |
| read -rsn1; clear; echo -e "\nEnable LDAP auth\n"; echo -e "\n\$vault auth enable ldap\n" ;read -rsn1 | |
| vault auth enable ldap | |
| read -rsn1; clear; echo -e "\nCreate LDAP configuration file\n"; read -rsn1 | |
| cat > ldapConfig -<<EOF | |
| { | |
| "url": "ldap://ldap.forumsys.com", | |
| "userattr": "uid", | |
| "userdn": "dc=example,dc=com", | |
| "groupdn": "dc=example,dc=com", | |
| "binddn": "cn=read-only-admin,dc=example,dc=com" | |
| } | |
| EOF | |
| echo $(cat ldapConfig) | jq | |
| read -rsn1; clear; echo -e "\nRegister the configuration in the backend\n"; echo -e "\n\$vault write auth/ldap/config @ldapConfig\n"; read -rsn1 | |
| vault write auth/ldap/config @ldapConfig | |
| read -rsn1; clear; echo -e "\nRegister a group to be able to assign a policy to the LDAP user\n"; echo -e "\n\$vault write auth/ldap/groups/testgroup policies=testgroup-policy\n"; read -rsn1 | |
| vault write auth/ldap/groups/testgroup policies=testgroup-policy | |
| read -rsn1; clear; echo -e "\nRegister a user in the backend with the group information tied\n"; echo -e "\n\$vault write auth/ldap/users/tesla policies=default groups=testgroup\n"; read -rsn1 | |
| vault write auth/ldap/users/tesla policies=default groups=testgroup | |
| read -rsn1; clear; echo -e "\nPerform a login to get the token\n"; echo -e "\n\$vault write -format json auth/ldap/login/tesla password=password\n"; read -rsn1 | |
| vault write -format json auth/ldap/login/tesla password=password | jq | |
| ####### End of LDAP Auth ####### | |
| ####### Approle Auth ####### | |
| #read -rsn1; clear; echo -e "\nEnable AppRole Auth\n"; echo -e "\n\$vault auth enable approle\n"; read -rsn1 | |
| #vault auth enable approle | |
| #read -rsn1; clear; echo -e "\nCreate a role with desired properties\n"; echo -e "\n\$vault write auth/approle/role/role1 bind_secret_id=true period=60 policies=approle_policy\n"; read -rsn1 | |
| #vault write auth/approle/role/role1 bind_secret_id=true period=60 policies=approle_policy | |
| #read -rsn1; clear; echo -e "\nRead out the secret ID\n"; echo -e "\n\$vault write -format json -f auth/approle/role/role1/secret-id\n"; read -rsn1 | |
| #secretIDResult=$(vault write -format json -f auth/approle/role/role1/secret-id) | |
| #echo $secretIDResult | jq | |
| #secretID=$(echo -n $secretIDResult | jq -r '.data.secret_id') | |
| #read -rsn1; clear; echo -e "\nRead out the role ID\n"; echo -e "\n\$vault read -format json auth/approle/role1/role-id\n"; read -rsn1 | |
| #roleIDResult=$(vault read -format json auth/approle/role/role1/role-id) | |
| #echo $roleIDResult | jq | |
| #roleID=$(echo -n $roleIDResult | jq -r '.data.role_id') | |
| #read -rsn1; clear; echo -e "\nLogin and create an AppRole token\n"; echo -e "\n\$vault write auth/approle/login role_id=$roleID secret_id=$secretID\n"; read -rsn1 | |
| #vault write auth/approle/login role_id=$roleID secret_id=$secretID | |
| ####### End of Approle Auth ####### | |
| ####### Vault Secret Backend: pki ####### | |
| read -rsn1; clear; echo -e "\nEnable PKI backend\n"; echo -e "\n\$vault secrets enable pki\n"; read -rsn1 | |
| vault secrets enable pki | |
| read -rsn1; clear; echo -e "\nIncrease the expiry of the CA\n"; echo -e "\n\$vault secrets tune -max-lease-ttl=87600h\n"; read -rsn1 | |
| vault secrets tune -max-lease-ttl=87600h pki | |
| read -rsn1; clear; echo -e "\nGenerate an internal CA which doesn't export the private key\n"; echo -e "\n\$vault write pki/root/generate/internal common_name=myvault.com ttl=87600h ip_sans=127.0.0.1\n"; read -rsn1 | |
| vault write pki/root/generate/internal common_name=myvault.com ttl=87600h ip_sans=127.0.0.1 | |
| read -rsn1; clear; echo -e "\nGenerate a role to control the properties of certificate issuance\n"; echo -e "\n\$vault write pki/roles/myvault-dot-com require_cn=false allowed_domains=myvault.com allow_subdomains=true max_ttl=72h generate_lease=true\n"; read -rsn1 | |
| vault write pki/roles/myvault-dot-com require_cn=false allowed_domains="myvault.com" allow_subdomains="true" max_ttl="72h" generate_lease="true" | |
| read -rsn1; clear; echo -e "\nIssue a certificate\n"; echo -e "vault write pki/issue/myvault-dot-com format=pem ip_sans=127.0.0.1"; read -rsn1 | |
| vault write pki/issue/myvault-dot-com format=pem ip_sans=127.0.0.1 | |
| ####### End of Vault Secret Backend: pki ####### | |
| ####### End ####### | |
| read -rsn1; clear; echo -e "\nCheck audit trail!\n"; read -rsn1 | |
| read -rsn1; clear; echo -e "\nThank you!\n"; read -rsn1 | |
| ####### Exiting the script ####### | |
| exit 0 | |
| ####### End of Existing the script ####### | |
| ####### Response Wrapping ####### | |
| read -rsn1; clear; echo -e "\nResponse Wrapping\n"; echo -e "\n\$vault token create -format json -ttl 5m -policy default -wrap-ttl 2m\n"; read -rsn1 | |
| wrappingResult=$(vault token create -format json -ttl 5m -policy default -wrap-ttl 2m) | |
| echo $wrappingResult | jq | |
| wrappingToken=$(echo -n $wrappingResult | jq -r .wrap_info.token) | |
| read -rsn1; clear; echo -e "\nUnwrap the wrapping token to see the underlying data\n"; echo -e "\n\$vault write sys/wrapping/unwrap token=$wrappingToken\n"; read -rsn1 | |
| vault write sys/wrapping/unwrap token=$wrappingToken | |
| read -rsn1; clear; echo -e "\nWrapping is applicable across Vault's API and not just for tokens\n"; echo -e "\n\$vault write -format json -wrap-ttl 2m auth/ldap/login/tesla password=password\n"; read -rsn1 | |
| wrappingResult=$(vault write -format json -wrap-ttl 2m auth/ldap/login/tesla password=password) | |
| echo $wrappingResult | jq | |
| wrappingToken=$(echo -n $wrappingResult | jq -r .wrap_info.token) | |
| read -rsn1; clear; echo -e "\nUnwrap the wrapping token to see the underlying data\n"; echo -e "\n\$vault write sys/wrapping/unwrap token=$wrappingToken\n"; read -rsn1 | |
| vault write sys/wrapping/unwrap token=$wrappingToken | |
| ####### End of Response Wrapping ####### | |
| ####### TOTP ####### | |
| read -rsn1; clear; echo -e "\nTime-based One Time Passwords from Vault\n"; echo -e "\n\$vault secrets enable totp\n"; read -rsn1 | |
| vault secrets enable totp | |
| read -rsn1; clear; echo -e "\nGenerate a key\n"; echo -e "\n\$vault write totp/keys/my-totp account_name-hashicorp issuer=vault generate=true\n"; read -rsn1 | |
| vault write totp/keys/my-totp account_name=hashicorp issuer=vault generate=true | |
| read -rsn1; clear; echo -e "\nUse API to generate a TOTP code\n"; echo -e "\n\$vault read totp/code/my-totp\n"; read -rsn1 | |
| vault read totp/code/my-totp | |
| ####### End of TOTP ####### | |
| ####### Identity ####### | |
| read -rsn1; clear; echo -e "\nIdentity: Create a user in userpass\n"; echo -e "vault write auth/userpass/users/testuser password=testpassword policy=userpass-policy"; read -rsn1 | |
| vault write auth/userpass/users/testuser password=testpassword policy=userpass-policy | |
| read -rsn1; clear; echo -e "\nCreate an entity\n"; echo -e "\n\$vault write -f -format json identity/entity\n"; read -rsn1 | |
| entityResult=$(vault write -f -format json identity/entity) | |
| echo $entityResult | jq | |
| entityID=$(echo -n $entityResult | jq -r .data.id) | |
| read -rsn1; clear; echo -e "\nFetch the mount accessor of userpass auth method\n"; echo -e "\n\$vault auth list -detailed -format json | jq -r .[userpass/].accessor\n"; read -rsn1 | |
| userPassAccessor=$(vault auth list -detailed -format json | jq -r '.["userpass/"].accessor') | |
| echo $userPassAccessor | |
| read -rsn1; clear; echo -e "\nRegister an alias for the entity\n"; echo -e "\n\$vault write identity/entity-alias name=testuser mount_accessor=$userPassAccessor canonical_id=$entityID\n"; read -rsn1 | |
| vault write identity/entity-alias name=testuser mount_accessor=$userPassAccessor canonical_id=$entityID | |
| read -rsn1; clear; echo -e "\nPerform a login\n"; echo -e "\n\$vault write -format json auth/userpass/login/testuser password=testpassword\n"; read -rsn1 | |
| loginResult=$(vault write -format json auth/userpass/login/testuser password=testpassword) | |
| echo $loginResult | jq | |
| clientToken=$(echo -n $loginResult | jq -r .auth.client_token) | |
| read -rsn1; clear; echo -e "\nNotice the entity ID being populated in the token lookup\n"; echo -e "\n\$vault token lookup -format json $clientToken\n"; read -rsn1 | |
| vault token lookup -format json $clientToken | jq | |
| ####### End of Identity ####### | |
| ####### Identity MFA ####### | |
| read -rsn1; clear; echo -e "\nMulti-Factor Authentication\n\nRegister a MFA method in Vault\n"; echo -e "\n\$vault write sys/mfa/method/totp/my_totp issuer=vault\n"; read -rsn1 | |
| vault write sys/mfa/method/totp/my_totp issuer=Vault | |
| read -rsn1; clear; echo -e "\nCreate a policy that requires an MFA\n" | |
| cat > totp-policy.hcl << EOF | |
| path "auth/token/create" { | |
| capabilities = ["create", "update"] | |
| mfa_methods = ["my_totp"] | |
| } | |
| EOF | |
| echo $(cat totp-policy.hcl) | |
| read -rsn1; clear; echo -e "\nUpload the TOTP policy\n"; echo -e "\n\$vault policy write totp-policy totp-policy.hcl\n"; read -rsn1 | |
| vault policy write totp-policy totp-policy.hcl | |
| read -rsn1; clear; echo -e "\nUpdate the userpass user to get the TOTP policy upon login\n"; echo -e "\n\$vault write auth/userpass/users/testuser password=testpassword policies=totp-policy\n"; read -rsn1 | |
| vault write auth/userpass/users/testuser password=testpassword policies=totp-policy | |
| read -rsn1; clear; echo -e "\nPerform the login\n"; echo -e "\n\$vault write -format json auth/userpass/login/testuser password=testpassword\n"; read -rsn1 | |
| loginResult=$(vault write -format json auth/userpass/login/testuser password=testpassword) | |
| echo $loginResult | jq | |
| clientToken=$(echo -n $loginResult | jq -r .auth.client_token) | |
| entityID=$(vault token lookup -format json $clientToken | jq -r '.data.entity_id') | |
| read -rsn1; clear; echo -e "\nGenerate a URL for the TOTP MFA method\n"; echo -e "\n\$vault write -format json sys/mfa/method/totp/my_totp/admin-generate entity_id=$entityID\n"; read -rsn1 | |
| generateResult=$(vault write -format json sys/mfa/method/totp/my_totp/admin-generate entity_id=$entityID) | |
| echo $generateResult | jq | |
| url=$(echo -n $generateResult | jq -r .data.url) | |
| read -rsn1; clear; echo -e "\nRegister the URL with the TOTP backend to generate a code\n"; echo -e "\n\$vault write totp/keys/my_totp url=$url\n"; read -rsn1 | |
| vault write totp/keys/my_totp url=$url | |
| read -rsn1; clear; echo -e "\nGenerate TOTP code for MFA auth\n"; echo -e "\n\$vault read -format json totp/code/my_totp | jq -r '.data.code'\n"; read -rsn1 | |
| totpCode=$(vault read -format json totp/code/my_totp | jq -r '.data.code') | |
| echo $totpCode | |
| read -rsn1; clear; echo -e "\nTry to access the API without the TOTP code; This should fail\n"; echo -e "\n\$VAULT_TOKEN=$clientToken vault write -f auth/token/create\n"; read -rsn1 | |
| VAULT_TOKEN=$clientToken vault write -f auth/token/create | |
| read -rsn1; echo -e "\nSupply the TOTP code with the request\n"; echo -e "\n\$VAULT_TOKEN=$clientToken vault write -f -mfa my_totp:$totpCode auth/token/create\n"; read -rsn1 | |
| VAULT_TOKEN=$clientToken vault write -f -mfa my_totp:$totpCode auth/token/create | |
| ####### End of Identity MFA ####### | |
| ####### Userpass Auth ####### | |
| read -rsn1; clear; echo -e "\nEnble userpass backend\n"; echo -e "\n\$vault auth enable userpass\n"; read -rsn1 | |
| vault auth enable userpass | |
| read -rsn1; clear; echo -e "\nRegister a user in the backend with the desired policy\n"; echo -e "\n\$vault write auth/userpass/users/hashi password=corp policies=userpass-policy\n"; read -rsn1 | |
| vault write auth/userpass/users/hashi password=corp policies=userpass-policy | |
| read -rsn1; clear; echo -e "\nPerform a login to get a token\n"; echo -e "\n\$vault write auth/userpass/login/hashi password=corp\n"; read -rsn1 | |
| vault write auth/userpass/login/hashi password=corp | |
| ####### End of Userpass Auth ####### |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment