@vishalnayak
Last active March 25, 2020 13:37
Exemplifies enabling a token to read its own entity alias through a templated ACL policy (the default policy already lets a token read its own entity).
#!/bin/bash
set -aex

# Start from a clean slate; "|| true" keeps set -e from aborting when no
# vault process is running.
pkill -9 vault || true

# Single-node lab Vault: in-memory storage, plaintext listener on loopback.
# Never use this configuration outside a throwaway environment.
tee /tmp/config.hcl <<EOF
storage "inmem" {}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}
api_addr = "http://127.0.0.1:8200"
EOF

# The CLI defaults to https://127.0.0.1:8200; point it at the plaintext listener.
export VAULT_ADDR="http://127.0.0.1:8200"

vault server -log-level=trace -config /tmp/config.hcl > /tmp/config.log 2>&1 &
while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done

# A single unseal share is fine for a lab; unseal and log in as root.
initResponse=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
unsealKey=$(echo "$initResponse" | jq -r '.unseal_keys_b64[0]')
rootToken=$(echo "$initResponse" | jq -r '.root_token')
vault operator unseal "$unsealKey"
vault login "$rootToken"

# Aliases are keyed by the accessor of the auth mount that created them,
# so the policy template below needs the userpass mount accessor.
vault auth enable userpass
mountAccessor=$(vault read -format json sys/auth | jq -r '.data."userpass/".accessor')

# Templated ACL: the {{...}} parameter resolves, per request, to the ID of
# the calling token's entity alias on this mount. The token therefore gets
# read access to exactly one alias (its own) and to nothing else under
# identity/entity-alias/id/. Reading identity/entity/id/<own entity id>
# is already granted by the default policy, which userpass tokens carry.
cat > /tmp/identityTemplate.hcl <<EOF
path "identity/entity-alias/id/{{identity.entity.aliases.$mountAccessor.id}}" {
  capabilities = ["read"]
}
EOF
vault policy write identityTemplate /tmp/identityTemplate.hcl

vault write auth/userpass/users/foo password=bar policies=identityTemplate
token=$(vault write -format json auth/userpass/login/foo password=bar | jq -r '.auth.client_token')

# Logging in created an entity and an alias for foo. Walk token -> entity ->
# alias using only foo's own token; the final read succeeds only because the
# templated path matches this token's alias.
entityID=$(VAULT_TOKEN=$token vault token lookup -format json | jq -r '.data.entity_id')
aliasID=$(VAULT_TOKEN=$token vault read -format json identity/entity/id/$entityID | jq -r '.data.aliases[0].id')
VAULT_TOKEN=$token vault read -format json identity/entity-alias/id/$aliasID
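The positive read above shows the template resolving correctly, but the security property worth proving is the negative one: a token holding `identityTemplate` must be denied every alias except its own, even though the path prefix is identical. The script below is an added example, not part of the original gist. It assumes the server, root login, `userpass` mount and `identityTemplate` policy from the script above are in place and that `$token` and `$mountAccessor` are still exported (`set -a` does that); the second user `baz` and the helper names `expect_denied`, `alias_id_for_accessor` and `run_live_check` are hypothetical. It also picks the alias by `mount_accessor` rather than trusting `aliases[0]`, which is only safe while an entity has a single alias.

```shell
#!/bin/bash
# Added negative test for the templated policy (not from the original gist).
set -eu

# expect_denied CMD... : run CMD and succeed only if it fails with a Vault
# permission-denied error. A command that succeeds, or that fails for some
# other reason (bad address, sealed server), is reported as a test failure so
# that a broken lab cannot masquerade as a passing ACL check.
expect_denied() {
  out=""
  rc=0
  out=$("$@" 2>&1) || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "FAIL: expected denial but command succeeded: $*" >&2
    return 1
  fi
  case "$out" in
    *"permission denied"*) return 0 ;;
    *)
      echo "FAIL: command failed for a reason other than ACL denial:" >&2
      printf '%s\n' "$out" >&2
      return 1 ;;
  esac
}

# alias_id_for_accessor ENTITY_JSON MOUNT_ACCESSOR : select the alias that
# belongs to the given auth mount instead of assuming it is aliases[0].
alias_id_for_accessor() {
  printf '%s' "$1" | jq -r --arg acc "$2" \
    '.data.aliases[] | select(.mount_accessor == $acc) | .id'
}

# Live check against the lab server started by the script above
# (hypothetical second user "baz" with the same policy).
run_live_check() {
  vault write auth/userpass/users/baz password=qux policies=identityTemplate >/dev/null
  bazToken=$(vault write -format=json auth/userpass/login/baz password=qux | jq -r '.auth.client_token')
  bazEntity=$(VAULT_TOKEN=$bazToken vault token lookup -format=json | jq -r '.data.entity_id')
  # Root may read any entity; fetch baz's alias ID on the userpass mount.
  bazAlias=$(alias_id_for_accessor "$(vault read -format=json identity/entity/id/"$bazEntity")" "$mountAccessor")

  fooEntity=$(VAULT_TOKEN=$token vault token lookup -format=json | jq -r '.data.entity_id')
  fooAlias=$(alias_id_for_accessor "$(VAULT_TOKEN=$token vault read -format=json identity/entity/id/"$fooEntity")" "$mountAccessor")

  # foo's token reads its own alias ...
  VAULT_TOKEN=$token vault read identity/entity-alias/id/"$fooAlias" >/dev/null
  # ... and is denied baz's alias: the template resolves to foo's alias ID,
  # so the requested path never matches the policy.
  expect_denied env VAULT_TOKEN=$token vault read identity/entity-alias/id/"$bazAlias"
  echo "ok: foo's token is scoped to its own alias only"
}

# Only run the live part when the lab from the script above is available.
if command -v vault >/dev/null 2>&1 && [ -n "${token:-}" ] && [ -n "${mountAccessor:-}" ]; then
  run_live_check
fi
```

Run it in the same shell session (or `source` it) right after the script above so the exported variables are visible; `expect_denied` is reusable for any other path you expect the templated policy to reject, such as `identity/entity-alias/id/` without an ID.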