@zalary
Created April 6, 2020 15:19
using a + in a policy path
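#!/bin/bash
# Demo: compare a Vault policy that spells out the secret path literally
# (namedPath) with one that uses the `+` single-segment wildcard (plusPath),
# against a throwaway in-memory dev server on 127.0.0.1:8200.
#
# Requires vault, jq, nc and pkill on PATH. Nothing persists: storage is inmem.
#
# -e: abort on the first failing command; -u: unset variables are errors;
# -x: trace every command to stderr (for this throwaway server that trace
# includes the unseal key and root token); pipefail: in the `vault ... | jq`
# pipelines below a failed vault call is no longer masked by jq succeeding,
# which otherwise yields the token "null" and runs the checks with a bogus
# token. `-a` (auto-export) is dropped: nothing here relies on it, and it
# would place the unseal key and root token in the environment of every
# child process (nc, sleep, jq, ...).
set -euxo pipefail

# Free port 8200 from a previous run; "no process found" is not an error here.
pkill -9 vault || true
sleep 2s

# Minimal server config: in-memory storage, plaintext listener on loopback.
# NOTE(review): fixed, predictable paths under /tmp; a per-run `mktemp -d`
# would avoid clobbering or symlink surprises on a shared host.
tee /tmp/config.hcl <<EOF
storage "inmem" {}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
pid_file = "/tmp/vault.pid"
EOF

# Start the server in the background and block until the listener accepts.
vault server -config /tmp/config.hcl > /tmp/config.log 2>&1 &
while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done

export VAULT_ADDR='http://127.0.0.1:8200'

# One key share / threshold 1 so a single unseal call is enough.
initResponse=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
unsealKey=$(jq -r '.unseal_keys_b64[0]' <<<"$initResponse")
rootToken=$(jq -r '.root_token' <<<"$initResponse")
vault operator unseal "$unsealKey"
sleep 3s
vault login "$rootToken"

# Policy that names the test/subfolder segments explicitly.
vault policy write namedPath -<<EOF
# Allow devs to see the apps tree
path "apps/*" {
capabilities = ["list"]
}
# Allow devs to read any apps/ secret
path "apps/data/*" {
capabilities = [ "read", "list" ]
}
# Allow devs to make changes to their secrets key
path "apps/data/test/subfolder/secrets" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Allow devs to make changes to their secrets trees
path "apps/data/test/subfolder/secrets/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

# Same intent, but each of the two middle segments is matched with `+`.
vault policy write plusPath -<<EOF
# Allow devs to see the apps tree
path "apps/*" {
capabilities = ["list"]
}
# Allow devs to read any apps/ secret
path "apps/data/*" {
capabilities = ["read", "list"]
}
# Allow devs to list data under the apps/ tree
path "apps/metadata/*" {
capabilities = ["list", "read"]
}
# Allow devs to make changes to their secrets key
path "apps/data/+/+/secrets" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Allow devs to make changes to their secrets trees
path "apps/data/+/+/secrets/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

# kv-v2 mount at apps/ (so the data/ and metadata/ prefixes above apply).
vault secrets enable -path=apps kv-v2
vault auth enable userpass

# create the users, one per policy
vault write auth/userpass/users/plus-dev password="dev" policies="plusPath"
vault write auth/userpass/users/named-dev password="dev" policies="namedPath"

# login as the named-path user
namedToken=$(vault write -format json auth/userpass/login/named-dev password=dev | jq -r '.auth.client_token')
# write a secret
VAULT_TOKEN="$namedToken" vault kv put apps/test/subfolder/secrets/dev dev_secret="i googled most of this"
# read the secret
VAULT_TOKEN="$namedToken" vault kv get apps/test/subfolder/secrets/dev

# login as the plus-path user
plusToken=$(vault write -format json auth/userpass/login/plus-dev password=dev | jq -r '.auth.client_token')
# read existing secret
VAULT_TOKEN="$plusToken" vault kv get apps/test/subfolder/secrets/dev
# expect writing a secret will also work
VAULT_TOKEN="$plusToken" vault kv put apps/test/subfolder/secrets/foo test_secret="foobar"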