Vault CLI testing AppRole
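#!/usr/bin/env bash
# Exercise Vault's AppRole auth method end to end against a throwaway dev
# server: write a secret, scope a read-only policy to it, create a role, log in
# with role_id + secret_id (pull model), log in with a pushed custom secret_id,
# then confirm that a narrowly scoped "orchestrator" token can mint secret_ids
# for the role but cannot escalate (mint orphan tokens / read the role_id).
#
# Requires: vault, jq. Everything runs against an in-memory `vault server -dev`
# on 127.0.0.1:8200 (plain HTTP, well-known root token "root"), which this
# script starts and tears down. DO NOT reuse any of this against a real cluster.
set -euo pipefail

for tool in vault jq; do
  command -v "$tool" >/dev/null || {
    printf 'missing required tool: %s\n' "$tool" >&2
    exit 1
  }
done

# The dev server prints its unseal key and root token on stdout; keep that in
# a private temp file instead of the terminal scrollback.
vault_log=$(mktemp) || exit 1

# Stop the background server and drop its log on any exit path.
cleanup() {
  if [[ -n "${vault_pid:-}" ]]; then
    kill "$vault_pid" 2>/dev/null || true
  fi
  rm -f -- "$vault_log"
}
trap cleanup EXIT

# start vault in the background. Run in the foreground (as the original
# transcript did) it never returns, so nothing below would execute.
VAULT_UI=true vault server -dev -dev-root-token-id=root \
  -dev-listen-address=127.0.0.1:8200 >"$vault_log" 2>&1 &
vault_pid=$!

# The CLI defaults to https://127.0.0.1:8200; the dev listener is plain HTTP.
export VAULT_ADDR=http://127.0.0.1:8200

# wait until the dev server is initialized and unsealed (`vault status` exits 0
# only in that state; 2 = sealed, 1 = unreachable/error).
for _ in {1..50}; do
  vault status >/dev/null 2>&1 && break
  sleep 0.2
done
vault status >/dev/null 2>&1 || {
  printf 'vault dev server did not come up; see %s\n' "$vault_log" >&2
  exit 1
}

# Authenticate as root via VAULT_TOKEN rather than `vault login`, so the demo
# never overwrites whatever token the user's token helper (~/.vault-token)
# already holds. DO NOT DO THIS IN PRODUCTION: root tokens are for initial
# setup only and should be revoked afterwards.
export VAULT_TOKEN=root

# write some secrets (dev mode mounts KV at secret/)
vault kv put secret/test color=blue number=eleventeen

# create policy: read-only over the secret/ mount
vault policy write test - <<'EOF'
path "secret/*" {
  capabilities = ["list", "read"]
}
EOF

# enable approle
vault auth enable approle

# configure approle role named "testrole"
# NOTE(security): the *_bound_cidrs lists are OR'd and 0.0.0.0/0 matches every
# source address, so the 127.0.0.1/32 entry adds no restriction at all here.
# Outside this demo, drop 0.0.0.0/0 and list only the real client ranges.
# secret_id_num_uses / secret_id_ttl bound how long a leaked secret_id is
# usable; token_num_uses / token_ttl / token_max_ttl do the same for the
# resulting token.
vault write auth/approle/role/testrole \
  secret_id_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \
  secret_id_ttl=60m \
  secret_id_num_uses=5 \
  enable_local_secret_ids=false \
  token_bound_cidrs="0.0.0.0/0","127.0.0.1/32" \
  token_num_uses=10 \
  token_ttl=1h \
  token_max_ttl=3h \
  token_type=default \
  period="" \
  policies="default","test"

# Read role-id. In the pull model the role_id is the non-secret half and the
# secret_id is the credential; deliver them to the app over separate channels.
ROLE_ID=$(vault read -format=json auth/approle/role/testrole/role-id | jq -r '.data.role_id')
printf 'role_id: %s\n' "$ROLE_ID"

# generate exactly one secret-id and capture it (the original generated two,
# one just for display, leaving an unused credential with 5 uses / 60m TTL).
SECRET_ID=$(vault write -f -format=json auth/approle/role/testrole/secret-id | jq -r '.data.secret_id')

# login with role-id + secret-id. The secret_id is fed on stdin ("-") so it
# does not show up in `ps` output or shell history, and the issued token is
# captured from the JSON response instead of being pasted back by hand.
APP_TOKEN=$(printf '%s' "$SECRET_ID" \
  | vault write -format=json auth/approle/login role_id="$ROLE_ID" secret_id=- \
  | jq -r '.auth.client_token')

# test resulting token: read secrets with it (only this command uses it)
VAULT_TOKEN="$APP_TOKEN" vault kv get secret/test

# approle push test: the operator (still root here) sets a known secret_id on
# the role. A hand-picked value like this is acceptable in a demo only — in
# practice it is a static, guessable credential; let Vault generate it.
printf '%s' asdfasdf | vault write auth/approle/role/testrole/custom-secret-id secret_id=-

# login with custom secret_id
PUSH_TOKEN=$(printf '%s' asdfasdf \
  | vault write -format=json auth/approle/login role_id="$ROLE_ID" secret_id=- \
  | jq -r '.auth.client_token')

# test resulting token
VAULT_TOKEN="$PUSH_TOKEN" vault kv get secret/test

# create a token scoped so that it can only mint secret-ids for testrole
vault policy write orchestrator - <<'EOF'
path "auth/approle/role/testrole/secret-id" {
  capabilities = ["create","update"]
}
EOF
# -orphan: not revoked along with the root token that created it;
# -period=8h: renewable indefinitely as long as it is renewed within 8h.
ORCH_TOKEN=$(vault token create -format=json -period="8h" -orphan -policy=orchestrator | jq -r '.auth.client_token')

# fetch secret-id with the orchestrator token: this must succeed
VAULT_TOKEN="$ORCH_TOKEN" vault write -f auth/approle/role/testrole/secret-id

# expect_denied DESCRIPTION COMMAND...
# Runs COMMAND under the orchestrator token and reports the outcome. A non-zero
# exit (Vault's permission denied) is the expected result; success means the
# orchestrator policy is broader than intended and is reported as a failure.
# Stdout is discarded so an unexpectedly issued token is never printed.
expect_denied() {
  local desc=$1
  shift
  if VAULT_TOKEN="$ORCH_TOKEN" "$@" >/dev/null; then
    printf 'FAIL: %s was allowed for the orchestrator token\n' "$desc" >&2
    return 1
  fi
  printf 'ok: %s denied as expected\n' "$desc"
}

# TEST FAILURES: the orchestrator token must not be able to mint further
# (orphan) tokens — -orphan requires sudo on auth/token/create — nor read the
# role-id, which its policy does not grant.
expect_denied "token create -orphan" vault token create -period="8h" -orphan -policy=orchestrator
expect_denied "read role-id" vault read auth/approle/role/testrole/role-id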