add vault_policy.sh

2025-01-18 07:30:34 +00:00 · 2018-03-01 14:09:23 -05:00 · 2018-03-01 14:09:23 -05:00 · a4bdbb2363
commit a4bdbb2363
parent eb4bf65d8d
2 changed files with 34 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -108,7 +108,9 @@ REQUIRED

 #### `vault_token`

-Vault token for authenticating to vault.  This should have appropriate permissions applied in vault.  A demo script is provided 
+Vault token for authenticating to vault.  This should have appropriate
+permissions applied in vault.  A demo script is provided
+[here](vault_policy.sh)

 REQUIRED

--- a/vault_policy.sh
+++ b/vault_policy.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# this script sets up policies in vault to support reading and writing certs.
+# Comments at the bottom provide examples for how to create tokens using these
+# policies, to be distributed to machines.
+
+cert_read='
+path "secret/letsencrypt/*" {
+  capabilities = ["read"]
+}
+'
+
+cert_write='
+path "secret/letsencrypt/*" {
+  capabilities = ["create", "update", "read"]
+}
+path "secret/dns_api/token" {
+  capabilities = ["read"]
+}
+'
+vault write sys/policy/cert_read policy=@<(echo $cert_read)
+vault write sys/policy/cert_write policy=@<(echo $cert_write)
+
+# create periodic tokens:
+# these tokens have a period of 20 days, they will expire if not renewed.
+
+# vault token create -policy=cert_write -period=1728000 -metadata="host=testbox"
+# vault token create -policy=cert_read -period=1728000 -metadata="host=testbox"
+
+# secret for dns api
+# vault write secret/dns_api/token value=$(cat)