kris/puppet-acme_vault
1
0
Fork 0
mirror of https://github.com/krislamo/puppet-acme_vault synced 2024-11-09 20:30:36 +00:00
Code Issues Releases Wiki Activity

add vault_policy.sh

Browse Source
This commit is contained in:
Bob Belnap 2018-03-01 14:09:23 -05:00
parent eb4bf65d8d
commit a4bdbb2363
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -108,7 +108,9 @@ REQUIRED
#### `vault_token` #### `vault_token`
Vault token for authenticating to vault. This should have appropriate permissions applied in vault. A demo script is provided Vault token for authenticating to vault. This should have appropriate
permissions applied in vault. A demo script is provided
[here](vault_policy.sh)
REQUIRED REQUIRED

31
vault_policy.sh Normal file
View File

@ -0,0 +1,31 @@
#!/bin/bash
# this script sets up policies in vault to support reading and writing certs.
# Comments at the bottom provide examples for how to create tokens using these
# policies, to be distributed to machines.
cert_read='
path "secret/letsencrypt/*" {
capabilities = ["read"]
}
'
cert_write='
path "secret/letsencrypt/*" {
capabilities = ["create", "update", "read"]
}
path "secret/dns_api/token" {
capabilities = ["read"]
}
'
vault write sys/policy/cert_read policy=@<(echo $cert_read)
vault write sys/policy/cert_write policy=@<(echo $cert_write)
# create periodic tokens:
# these tokens have a period of 20 days, they will expire if not renewed.
# vault token create -policy=cert_write -period=1728000 -metadata="host=testbox"
# vault token create -policy=cert_read -period=1728000 -metadata="host=testbox"
# secret for dns api
# vault write secret/dns_api/token value=$(cat)