kris/puppet-acme_vault
1
0
Fork 0
mirror of https://github.com/krislamo/puppet-acme_vault synced 2024-09-19 20:40:36 +00:00
Code Issues Releases Wiki Activity
c437a6b065
puppet-acme_vault/vault_policy.sh
Bob Belnap a4bdbb2363 add vault_policy.sh
2018-03-01 14:09:23 -05:00

32 lines
893 B
Bash
Raw Blame History

#!/bin/bash
# this script sets up policies in vault to support reading and writing certs.
# Comments at the bottom provide examples for how to create tokens using these
# policies, to be distributed to machines.
cert_read='
path "secret/letsencrypt/*" {
capabilities = ["read"]
}
'
cert_write='
path "secret/letsencrypt/*" {
capabilities = ["create", "update", "read"]
}
path "secret/dns_api/token" {
capabilities = ["read"]
}
'
vault write sys/policy/cert_read policy=@<(echo $cert_read)
vault write sys/policy/cert_write policy=@<(echo $cert_write)
# create periodic tokens:
# these tokens have a period of 20 days, they will expire if not renewed.
# vault token create -policy=cert_write -period=1728000 -metadata="host=testbox"
# vault token create -policy=cert_read -period=1728000 -metadata="host=testbox"
# secret for dns api
# vault write secret/dns_api/token value=$(cat)
Reference in New Issue View Git Blame Copy Permalink