vault-provision 0.1.8 → 0.1.9

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 2b899b07ba3632b5568363ad5dd4f0c446eb3c19
4
- data.tar.gz: b88d77a6a1fd6848022025963a9be18390afe997
3
+ metadata.gz: 0edcd40874242ad1c2e953a14261cb02ad1e0ef9
4
+ data.tar.gz: bfb7aff56d0bf2c7fe54c12c7d2601e84c43d6f9
5
5
  SHA512:
6
- metadata.gz: fe576f3c3c977abce9e97da0181d3fb948c057791f18b12c470cc1f82b61e3519af167389139eadf6ffea144cf1c98ffa11824dfe1606d3af9c040443f94e7c2
7
- data.tar.gz: 63b14e18917b623d5e448ed4524c887199a6757bafa9be2184a5309e070dc5eda386e63428d8f4ea666fbb87dbd8b7f3aa8fd0074616ede502bfc0d65e89e23e
6
+ metadata.gz: 68669b47d77cbd56423c1d105018bc01cb86351c118edbc728cfe65d58477d1656e315003e886df1f65aa1df016a04d33b5be17423556670f0810f3cd7228b09
7
+ data.tar.gz: 6d2810d47c3657ef12fd852929062ad89eead48d471a2293f1fbd481d568b3674df613ea922a36dd8ed55c704384b270ed6ce8276f9d3cc510d742ec62efbea6
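--- a/data/.gitignore
+++ b/data/.gitignore
@@ -10,3 +10,4 @@ coverage
 todo
 *.gem
 vendor/ruby
+log/*.log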
data/.rubocop.yml CHANGED
@@ -1,2 +1,5 @@
1
1
  Style/ClassAndModuleChildren:
2
2
  EnforcedStyle: compact
3
+
4
+ Style/StringLiterals:
5
+ Enabled: false
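--- a/data/Gemfile
+++ b/data/Gemfile
@@ -3,9 +3,17 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'rake', '~>12.0'
-gem 'rspec', '~>3.5.0'
-gem 'rspec-core', '~>3.5.4'
 
 gem 'activesupport', '~>5.0.2'
 gem 'rhcl', '~>0.1.0'
 gem 'vault', '~>0.10'
+
+group :development, :test do
+gem 'aws-sdk', '~>2.10.3'
+gem 'rspec', '~>3.6.0'
+gem 'rspec-core', '~>3.6.0'
+gem 'rubocop', '~>0.49.1'
+gem 'rubocop-github', '~>0.5.0'
+gem 'vcr', '~>3.0.3'
+gem 'webmock', '~>3.0.1'
+end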
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- vault-provision (0.1.7)
4
+ vault-provision (0.1.8)
5
5
  activesupport (~> 5.0, >= 5.0.2)
6
6
  rhcl (~> 0.1.0)
7
7
  vault (~> 0.10)
@@ -14,43 +14,87 @@ GEM
14
14
  i18n (~> 0.7)
15
15
  minitest (~> 5.1)
16
16
  tzinfo (~> 1.1)
17
+ addressable (2.5.1)
18
+ public_suffix (~> 2.0, >= 2.0.2)
19
+ ast (2.3.0)
20
+ aws-sdk (2.10.3)
21
+ aws-sdk-resources (= 2.10.3)
22
+ aws-sdk-core (2.10.3)
23
+ aws-sigv4 (~> 1.0)
24
+ jmespath (~> 1.0)
25
+ aws-sdk-resources (2.10.3)
26
+ aws-sdk-core (= 2.10.3)
27
+ aws-sigv4 (1.0.0)
17
28
  concurrent-ruby (1.0.5)
29
+ crack (0.4.3)
30
+ safe_yaml (~> 1.0.0)
18
31
  deep_merge (1.1.1)
19
32
  diff-lcs (1.3)
33
+ hashdiff (0.3.4)
20
34
  i18n (0.8.4)
35
+ jmespath (1.3.1)
21
36
  minitest (5.10.2)
37
+ parallel (1.11.2)
38
+ parser (2.4.0.0)
39
+ ast (~> 2.2)
40
+ powerpack (0.1.1)
41
+ public_suffix (2.0.5)
42
+ rainbow (2.2.2)
43
+ rake
22
44
  rake (12.0.0)
23
45
  rhcl (0.1.0)
24
46
  deep_merge
25
- rspec (3.5.0)
26
- rspec-core (~> 3.5.0)
27
- rspec-expectations (~> 3.5.0)
28
- rspec-mocks (~> 3.5.0)
29
- rspec-core (3.5.4)
30
- rspec-support (~> 3.5.0)
31
- rspec-expectations (3.5.0)
47
+ rspec (3.6.0)
48
+ rspec-core (~> 3.6.0)
49
+ rspec-expectations (~> 3.6.0)
50
+ rspec-mocks (~> 3.6.0)
51
+ rspec-core (3.6.0)
52
+ rspec-support (~> 3.6.0)
53
+ rspec-expectations (3.6.0)
32
54
  diff-lcs (>= 1.2.0, < 2.0)
33
- rspec-support (~> 3.5.0)
34
- rspec-mocks (3.5.0)
55
+ rspec-support (~> 3.6.0)
56
+ rspec-mocks (3.6.0)
35
57
  diff-lcs (>= 1.2.0, < 2.0)
36
- rspec-support (~> 3.5.0)
37
- rspec-support (3.5.0)
58
+ rspec-support (~> 3.6.0)
59
+ rspec-support (3.6.0)
60
+ rubocop (0.49.1)
61
+ parallel (~> 1.10)
62
+ parser (>= 2.3.3.1, < 3.0)
63
+ powerpack (~> 0.1)
64
+ rainbow (>= 1.99.1, < 3.0)
65
+ ruby-progressbar (~> 1.7)
66
+ unicode-display_width (~> 1.0, >= 1.0.1)
67
+ rubocop-github (0.5.0)
68
+ rubocop (~> 0.49)
69
+ ruby-progressbar (1.8.1)
70
+ safe_yaml (1.0.4)
38
71
  thread_safe (0.3.6)
39
72
  tzinfo (1.2.3)
40
73
  thread_safe (~> 0.1)
74
+ unicode-display_width (1.3.0)
41
75
  vault (0.10.1)
76
+ vcr (3.0.3)
77
+ webmock (3.0.1)
78
+ addressable (>= 2.3.6)
79
+ crack (>= 0.3.2)
80
+ hashdiff
42
81
 
43
82
  PLATFORMS
44
83
  ruby
45
84
 
46
85
  DEPENDENCIES
47
86
  activesupport (~> 5.0.2)
87
+ aws-sdk (~> 2.10.3)
48
88
  rake (~> 12.0)
49
89
  rhcl (~> 0.1.0)
50
- rspec (~> 3.5.0)
51
- rspec-core (~> 3.5.4)
90
+ rspec (~> 3.6.0)
91
+ rspec-core (~> 3.6.0)
92
+ rubocop (~> 0.49.1)
93
+ rubocop-github (~> 0.5.0)
52
94
  vault (~> 0.10)
53
95
  vault-provision!
96
+ vcr (~> 3.0.3)
97
+ webmock (~> 3.0.1)
54
98
 
55
99
  BUNDLED WITH
56
100
  1.15.1
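--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.8
+0.1.9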
@@ -0,0 +1,44 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'trollop'
4
+ require 'vault'
5
+ require 'vault_provision'
6
+
7
+ prog_name = File.basename $PROGRAM_NAME
8
+ opts = Trollop.options do
9
+ banner <<-EOS
10
+ Provision a Vault configuration
11
+
12
+ Usage:
13
+
14
+ $ export VAULT_ADDR='https://<my-vault-server:8200>'
15
+ $ export VAULT_TOKEN=<my-vault-root-token>
16
+ $ #{prog_name} --dir /path/to/provisioning-data
17
+ .
18
+ EOS
19
+ opt :dir,
20
+ 'Root directory of provisioning data. For example, ./bin/vault-provision --dir ./examples/basic',
21
+ type: :string
22
+ opt :destructive,
23
+ 'Regenerate the PKI CA keys (DANGEROUS)',
24
+ default: false
25
+ opt :addr,
26
+ 'vault address (overrides VAULT_ADDR)',
27
+ type: :string, default: ENV['VAULT_ADDR']
28
+ opt :token,
29
+ 'vault token (overrides VAULT_TOKEN)',
30
+ type: :string, default: ENV['VAULT_TOKEN']
31
+ end
32
+
33
+ Trollop.die :dir, "need a directory" if opts[:dir].nil?
34
+ Trollop.die :dir, "#{opts[:dir]} isn't a directory" unless FileTest.directory?(opts[:dir])
35
+
36
+ Trollop.die :addr, "need VAULT_ADDR set" unless opts[:addr]
37
+ Trollop.die :token, "need VAULT_TOKEN set" unless opts[:token]
38
+
39
+ signatories = {'pki-intermediate': 'pki-root'}
40
+ Vault::Provision.new(opts[:dir],
41
+ address: opts[:addr],
42
+ token: opts[:token],
43
+ intermediate_issuer: signatories,
44
+ pki_allow_destructive: opts[:destructive]).provision!
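Review bot: `opt :token, …, default: ENV['VAULT_TOKEN']` feeds the live Vault token into Trollop's generated help text (Trollop appends `(default: …)` to each option's description), so `vault-provision --help` prints the root token whenever VAULT_TOKEN is set, and a token passed as `--token` is likewise exposed in the process list and shell history. Keep the flags but resolve the environment fallback after parsing instead of as a displayed default: `opt :token, 'vault token (overrides VAULT_TOKEN)', type: :string`, then `token = opts[:token] || ENV['VAULT_TOKEN']` before the `Trollop.die :token` check, and the same for `:addr`. `require 'trollop'` has no counterpart in this release's Gemfile hunk; unless the gemspec (not shown here) declares it, the installed executable fails at load. The usage banner ends with a bare `.` line that is printed verbatim in `--help` output.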
@@ -0,0 +1,3 @@
1
+ {
2
+ "arn": "arn:aws:iam::aws:policy/IAMFullAccess"
3
+ }
@@ -0,0 +1,15 @@
1
+ {
2
+ "Version": "2012-10-17",
3
+ "Statement": [
4
+ {
5
+ "Effect": "Allow",
6
+ "Action": [
7
+ "s3:*"
8
+ ],
9
+ "Resource": [
10
+ "arn:aws:s3:::my_bucket",
11
+ "arn:aws:s3:::my_bucket/*"
12
+ ]
13
+ }
14
+ ]
15
+ }
@@ -0,0 +1,8 @@
1
+ {
2
+ "config": {
3
+ "default_lease_ttl": "384h",
4
+ "max_lease_ttl": "768h"
5
+ },
6
+ "description": "AWS IAM Secrets as a Service (AISaaS)",
7
+ "type": "aws"
8
+ }
@@ -0,0 +1,74 @@
1
+ # AWS Secret backend, or, IAM credentials as a service
2
+ # https://www.vaultproject.io/docs/secrets/aws/index.html
3
+ class Vault::Provision::Aws::SecretBackend < Vault::Provision::Prototype
4
+ AWS_REGION_DEFAULT = 'us-east-1'.freeze
5
+
6
+ class Vault::Provision::Aws::SecretBackend::NoCredsError < RuntimeError
7
+ end
8
+
9
+ attr_accessor :access_key, :secret_key, :region
10
+
11
+ def provision!
12
+ provision_config_and_creds!
13
+ provision_roles!
14
+ end
15
+
16
+ def provision_config_and_creds!
17
+ return unless @aws_update_creds
18
+ mounts_by_type('aws').each do |mp|
19
+ mp_prefix = mp.to_s == 'aws' ? '' : "#{mp}_"
20
+
21
+ @access_key = ENV["#{mp_prefix}AWS_ACCESS_KEY_ID"]
22
+ @secret_key = ENV["#{mp_prefix}AWS_SECRET_ACCESS_KEY"]
23
+ @region = ENV["#{mp_prefix}AWS_REGION"] || AWS_REGION_DEFAULT
24
+
25
+ if @access_key.nil? || @secret_key.nil?
26
+ raise NoCredsError,
27
+ "set environment variables #{mp_prefix}AWS_ACCESS_KEY_ID) and #{mp_prefix}AWS_SECRET_ACCESS_KEY"
28
+ end
29
+
30
+ aws_config = JSON.dump(access_key: @access_key,
31
+ secret_key: @secret_key,
32
+ region: @region)
33
+
34
+ puts " * AWS secret mount point #{mp} config (INCLUDING SECRET)"
35
+ @vault.post "v1/#{mp}/config/root", aws_config
36
+
37
+ lease_config = "#{@instance_dir}/#{mp}/config/lease.json"
38
+ next unless FileTest.readable? lease_config
39
+
40
+ validate_file! lease_config
41
+ puts " * #{mp}/config/lease"
42
+ @vault.post "v1/#{mp}/config/lease", File.read(lease_config)
43
+ end
44
+ end
45
+
46
+ def normalize_role role_file_path
47
+ role_json = File.read(role_file_path)
48
+ role = JSON.parse(role_json)
49
+
50
+ if role['arn'] || role['policy']
51
+ role_json
52
+ elsif role['Version'] && role['Statement']
53
+ JSON.dump(policy: role_json)
54
+ end
55
+ end
56
+
57
+ def provision_roles!
58
+ mounts_by_type('aws').each do |mp|
59
+ next unless Dir.exist? "#{@instance_dir}/#{mp}"
60
+ puts " * AWS secret mount point #{mp} roles"
61
+
62
+ Find.find("#{@instance_dir}/#{mp}/roles").each do |rf|
63
+ next unless rf.end_with? '.json'
64
+ validate_file! rf
65
+ role_definition = normalize_role rf
66
+ next if role_definition.nil?
67
+ role_path = rf.sub(%r{\A#{@instance_dir}\/}, '').sub(/.json\z/, '')
68
+
69
+ puts " * #{role_path}"
70
+ @vault.post "v1/#{role_path}", role_definition
71
+ end
72
+ end
73
+ end
74
+ end
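Review bot: `provision_roles!` guards only `#{@instance_dir}/#{mp}` but then walks `Find.find("#{@instance_dir}/#{mp}/roles")`, and `Find.find` raises `Errno::ENOENT` for a top-level path that does not exist, so an aws mount directory without a `roles/` subdirectory aborts the whole provisioning run instead of being skipped; guard the directory actually walked: `roles_dir = "#{@instance_dir}/#{mp}/roles"` / `next unless Dir.exist? roles_dir` / `Find.find(roles_dir).each do |rf|`. In `normalize_role`, a file that is neither an `arn`/`policy` document nor an IAM policy (`Version` + `Statement`) returns `nil`, and `provision_roles!` silently `next`s over it, so a malformed role file is dropped with no output; emit something like `warn " ! skipping #{rf}: not an AWS role or IAM policy document"` before the `next`. The `NoCredsError` message at the `raise` has an unbalanced `)` after `AWS_ACCESS_KEY_ID`. `rf.sub(/.json\z/, '')` leaves the dot unescaped; `/\.json\z/` is what is meant. A class-level comment stating that `provision_config_and_creds!` is a no-op unless `@aws_update_creds` is set, and that it reads `<MOUNT>_AWS_ACCESS_KEY_ID`-style variables for mounts not named `aws`, would save the next reader a trip through the method.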
@@ -0,0 +1,3 @@
1
+ class Vault::Provision::Aws; end
2
+
3
+ require 'vault/provision/aws/secret-backend'
@@ -9,6 +9,7 @@ class Vault::Provision::Prototype
9
9
  @instance_dir = boss.instance_dir
10
10
  @intermediate_issuer = boss.intermediate_issuer
11
11
  @pki_allow_destructive = boss.pki_allow_destructive
12
+ @aws_update_creds = boss.aws_update_creds
12
13
  end
13
14
 
14
15
  def repo_prefix
@@ -24,12 +25,14 @@ class Vault::Provision::Prototype
24
25
  Find.find(repo_path).select { |rf| rf.end_with?('.json') }
25
26
  end
26
27
 
27
- def repo_files_by_mount_type type
28
+ def mounts_by_type type
28
29
  mounts = @vault.sys.mounts
29
- my_mounts = mounts.keys.select { |mp| mounts[mp].type == type }
30
+ mounts.keys.select { |mp| mounts[mp].type == type }
31
+ end
30
32
 
33
+ def repo_files_by_mount_type type
31
34
  files = []
32
- my_mounts.each do |mp|
35
+ mounts_by_type(type).each do |mp|
33
36
  next unless Dir.exist? "#{@instance_dir}/#{mp}"
34
37
  Find.find("#{@instance_dir}/#{mp}").each do |rf|
35
38
  next unless rf.end_with? '.json'
@@ -8,22 +8,26 @@ require 'vault/provision/auth'
8
8
  require 'vault/provision/sys'
9
9
  require 'vault/provision/pki'
10
10
  require 'vault/provision/secret'
11
+ require 'vault/provision/aws'
11
12
 
12
13
  # controller for the children
13
14
  class Vault::Provision
14
15
  SYSTEM_POLICIES = ['response-wrapping', 'root'].freeze
15
16
 
16
17
  attr_accessor :vault, :instance_dir,
17
- :intermediate_issuer, :pki_allow_destructive
18
+ :intermediate_issuer, :pki_allow_destructive,
19
+ :aws_update_creds
18
20
 
19
21
  def initialize instance_dir,
20
22
  address: ENV['VAULT_ADDR'],
21
23
  token: ENV['VAULT_TOKEN'],
24
+ aws_update_creds: false,
22
25
  intermediate_issuer: {},
23
26
  pki_allow_destructive: false
24
27
 
25
28
  @instance_dir = instance_dir
26
29
  @vault = Vault::Client.new address: address, token: token
30
+ @aws_update_creds = aws_update_creds
27
31
  @intermediate_issuer = intermediate_issuer
28
32
  @pki_allow_destructive = pki_allow_destructive
29
33
  @handlers = [
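Review bot: The new `aws_update_creds:` keyword on `initialize` is undocumented, and its effect is not visible from this file: in `Aws::SecretBackend#provision_config_and_creds!` it gates whether `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` (optionally prefixed with the mount name) are read from the environment and posted to each aws mount's `config/root`. Add a comment above the parameter, e.g. `# aws_update_creds: when true, push AWS root credentials from the environment to every mount of type 'aws' (config/root); false leaves existing mount credentials untouched.` The same applies to the new `attr_accessor :aws_update_creds`, which the handlers read through `boss.aws_update_creds`. The `initialize` body continues past the end of this hunk.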
@@ -35,6 +39,7 @@ class Vault::Provision
35
39
  Pki::Config::Urls,
36
40
  Pki::Roles,
37
41
  Secret,
42
+ Aws::SecretBackend,
38
43
  Sys::Policy,
39
44
  Auth::Ldap::Groups,
40
45
  Auth::Approle
data/log/.keep ADDED
File without changes
data/spec/spec_helper.rb CHANGED
@@ -3,6 +3,8 @@ $: << "#{GEM_DIR}/lib"
3
3
 
4
4
  require 'vault_provision'
5
5
  require 'open3'
6
+ require 'aws-sdk'
7
+ require 'vcr'
6
8
 
7
9
  DEV_VAULT_TOKEN = 'kittens'.freeze
8
10
  DEV_VAULT_ADDR = 'http://127.0.0.1:8200'.freeze
@@ -17,6 +19,20 @@ Vault.configure do |config|
17
19
  config.token = DEV_VAULT_TOKEN
18
20
  end
19
21
 
22
+ VCR.configure do |config|
23
+ config.cassette_library_dir = "spec/vcr_cassettes"
24
+ config.debug_logger = File.open("log/vcr.log", 'w')
25
+ config.hook_into :webmock
26
+ config.allow_http_connections_when_no_cassette = true
27
+
28
+ config.filter_sensitive_data('<SOME_VAULT_TOKEN>') do |i|
29
+ i.request.headers['X-Vault-Token'].first unless i.request.headers['X-Vault-Token'].nil?
30
+ end
31
+ config.filter_sensitive_data('<SOME_AUTHZ_HEADER>') do |i|
32
+ i.request.headers['Authorization'].first unless i.request.headers['Authorization'].nil?
33
+ end
34
+ end
35
+
20
36
  def vault_server
21
37
  stdin, stdout, stderr, server = Open3.popen3('vault server -dev')
22
38
  cleanup = lambda do |_|
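Review bot: The `filter_sensitive_data` hooks scrub the `X-Vault-Token` and `Authorization` request headers, but nothing in this configuration touches response bodies, and the `v1/aws/creds/*` responses these cassettes record carry a freshly issued IAM `secret_key` (the committed cassettes show it as `👻`, which looks like a hand edit rather than a filter), so the next re-recording writes a live secret into `spec/vcr_cassettes`. Add a hook that redacts it before the interaction is persisted, e.g. `config.before_record do |i|` / `i.response.body.gsub!(/"secret_key":"[^"]*"/, '"secret_key":"<SOME_SECRET_KEY>"')` / `end`; the same hook could blank `access_key`, which otherwise ties each cassette to the real key id of an IAM user created by the test. `allow_http_connections_when_no_cassette = true` means a mistyped cassette name silently falls through to a real AWS call rather than failing, which deserves a one-line comment at that line explaining the dev-server trade-off. In the last hunk of this file, `aws_update_creds: ! ENV['AWS_SECRET_ACCESS_KEY'].nil?` reads more clearly as `aws_update_creds: ENV.key?('AWS_SECRET_ACCESS_KEY')`.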
@@ -40,9 +56,20 @@ RSpec.configure do |config|
40
56
  config.raise_errors_for_deprecations!
41
57
  end
42
58
 
59
+ Aws.config.update(
60
+ credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'],
61
+ ENV['AWS_SECRET_ACCESS_KEY'])
62
+ )
63
+
64
+ def iam_client
65
+ @iam_client ||= Aws::IAM::Client.new
66
+ end
67
+
68
+
43
69
  @server = vault_server
44
70
  signatories = {'pki-intermediate': 'pki-root'}
45
71
 
46
72
  Vault::Provision.new(EXAMPLE_DIR,
47
73
  intermediate_issuer: signatories,
74
+ aws_update_creds: ! ENV['AWS_SECRET_ACCESS_KEY'].nil?,
48
75
  pki_allow_destructive: true).provision!
@@ -111,4 +111,55 @@ describe Vault::Provision do
111
111
  expect(yummy[:data]).to be
112
112
  expect(yummy[:data][:bear]).to be == '🐻 rawr!'
113
113
  end
114
+
115
+ it "has AWS roles" do
116
+ resp = client.get 'v1/aws/roles/iam-full-access'
117
+ expect(resp[:data]).to be
118
+ expect(resp[:data][:arn]).to be == 'arn:aws:iam::aws:policy/IAMFullAccess'
119
+ end
120
+
121
+ it "does not have nonexistant AWS roles" do
122
+ expect {
123
+ client.get('v1/aws/roles/your-mom')
124
+ }.to raise_error(Vault::HTTPClientError)
125
+ end
126
+
127
+ it "can create valid IAM credentials with AWS managed policies" do
128
+ unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
129
+ skip "To test - plz set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
130
+ end
131
+
132
+ VCR.use_cassette('aws-secret-iam-full', tag: :aws_secret) do
133
+ resp = client.get 'v1/aws/creds/iam-full-access'
134
+ expect(resp[:data]).to be
135
+
136
+ access_key = resp[:data][:access_key]
137
+ secret_key = resp[:data][:secret_key]
138
+
139
+ expect(access_key).to match(%r{\AAKIA})
140
+ expect(secret_key).to be
141
+
142
+ last_used = iam_client.get_access_key_last_used access_key_id: access_key
143
+ expect(last_used).to be
144
+ expect(last_used.user_name).to be
145
+ end
146
+ end
147
+ it "can create valid IAM credentials with custom policies" do
148
+ unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
149
+ skip "To test - plz set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
150
+ end
151
+
152
+ VCR.use_cassette('aws-secret-custom', tag: :aws_secret) do
153
+ resp = client.get 'v1/aws/creds/s3-bucket-custom'
154
+ expect(resp[:data]).to be
155
+
156
+ access_key = resp[:data][:access_key]
157
+ secret_key = resp[:data][:secret_key]
158
+ expect(access_key).to match(%r{\AAKIA})
159
+ expect(secret_key).to be
160
+ last_used = iam_client.get_access_key_last_used access_key_id: access_key
161
+ expect(last_used).to be
162
+ expect(last_used.user_name).to be
163
+ end
164
+ end
114
165
  end
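Review bot: Both credential examples fetch `v1/aws/creds/...`, which has Vault create a real IAM user and access key whenever the cassette is being recorded, and the lease is never revoked, so each recording run leaves a live IAM user behind until the 384h `default_lease_ttl` set in `examples/basic/sys/mounts/aws.json` runs out. Revoke it at the end of the block, e.g. wrap the body in `begin … ensure` with `client.sys.revoke(resp[:lease_id]) if resp` — assuming `client` is the `Vault::Client` used elsewhere in this spec and the response hash exposes `lease_id` the way the recorded body does. The two examples are near-duplicates differing only in the role and cassette names; a shared helper taking those two names would keep the assertions in one place. `it "does not have nonexistant AWS roles"` misspells nonexistent in the example name. The `describe Vault::Provision` block opens before this hunk.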
@@ -0,0 +1,101 @@
1
+ ---
2
+ http_interactions:
3
+ - request:
4
+ method: get
5
+ uri: http://127.0.0.1:8200/v1/aws/creds/s3-bucket-custom
6
+ body:
7
+ encoding: US-ASCII
8
+ string: ''
9
+ headers:
10
+ Accept-Encoding:
11
+ - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
12
+ Accept:
13
+ - "*/*"
14
+ - application/json
15
+ User-Agent:
16
+ - Ruby
17
+ - VaultRuby/0.10.1 (+github.com/hashicorp/vault-ruby)
18
+ Content-Type:
19
+ - application/json
20
+ X-Vault-Token:
21
+ - "<SOME_VAULT_TOKEN>"
22
+ Connection:
23
+ - keep-alive
24
+ Keep-Alive:
25
+ - 30
26
+ response:
27
+ status:
28
+ code: 200
29
+ message: OK
30
+ headers:
31
+ Cache-Control:
32
+ - no-store
33
+ Content-Type:
34
+ - application/json
35
+ Date:
36
+ - Tue, 27 Jun 2017 04:20:00 GMT
37
+ Content-Length:
38
+ - '341'
39
+ body:
40
+ encoding: UTF-8
41
+ string: '{"request_id":"4528ce31-0035-c0d4-cdf7-88b6609f4d39","lease_id":"aws/creds/s3-bucket-custom/8a4b6841-9d84-5d22-1c34-833db38505bc","renewable":true,"lease_duration":1382400,"data":{"access_key":"AKIAJFFYUHMANU2HTQMA","secret_key":"👻","security_token":null},"wrap_info":null,"warnings":null,"auth":null}
42
+
43
+ '
44
+ http_version:
45
+ recorded_at: Tue, 27 Jun 2017 04:20:00 GMT
46
+ - request:
47
+ method: post
48
+ uri: https://iam.amazonaws.com/
49
+ body:
50
+ encoding: UTF-8
51
+ string: AccessKeyId=AKIAJFFYUHMANU2HTQMA&Action=GetAccessKeyLastUsed&Version=2010-05-08
52
+ headers:
53
+ Content-Type:
54
+ - application/x-www-form-urlencoded; charset=utf-8
55
+ Accept-Encoding:
56
+ - ''
57
+ User-Agent:
58
+ - aws-sdk-ruby2/2.10.3 ruby/2.4.1 x86_64-darwin16
59
+ X-Amz-Date:
60
+ - 20170627T042000Z
61
+ Host:
62
+ - iam.amazonaws.com
63
+ X-Amz-Content-Sha256:
64
+ - cfefefd3f69aeb1bd3e0b4e716a1d631045bb8927d42e70c3a66e839d36405b0
65
+ Authorization:
66
+ - "<SOME_AUTHZ_HEADER>"
67
+ Content-Length:
68
+ - '79'
69
+ Accept:
70
+ - "*/*"
71
+ response:
72
+ status:
73
+ code: 200
74
+ message: OK
75
+ headers:
76
+ X-Amzn-Requestid:
77
+ - e30c57e7-5aef-11e7-8709-2f131dd3413d
78
+ Content-Type:
79
+ - text/xml
80
+ Content-Length:
81
+ - '466'
82
+ Date:
83
+ - Tue, 27 Jun 2017 04:20:00 GMT
84
+ body:
85
+ encoding: UTF-8
86
+ string: |
87
+ <GetAccessKeyLastUsedResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
88
+ <GetAccessKeyLastUsedResult>
89
+ <AccessKeyLastUsed>
90
+ <Region>N/A</Region>
91
+ <ServiceName>N/A</ServiceName>
92
+ </AccessKeyLastUsed>
93
+ <UserName>vault-token-s3-bucket-custom-1498537197-4154</UserName>
94
+ </GetAccessKeyLastUsedResult>
95
+ <ResponseMetadata>
96
+ <RequestId>e30c57e7-5aef-11e7-8709-2f131dd3413d</RequestId>
97
+ </ResponseMetadata>
98
+ </GetAccessKeyLastUsedResponse>
99
+ http_version:
100
+ recorded_at: Tue, 27 Jun 2017 04:20:01 GMT
101
+ recorded_with: VCR 3.0.3
@@ -0,0 +1,101 @@
1
+ ---
2
+ http_interactions:
3
+ - request:
4
+ method: get
5
+ uri: http://127.0.0.1:8200/v1/aws/creds/iam-full-access
6
+ body:
7
+ encoding: US-ASCII
8
+ string: ''
9
+ headers:
10
+ Accept-Encoding:
11
+ - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
12
+ Accept:
13
+ - "*/*"
14
+ - application/json
15
+ User-Agent:
16
+ - Ruby
17
+ - VaultRuby/0.10.1 (+github.com/hashicorp/vault-ruby)
18
+ Content-Type:
19
+ - application/json
20
+ X-Vault-Token:
21
+ - "<SOME_VAULT_TOKEN>"
22
+ Connection:
23
+ - keep-alive
24
+ Keep-Alive:
25
+ - 30
26
+ response:
27
+ status:
28
+ code: 200
29
+ message: OK
30
+ headers:
31
+ Cache-Control:
32
+ - no-store
33
+ Content-Type:
34
+ - application/json
35
+ Date:
36
+ - Tue, 27 Jun 2017 04:19:57 GMT
37
+ Content-Length:
38
+ - '340'
39
+ body:
40
+ encoding: UTF-8
41
+ string: '{"request_id":"bdd1533a-8fd5-53a5-3184-3f626e0db82d","lease_id":"aws/creds/iam-full-access/7223902d-b542-0424-1f24-ff035265b280","renewable":true,"lease_duration":1382400,"data":{"access_key":"AKIAJFIVGUHU7PZKXV5A","secret_key":"👻","security_token":null},"wrap_info":null,"warnings":null,"auth":null}
42
+
43
+ '
44
+ http_version:
45
+ recorded_at: Tue, 27 Jun 2017 04:19:57 GMT
46
+ - request:
47
+ method: post
48
+ uri: https://iam.amazonaws.com/
49
+ body:
50
+ encoding: UTF-8
51
+ string: AccessKeyId=AKIAJFIVGUHU7PZKXV5A&Action=GetAccessKeyLastUsed&Version=2010-05-08
52
+ headers:
53
+ Content-Type:
54
+ - application/x-www-form-urlencoded; charset=utf-8
55
+ Accept-Encoding:
56
+ - ''
57
+ User-Agent:
58
+ - aws-sdk-ruby2/2.10.3 ruby/2.4.1 x86_64-darwin16
59
+ X-Amz-Date:
60
+ - 20170627T041957Z
61
+ Host:
62
+ - iam.amazonaws.com
63
+ X-Amz-Content-Sha256:
64
+ - 165aba1489a27095f4e83bb72c0e1a79d6e9f969c59a5199ddab5ace04c36c77
65
+ Authorization:
66
+ - "<SOME_AUTHZ_HEADER>"
67
+ Content-Length:
68
+ - '79'
69
+ Accept:
70
+ - "*/*"
71
+ response:
72
+ status:
73
+ code: 200
74
+ message: OK
75
+ headers:
76
+ X-Amzn-Requestid:
77
+ - e122b092-5aef-11e7-9679-d5c1bf3ed860
78
+ Content-Type:
79
+ - text/xml
80
+ Content-Length:
81
+ - '464'
82
+ Date:
83
+ - Tue, 27 Jun 2017 04:19:57 GMT
84
+ body:
85
+ encoding: UTF-8
86
+ string: |
87
+ <GetAccessKeyLastUsedResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
88
+ <GetAccessKeyLastUsedResult>
89
+ <AccessKeyLastUsed>
90
+ <Region>N/A</Region>
91
+ <ServiceName>N/A</ServiceName>
92
+ </AccessKeyLastUsed>
93
+ <UserName>vault-token-iam-full-access-1498537194-774</UserName>
94
+ </GetAccessKeyLastUsedResult>
95
+ <ResponseMetadata>
96
+ <RequestId>e122b092-5aef-11e7-9679-d5c1bf3ed860</RequestId>
97
+ </ResponseMetadata>
98
+ </GetAccessKeyLastUsedResponse>
99
+ http_version:
100
+ recorded_at: Tue, 27 Jun 2017 04:19:57 GMT
101
+ recorded_with: VCR 3.0.3
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: vault-provision
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.8
4
+ version: 0.1.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tom Maher
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-06-22 00:00:00.000000000 Z
11
+ date: 2017-06-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -99,6 +99,7 @@ files:
99
99
  - README.md
100
100
  - Rakefile
101
101
  - VERSION
102
+ - bin/vault-provision
102
103
  - examples/basic/auth/.keep
103
104
  - examples/basic/auth/approle/role/backends.json
104
105
  - examples/basic/auth/approle/role/frontends.json
@@ -110,6 +111,8 @@ files:
110
111
  - examples/basic/auth/ldap/groups/admin.json
111
112
  - examples/basic/auth/ldap/groups/operators.json
112
113
  - examples/basic/auth/token/.keep
114
+ - examples/basic/aws/roles/iam-full-access.json
115
+ - examples/basic/aws/roles/s3-bucket-custom.json
113
116
  - examples/basic/pki-intermediate/config/.keep
114
117
  - examples/basic/pki-intermediate/config/crl.json
115
118
  - examples/basic/pki-intermediate/config/urls.json
@@ -133,6 +136,7 @@ files:
133
136
  - examples/basic/sys/auth/ldap.json
134
137
  - examples/basic/sys/auth/token.json
135
138
  - examples/basic/sys/mounts/.keep
139
+ - examples/basic/sys/mounts/aws.json
136
140
  - examples/basic/sys/mounts/cubbyhole.json
137
141
  - examples/basic/sys/mounts/pki-intermediate.json
138
142
  - examples/basic/sys/mounts/pki-intermediate/tune.json
@@ -154,6 +158,8 @@ files:
154
158
  - lib/vault/provision/auth/ldap.rb
155
159
  - lib/vault/provision/auth/ldap/config.rb
156
160
  - lib/vault/provision/auth/ldap/groups.rb
161
+ - lib/vault/provision/aws.rb
162
+ - lib/vault/provision/aws/secret-backend.rb
157
163
  - lib/vault/provision/generic.rb
158
164
  - lib/vault/provision/pki.rb
159
165
  - lib/vault/provision/pki/config.rb
@@ -174,8 +180,11 @@ files:
174
180
  - lib/vault/provision/sys/auth.rb
175
181
  - lib/vault/provision/sys/policy.rb
176
182
  - lib/vault_provision.rb
183
+ - log/.keep
177
184
  - spec/spec_helper.rb
178
185
  - spec/vault_provision_spec.rb
186
+ - spec/vcr_cassettes/aws-secret-custom.yml
187
+ - spec/vcr_cassettes/aws-secret-iam-full.yml
179
188
  - vault-provision.gemspec
180
189
  homepage: https://github.com/tmaher/vault-provision
181
190
  licenses: