vault-provision 0.1.8 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2b899b07ba3632b5568363ad5dd4f0c446eb3c19
-  data.tar.gz: b88d77a6a1fd6848022025963a9be18390afe997
+  metadata.gz: 0edcd40874242ad1c2e953a14261cb02ad1e0ef9
+  data.tar.gz: bfb7aff56d0bf2c7fe54c12c7d2601e84c43d6f9
 SHA512:
-  metadata.gz: fe576f3c3c977abce9e97da0181d3fb948c057791f18b12c470cc1f82b61e3519af167389139eadf6ffea144cf1c98ffa11824dfe1606d3af9c040443f94e7c2
-  data.tar.gz: 63b14e18917b623d5e448ed4524c887199a6757bafa9be2184a5309e070dc5eda386e63428d8f4ea666fbb87dbd8b7f3aa8fd0074616ede502bfc0d65e89e23e
+  metadata.gz: 68669b47d77cbd56423c1d105018bc01cb86351c118edbc728cfe65d58477d1656e315003e886df1f65aa1df016a04d33b5be17423556670f0810f3cd7228b09
+  data.tar.gz: 6d2810d47c3657ef12fd852929062ad89eead48d471a2293f1fbd481d568b3674df613ea922a36dd8ed55c704384b270ed6ce8276f9d3cc510d742ec62efbea6

data/.gitignore

@@ -10,3 +10,4 @@ coverage
 todo
 *.gem
 vendor/ruby
+log/*.log

data/.rubocop.yml

@@ -1,2 +1,5 @@
 Style/ClassAndModuleChildren:
   EnforcedStyle: compact
+
+Style/StringLiterals:
+  Enabled: false

data/Gemfile

@@ -3,9 +3,17 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'rake',       '~>12.0'
-gem 'rspec',      '~>3.5.0'
-gem 'rspec-core', '~>3.5.4'
 
 gem 'activesupport', '~>5.0.2'
 gem 'rhcl',          '~>0.1.0'
 gem 'vault',         '~>0.10'
+
+group :development, :test do
+  gem 'aws-sdk',        '~>2.10.3'
+  gem 'rspec',          '~>3.6.0'
+  gem 'rspec-core',     '~>3.6.0'
+  gem 'rubocop',        '~>0.49.1'
+  gem 'rubocop-github', '~>0.5.0'
+  gem 'vcr',            '~>3.0.3'
+  gem 'webmock',        '~>3.0.1'
+end

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    vault-provision (0.1.7)
+    vault-provision (0.1.8)
       activesupport (~> 5.0, >= 5.0.2)
       rhcl (~> 0.1.0)
       vault (~> 0.10)
@@ -14,43 +14,87 @@ GEM
       i18n (~> 0.7)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
+    addressable (2.5.1)
+      public_suffix (~> 2.0, >= 2.0.2)
+    ast (2.3.0)
+    aws-sdk (2.10.3)
+      aws-sdk-resources (= 2.10.3)
+    aws-sdk-core (2.10.3)
+      aws-sigv4 (~> 1.0)
+      jmespath (~> 1.0)
+    aws-sdk-resources (2.10.3)
+      aws-sdk-core (= 2.10.3)
+    aws-sigv4 (1.0.0)
     concurrent-ruby (1.0.5)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
     deep_merge (1.1.1)
     diff-lcs (1.3)
+    hashdiff (0.3.4)
     i18n (0.8.4)
+    jmespath (1.3.1)
     minitest (5.10.2)
+    parallel (1.11.2)
+    parser (2.4.0.0)
+      ast (~> 2.2)
+    powerpack (0.1.1)
+    public_suffix (2.0.5)
+    rainbow (2.2.2)
+      rake
     rake (12.0.0)
     rhcl (0.1.0)
       deep_merge
-    rspec (3.5.0)
-      rspec-core (~> 3.5.0)
-      rspec-expectations (~> 3.5.0)
-      rspec-mocks (~> 3.5.0)
-    rspec-core (3.5.4)
-      rspec-support (~> 3.5.0)
-    rspec-expectations (3.5.0)
+    rspec (3.6.0)
+      rspec-core (~> 3.6.0)
+      rspec-expectations (~> 3.6.0)
+      rspec-mocks (~> 3.6.0)
+    rspec-core (3.6.0)
+      rspec-support (~> 3.6.0)
+    rspec-expectations (3.6.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-mocks (3.5.0)
+      rspec-support (~> 3.6.0)
+    rspec-mocks (3.6.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-support (3.5.0)
+      rspec-support (~> 3.6.0)
+    rspec-support (3.6.0)
+    rubocop (0.49.1)
+      parallel (~> 1.10)
+      parser (>= 2.3.3.1, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 1.99.1, < 3.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    rubocop-github (0.5.0)
+      rubocop (~> 0.49)
+    ruby-progressbar (1.8.1)
+    safe_yaml (1.0.4)
     thread_safe (0.3.6)
     tzinfo (1.2.3)
       thread_safe (~> 0.1)
+    unicode-display_width (1.3.0)
     vault (0.10.1)
+    vcr (3.0.3)
+    webmock (3.0.1)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   activesupport (~> 5.0.2)
+  aws-sdk (~> 2.10.3)
   rake (~> 12.0)
   rhcl (~> 0.1.0)
-  rspec (~> 3.5.0)
-  rspec-core (~> 3.5.4)
+  rspec (~> 3.6.0)
+  rspec-core (~> 3.6.0)
+  rubocop (~> 0.49.1)
+  rubocop-github (~> 0.5.0)
   vault (~> 0.10)
   vault-provision!
+  vcr (~> 3.0.3)
+  webmock (~> 3.0.1)
 
 BUNDLED WITH
    1.15.1

data/VERSION

@@ -1 +1 @@
-0.1.8
+0.1.9

data/bin/vault-provision

@@ -0,0 +1,44 @@
+#!/usr/bin/env ruby
+
+require 'trollop'
+require 'vault'
+require 'vault_provision'
+
+prog_name = File.basename $PROGRAM_NAME
+opts = Trollop.options do
+  banner <<-EOS
+Provision a Vault configuration
+
+Usage:
+
+$ export VAULT_ADDR='https://<my-vault-server:8200>'
+$ export VAULT_TOKEN=<my-vault-root-token>
+$ #{prog_name} --dir /path/to/provisioning-data
+.
+EOS
+  opt :dir,
+      'Root directory of provisioning data. For example, ./bin/vault-provision --dir ./examples/basic',
+      type: :string
+  opt :destructive,
+      'Regenerate the PKI CA keys (DANGEROUS)',
+      default: false
+  opt :addr,
+      'vault address (overrides VAULT_ADDR)',
+      type: :string, default: ENV['VAULT_ADDR']
+  opt :token,
+      'vault token (overrides VAULT_TOKEN)',
+      type: :string, default: ENV['VAULT_TOKEN']
+end
+
+Trollop.die :dir, "need a directory" if opts[:dir].nil?
+Trollop.die :dir, "#{opts[:dir]} isn't a directory" unless FileTest.directory?(opts[:dir])
+
+Trollop.die :addr, "need VAULT_ADDR set"   unless opts[:addr]
+Trollop.die :token, "need VAULT_TOKEN set" unless opts[:token]
+
+signatories = {'pki-intermediate': 'pki-root'}
+Vault::Provision.new(opts[:dir],
+                     address: opts[:addr],
+                     token: opts[:token],
+                     intermediate_issuer: signatories,
+                     pki_allow_destructive: opts[:destructive]).provision!

data/examples/basic/aws/roles/iam-full-access.json

@@ -0,0 +1,3 @@
+{
+  "arn": "arn:aws:iam::aws:policy/IAMFullAccess"
+}

data/examples/basic/aws/roles/s3-bucket-custom.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*"
+            ],
+            "Resource": [
+                "arn:aws:s3:::my_bucket",
+                "arn:aws:s3:::my_bucket/*"
+            ]
+        }
+    ]
+}

data/examples/basic/sys/mounts/aws.json

@@ -0,0 +1,8 @@
+{
+  "config": {
+    "default_lease_ttl": "384h",
+    "max_lease_ttl": "768h"
+  },
+  "description": "AWS IAM Secrets as a Service (AISaaS)",
+  "type": "aws"
+}

data/lib/vault/provision/aws/secret-backend.rb

@@ -0,0 +1,74 @@
+# AWS Secret backend, or, IAM credentials as a service
+# https://www.vaultproject.io/docs/secrets/aws/index.html
+class Vault::Provision::Aws::SecretBackend < Vault::Provision::Prototype
+  AWS_REGION_DEFAULT = 'us-east-1'.freeze
+
+  class Vault::Provision::Aws::SecretBackend::NoCredsError < RuntimeError
+  end
+
+  attr_accessor :access_key, :secret_key, :region
+
+  def provision!
+    provision_config_and_creds!
+    provision_roles!
+  end
+
+  def provision_config_and_creds!
+    return unless @aws_update_creds
+    mounts_by_type('aws').each do |mp|
+      mp_prefix = mp.to_s == 'aws' ? '' : "#{mp}_"
+
+      @access_key = ENV["#{mp_prefix}AWS_ACCESS_KEY_ID"]
+      @secret_key = ENV["#{mp_prefix}AWS_SECRET_ACCESS_KEY"]
+      @region = ENV["#{mp_prefix}AWS_REGION"] || AWS_REGION_DEFAULT
+
+      if @access_key.nil? || @secret_key.nil?
+        raise NoCredsError,
+          "set environment variables #{mp_prefix}AWS_ACCESS_KEY_ID) and #{mp_prefix}AWS_SECRET_ACCESS_KEY"
+      end
+
+      aws_config = JSON.dump(access_key: @access_key,
+                             secret_key: @secret_key,
+                             region:     @region)
+
+      puts "  * AWS secret mount point #{mp} config (INCLUDING SECRET)"
+      @vault.post "v1/#{mp}/config/root", aws_config
+
+      lease_config = "#{@instance_dir}/#{mp}/config/lease.json"
+      next unless FileTest.readable? lease_config
+
+      validate_file! lease_config
+      puts "  * #{mp}/config/lease"
+      @vault.post "v1/#{mp}/config/lease", File.read(lease_config)
+    end
+  end
+
+  def normalize_role role_file_path
+    role_json = File.read(role_file_path)
+    role = JSON.parse(role_json)
+
+    if role['arn'] || role['policy']
+      role_json
+    elsif role['Version'] && role['Statement']
+      JSON.dump(policy: role_json)
+    end
+  end
+
+  def provision_roles!
+    mounts_by_type('aws').each do |mp|
+      next unless Dir.exist? "#{@instance_dir}/#{mp}"
+      puts "  * AWS secret mount point #{mp} roles"
+
+      Find.find("#{@instance_dir}/#{mp}/roles").each do |rf|
+        next unless rf.end_with? '.json'
+        validate_file! rf
+        role_definition = normalize_role rf
+        next if role_definition.nil?
+        role_path = rf.sub(%r{\A#{@instance_dir}\/}, '').sub(/.json\z/, '')
+
+        puts "    * #{role_path}"
+        @vault.post "v1/#{role_path}", role_definition
+      end
+    end
+  end
+end

data/lib/vault/provision/aws.rb

@@ -0,0 +1,3 @@
+class Vault::Provision::Aws; end
+
+require 'vault/provision/aws/secret-backend'

data/lib/vault/provision/prototype.rb

@@ -9,6 +9,7 @@ class Vault::Provision::Prototype
     @instance_dir = boss.instance_dir
     @intermediate_issuer = boss.intermediate_issuer
     @pki_allow_destructive = boss.pki_allow_destructive
+    @aws_update_creds = boss.aws_update_creds
   end
 
   def repo_prefix
@@ -24,12 +25,14 @@ class Vault::Provision::Prototype
     Find.find(repo_path).select { |rf| rf.end_with?('.json') }
   end
 
-  def repo_files_by_mount_type type
+  def mounts_by_type type
     mounts = @vault.sys.mounts
-    my_mounts = mounts.keys.select { |mp| mounts[mp].type == type }
+    mounts.keys.select { |mp| mounts[mp].type == type }
+  end
 
+  def repo_files_by_mount_type type
     files = []
-    my_mounts.each do |mp|
+    mounts_by_type(type).each do |mp|
       next unless Dir.exist? "#{@instance_dir}/#{mp}"
       Find.find("#{@instance_dir}/#{mp}").each do |rf|
         next unless rf.end_with? '.json'

data/lib/vault/provision.rb

@@ -8,22 +8,26 @@ require 'vault/provision/auth'
 require 'vault/provision/sys'
 require 'vault/provision/pki'
 require 'vault/provision/secret'
+require 'vault/provision/aws'
 
 # controller for the children
 class Vault::Provision
   SYSTEM_POLICIES = ['response-wrapping', 'root'].freeze
 
   attr_accessor :vault, :instance_dir,
-                :intermediate_issuer, :pki_allow_destructive
+                :intermediate_issuer, :pki_allow_destructive,
+                :aws_update_creds
 
   def initialize instance_dir,
                  address: ENV['VAULT_ADDR'],
                  token: ENV['VAULT_TOKEN'],
+                 aws_update_creds: false,
                  intermediate_issuer: {},
                  pki_allow_destructive: false
 
     @instance_dir = instance_dir
     @vault = Vault::Client.new address: address, token: token
+    @aws_update_creds = aws_update_creds
     @intermediate_issuer = intermediate_issuer
     @pki_allow_destructive = pki_allow_destructive
     @handlers = [
@@ -35,6 +39,7 @@ class Vault::Provision
       Pki::Config::Urls,
       Pki::Roles,
       Secret,
+      Aws::SecretBackend,
       Sys::Policy,
       Auth::Ldap::Groups,
       Auth::Approle

data/spec/spec_helper.rb

@@ -3,6 +3,8 @@ $: << "#{GEM_DIR}/lib"
 
 require 'vault_provision'
 require 'open3'
+require 'aws-sdk'
+require 'vcr'
 
 DEV_VAULT_TOKEN                = 'kittens'.freeze
 DEV_VAULT_ADDR                 = 'http://127.0.0.1:8200'.freeze
@@ -17,6 +19,20 @@ Vault.configure do |config|
   config.token = DEV_VAULT_TOKEN
 end
 
+VCR.configure do |config|
+  config.cassette_library_dir = "spec/vcr_cassettes"
+  config.debug_logger = File.open("log/vcr.log", 'w')
+  config.hook_into :webmock
+  config.allow_http_connections_when_no_cassette = true
+
+  config.filter_sensitive_data('<SOME_VAULT_TOKEN>') do |i|
+    i.request.headers['X-Vault-Token'].first unless i.request.headers['X-Vault-Token'].nil?
+  end
+  config.filter_sensitive_data('<SOME_AUTHZ_HEADER>') do |i|
+    i.request.headers['Authorization'].first unless i.request.headers['Authorization'].nil?
+  end
+end
+
 def vault_server
   stdin, stdout, stderr, server = Open3.popen3('vault server -dev')
   cleanup = lambda do |_|
@@ -40,9 +56,20 @@ RSpec.configure do |config|
   config.raise_errors_for_deprecations!
 end
 
+Aws.config.update(
+  credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'],
+                                    ENV['AWS_SECRET_ACCESS_KEY'])
+)
+
+def iam_client
+  @iam_client ||= Aws::IAM::Client.new
+end
+
+
 @server = vault_server
 signatories = {'pki-intermediate': 'pki-root'}
 
 Vault::Provision.new(EXAMPLE_DIR,
                      intermediate_issuer: signatories,
+                     aws_update_creds: ! ENV['AWS_SECRET_ACCESS_KEY'].nil?,
                      pki_allow_destructive: true).provision!

data/spec/vault_provision_spec.rb

@@ -111,4 +111,55 @@ describe Vault::Provision do
     expect(yummy[:data]).to be
     expect(yummy[:data][:bear]).to be == '🐻  rawr!'
   end
+
+  it "has AWS roles" do
+    resp = client.get 'v1/aws/roles/iam-full-access'
+    expect(resp[:data]).to be
+    expect(resp[:data][:arn]).to be == 'arn:aws:iam::aws:policy/IAMFullAccess'
+  end
+
+  it "does not have nonexistant AWS roles" do
+    expect {
+      client.get('v1/aws/roles/your-mom')
+    }.to raise_error(Vault::HTTPClientError)
+  end
+
+  it "can create valid IAM credentials with AWS managed policies" do
+    unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
+      skip "To test - plz set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
+    end
+
+    VCR.use_cassette('aws-secret-iam-full', tag: :aws_secret) do
+      resp = client.get 'v1/aws/creds/iam-full-access'
+      expect(resp[:data]).to be
+
+      access_key = resp[:data][:access_key]
+      secret_key = resp[:data][:secret_key]
+
+      expect(access_key).to match(%r{\AAKIA})
+      expect(secret_key).to be
+
+      last_used = iam_client.get_access_key_last_used access_key_id: access_key
+      expect(last_used).to be
+      expect(last_used.user_name).to be
+    end
+  end
+  it "can create valid IAM credentials with custom policies" do
+    unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
+      skip "To test - plz set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
+    end
+
+    VCR.use_cassette('aws-secret-custom', tag: :aws_secret) do
+      resp = client.get 'v1/aws/creds/s3-bucket-custom'
+      expect(resp[:data]).to be
+
+      access_key = resp[:data][:access_key]
+      secret_key = resp[:data][:secret_key]
+      expect(access_key).to match(%r{\AAKIA})
+      expect(secret_key).to be
+      last_used = iam_client.get_access_key_last_used access_key_id: access_key
+      expect(last_used).to be
+      expect(last_used.user_name).to be
+    end
+  end
 end

data/spec/vcr_cassettes/aws-secret-custom.yml

@@ -0,0 +1,101 @@
+---
+http_interactions:
+- request:
+    method: get
+    uri: http://127.0.0.1:8200/v1/aws/creds/s3-bucket-custom
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      - application/json
+      User-Agent:
+      - Ruby
+      - VaultRuby/0.10.1 (+github.com/hashicorp/vault-ruby)
+      Content-Type:
+      - application/json
+      X-Vault-Token:
+      - "<SOME_VAULT_TOKEN>"
+      Connection:
+      - keep-alive
+      Keep-Alive:
+      - 30
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Date:
+      - Tue, 27 Jun 2017 04:20:00 GMT
+      Content-Length:
+      - '341'
+    body:
+      encoding: UTF-8
+      string: '{"request_id":"4528ce31-0035-c0d4-cdf7-88b6609f4d39","lease_id":"aws/creds/s3-bucket-custom/8a4b6841-9d84-5d22-1c34-833db38505bc","renewable":true,"lease_duration":1382400,"data":{"access_key":"AKIAJFFYUHMANU2HTQMA","secret_key":"👻","security_token":null},"wrap_info":null,"warnings":null,"auth":null}
+
+'
+    http_version:
+  recorded_at: Tue, 27 Jun 2017 04:20:00 GMT
+- request:
+    method: post
+    uri: https://iam.amazonaws.com/
+    body:
+      encoding: UTF-8
+      string: AccessKeyId=AKIAJFFYUHMANU2HTQMA&Action=GetAccessKeyLastUsed&Version=2010-05-08
+    headers:
+      Content-Type:
+      - application/x-www-form-urlencoded; charset=utf-8
+      Accept-Encoding:
+      - ''
+      User-Agent:
+      - aws-sdk-ruby2/2.10.3 ruby/2.4.1 x86_64-darwin16
+      X-Amz-Date:
+      - 20170627T042000Z
+      Host:
+      - iam.amazonaws.com
+      X-Amz-Content-Sha256:
+      - cfefefd3f69aeb1bd3e0b4e716a1d631045bb8927d42e70c3a66e839d36405b0
+      Authorization:
+      - "<SOME_AUTHZ_HEADER>"
+      Content-Length:
+      - '79'
+      Accept:
+      - "*/*"
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      X-Amzn-Requestid:
+      - e30c57e7-5aef-11e7-8709-2f131dd3413d
+      Content-Type:
+      - text/xml
+      Content-Length:
+      - '466'
+      Date:
+      - Tue, 27 Jun 2017 04:20:00 GMT
+    body:
+      encoding: UTF-8
+      string: |
+        <GetAccessKeyLastUsedResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
+          <GetAccessKeyLastUsedResult>
+            <AccessKeyLastUsed>
+              <Region>N/A</Region>
+              <ServiceName>N/A</ServiceName>
+            </AccessKeyLastUsed>
+            <UserName>vault-token-s3-bucket-custom-1498537197-4154</UserName>
+          </GetAccessKeyLastUsedResult>
+          <ResponseMetadata>
+            <RequestId>e30c57e7-5aef-11e7-8709-2f131dd3413d</RequestId>
+          </ResponseMetadata>
+        </GetAccessKeyLastUsedResponse>
+    http_version:
+  recorded_at: Tue, 27 Jun 2017 04:20:01 GMT
+recorded_with: VCR 3.0.3

data/spec/vcr_cassettes/aws-secret-iam-full.yml

@@ -0,0 +1,101 @@
+---
+http_interactions:
+- request:
+    method: get
+    uri: http://127.0.0.1:8200/v1/aws/creds/iam-full-access
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      - application/json
+      User-Agent:
+      - Ruby
+      - VaultRuby/0.10.1 (+github.com/hashicorp/vault-ruby)
+      Content-Type:
+      - application/json
+      X-Vault-Token:
+      - "<SOME_VAULT_TOKEN>"
+      Connection:
+      - keep-alive
+      Keep-Alive:
+      - 30
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Cache-Control:
+      - no-store
+      Content-Type:
+      - application/json
+      Date:
+      - Tue, 27 Jun 2017 04:19:57 GMT
+      Content-Length:
+      - '340'
+    body:
+      encoding: UTF-8
+      string: '{"request_id":"bdd1533a-8fd5-53a5-3184-3f626e0db82d","lease_id":"aws/creds/iam-full-access/7223902d-b542-0424-1f24-ff035265b280","renewable":true,"lease_duration":1382400,"data":{"access_key":"AKIAJFIVGUHU7PZKXV5A","secret_key":"👻","security_token":null},"wrap_info":null,"warnings":null,"auth":null}
+
+'
+    http_version:
+  recorded_at: Tue, 27 Jun 2017 04:19:57 GMT
+- request:
+    method: post
+    uri: https://iam.amazonaws.com/
+    body:
+      encoding: UTF-8
+      string: AccessKeyId=AKIAJFIVGUHU7PZKXV5A&Action=GetAccessKeyLastUsed&Version=2010-05-08
+    headers:
+      Content-Type:
+      - application/x-www-form-urlencoded; charset=utf-8
+      Accept-Encoding:
+      - ''
+      User-Agent:
+      - aws-sdk-ruby2/2.10.3 ruby/2.4.1 x86_64-darwin16
+      X-Amz-Date:
+      - 20170627T041957Z
+      Host:
+      - iam.amazonaws.com
+      X-Amz-Content-Sha256:
+      - 165aba1489a27095f4e83bb72c0e1a79d6e9f969c59a5199ddab5ace04c36c77
+      Authorization:
+      - "<SOME_AUTHZ_HEADER>"
+      Content-Length:
+      - '79'
+      Accept:
+      - "*/*"
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      X-Amzn-Requestid:
+      - e122b092-5aef-11e7-9679-d5c1bf3ed860
+      Content-Type:
+      - text/xml
+      Content-Length:
+      - '464'
+      Date:
+      - Tue, 27 Jun 2017 04:19:57 GMT
+    body:
+      encoding: UTF-8
+      string: |
+        <GetAccessKeyLastUsedResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
+          <GetAccessKeyLastUsedResult>
+            <AccessKeyLastUsed>
+              <Region>N/A</Region>
+              <ServiceName>N/A</ServiceName>
+            </AccessKeyLastUsed>
+            <UserName>vault-token-iam-full-access-1498537194-774</UserName>
+          </GetAccessKeyLastUsedResult>
+          <ResponseMetadata>
+            <RequestId>e122b092-5aef-11e7-9679-d5c1bf3ed860</RequestId>
+          </ResponseMetadata>
+        </GetAccessKeyLastUsedResponse>
+    http_version:
+  recorded_at: Tue, 27 Jun 2017 04:19:57 GMT
+recorded_with: VCR 3.0.3

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault-provision
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9
 platform: ruby
 authors:
 - Tom Maher
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-22 00:00:00.000000000 Z
+date: 2017-06-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -99,6 +99,7 @@ files:
 - README.md
 - Rakefile
 - VERSION
+- bin/vault-provision
 - examples/basic/auth/.keep
 - examples/basic/auth/approle/role/backends.json
 - examples/basic/auth/approle/role/frontends.json
@@ -110,6 +111,8 @@ files:
 - examples/basic/auth/ldap/groups/admin.json
 - examples/basic/auth/ldap/groups/operators.json
 - examples/basic/auth/token/.keep
+- examples/basic/aws/roles/iam-full-access.json
+- examples/basic/aws/roles/s3-bucket-custom.json
 - examples/basic/pki-intermediate/config/.keep
 - examples/basic/pki-intermediate/config/crl.json
 - examples/basic/pki-intermediate/config/urls.json
@@ -133,6 +136,7 @@ files:
 - examples/basic/sys/auth/ldap.json
 - examples/basic/sys/auth/token.json
 - examples/basic/sys/mounts/.keep
+- examples/basic/sys/mounts/aws.json
 - examples/basic/sys/mounts/cubbyhole.json
 - examples/basic/sys/mounts/pki-intermediate.json
 - examples/basic/sys/mounts/pki-intermediate/tune.json
@@ -154,6 +158,8 @@ files:
 - lib/vault/provision/auth/ldap.rb
 - lib/vault/provision/auth/ldap/config.rb
 - lib/vault/provision/auth/ldap/groups.rb
+- lib/vault/provision/aws.rb
+- lib/vault/provision/aws/secret-backend.rb
 - lib/vault/provision/generic.rb
 - lib/vault/provision/pki.rb
 - lib/vault/provision/pki/config.rb
@@ -174,8 +180,11 @@ files:
 - lib/vault/provision/sys/auth.rb
 - lib/vault/provision/sys/policy.rb
 - lib/vault_provision.rb
+- log/.keep
 - spec/spec_helper.rb
 - spec/vault_provision_spec.rb
+- spec/vcr_cassettes/aws-secret-custom.yml
+- spec/vcr_cassettes/aws-secret-iam-full.yml
 - vault-provision.gemspec
 homepage: https://github.com/tmaher/vault-provision
 licenses: