vault-provision 0.1.8 → 0.1.9
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.rubocop.yml +3 -0
- data/Gemfile +10 -2
- data/Gemfile.lock +58 -14
- data/VERSION +1 -1
- data/bin/vault-provision +44 -0
- data/examples/basic/aws/roles/iam-full-access.json +3 -0
- data/examples/basic/aws/roles/s3-bucket-custom.json +15 -0
- data/examples/basic/sys/mounts/aws.json +8 -0
- data/lib/vault/provision/aws/secret-backend.rb +74 -0
- data/lib/vault/provision/aws.rb +3 -0
- data/lib/vault/provision/prototype.rb +6 -3
- data/lib/vault/provision.rb +6 -1
- data/log/.keep +0 -0
- data/spec/spec_helper.rb +27 -0
- data/spec/vault_provision_spec.rb +51 -0
- data/spec/vcr_cassettes/aws-secret-custom.yml +101 -0
- data/spec/vcr_cassettes/aws-secret-iam-full.yml +101 -0
- metadata +11 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0edcd40874242ad1c2e953a14261cb02ad1e0ef9
|
4
|
+
data.tar.gz: bfb7aff56d0bf2c7fe54c12c7d2601e84c43d6f9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 68669b47d77cbd56423c1d105018bc01cb86351c118edbc728cfe65d58477d1656e315003e886df1f65aa1df016a04d33b5be17423556670f0810f3cd7228b09
|
7
|
+
data.tar.gz: 6d2810d47c3657ef12fd852929062ad89eead48d471a2293f1fbd481d568b3674df613ea922a36dd8ed55c704384b270ed6ce8276f9d3cc510d742ec62efbea6
|
data/.gitignore
CHANGED
data/.rubocop.yml
CHANGED
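--- a/data/Gemfile
+++ b/data/Gemfile
@@ -3,9 +3,17 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'rake', '~>12.0'
-gem 'rspec', '~>3.5.0'
-gem 'rspec-core', '~>3.5.4'
 
 gem 'activesupport', '~>5.0.2'
 gem 'rhcl', '~>0.1.0'
 gem 'vault', '~>0.10'
+
+group :development, :test do
+gem 'aws-sdk', '~>2.10.3'
+gem 'rspec', '~>3.6.0'
+gem 'rspec-core', '~>3.6.0'
+gem 'rubocop', '~>0.49.1'
+gem 'rubocop-github', '~>0.5.0'
+gem 'vcr', '~>3.0.3'
+gem 'webmock', '~>3.0.1'
+end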
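Review bot: `bin/vault-provision`, added in this commit, does `require 'trollop'`, but no `trollop` gem is declared here and the runtime dependency list comes from the gemspec (`gemspec` at the top of the hunk), whose change is not visible on this page; unless the gemspec adds it as a runtime dependency the installed executable fails with `LoadError` on its first line. The fix belongs in the gemspec (`spec.add_runtime_dependency 'trollop'`), not in the `:development, :test` group added here, because the executable needs it at install time. The rest of the hunk is test tooling only.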
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
vault-provision (0.1.
|
4
|
+
vault-provision (0.1.8)
|
5
5
|
activesupport (~> 5.0, >= 5.0.2)
|
6
6
|
rhcl (~> 0.1.0)
|
7
7
|
vault (~> 0.10)
|
@@ -14,43 +14,87 @@ GEM
|
|
14
14
|
i18n (~> 0.7)
|
15
15
|
minitest (~> 5.1)
|
16
16
|
tzinfo (~> 1.1)
|
17
|
+
addressable (2.5.1)
|
18
|
+
public_suffix (~> 2.0, >= 2.0.2)
|
19
|
+
ast (2.3.0)
|
20
|
+
aws-sdk (2.10.3)
|
21
|
+
aws-sdk-resources (= 2.10.3)
|
22
|
+
aws-sdk-core (2.10.3)
|
23
|
+
aws-sigv4 (~> 1.0)
|
24
|
+
jmespath (~> 1.0)
|
25
|
+
aws-sdk-resources (2.10.3)
|
26
|
+
aws-sdk-core (= 2.10.3)
|
27
|
+
aws-sigv4 (1.0.0)
|
17
28
|
concurrent-ruby (1.0.5)
|
29
|
+
crack (0.4.3)
|
30
|
+
safe_yaml (~> 1.0.0)
|
18
31
|
deep_merge (1.1.1)
|
19
32
|
diff-lcs (1.3)
|
33
|
+
hashdiff (0.3.4)
|
20
34
|
i18n (0.8.4)
|
35
|
+
jmespath (1.3.1)
|
21
36
|
minitest (5.10.2)
|
37
|
+
parallel (1.11.2)
|
38
|
+
parser (2.4.0.0)
|
39
|
+
ast (~> 2.2)
|
40
|
+
powerpack (0.1.1)
|
41
|
+
public_suffix (2.0.5)
|
42
|
+
rainbow (2.2.2)
|
43
|
+
rake
|
22
44
|
rake (12.0.0)
|
23
45
|
rhcl (0.1.0)
|
24
46
|
deep_merge
|
25
|
-
rspec (3.
|
26
|
-
rspec-core (~> 3.
|
27
|
-
rspec-expectations (~> 3.
|
28
|
-
rspec-mocks (~> 3.
|
29
|
-
rspec-core (3.
|
30
|
-
rspec-support (~> 3.
|
31
|
-
rspec-expectations (3.
|
47
|
+
rspec (3.6.0)
|
48
|
+
rspec-core (~> 3.6.0)
|
49
|
+
rspec-expectations (~> 3.6.0)
|
50
|
+
rspec-mocks (~> 3.6.0)
|
51
|
+
rspec-core (3.6.0)
|
52
|
+
rspec-support (~> 3.6.0)
|
53
|
+
rspec-expectations (3.6.0)
|
32
54
|
diff-lcs (>= 1.2.0, < 2.0)
|
33
|
-
rspec-support (~> 3.
|
34
|
-
rspec-mocks (3.
|
55
|
+
rspec-support (~> 3.6.0)
|
56
|
+
rspec-mocks (3.6.0)
|
35
57
|
diff-lcs (>= 1.2.0, < 2.0)
|
36
|
-
rspec-support (~> 3.
|
37
|
-
rspec-support (3.
|
58
|
+
rspec-support (~> 3.6.0)
|
59
|
+
rspec-support (3.6.0)
|
60
|
+
rubocop (0.49.1)
|
61
|
+
parallel (~> 1.10)
|
62
|
+
parser (>= 2.3.3.1, < 3.0)
|
63
|
+
powerpack (~> 0.1)
|
64
|
+
rainbow (>= 1.99.1, < 3.0)
|
65
|
+
ruby-progressbar (~> 1.7)
|
66
|
+
unicode-display_width (~> 1.0, >= 1.0.1)
|
67
|
+
rubocop-github (0.5.0)
|
68
|
+
rubocop (~> 0.49)
|
69
|
+
ruby-progressbar (1.8.1)
|
70
|
+
safe_yaml (1.0.4)
|
38
71
|
thread_safe (0.3.6)
|
39
72
|
tzinfo (1.2.3)
|
40
73
|
thread_safe (~> 0.1)
|
74
|
+
unicode-display_width (1.3.0)
|
41
75
|
vault (0.10.1)
|
76
|
+
vcr (3.0.3)
|
77
|
+
webmock (3.0.1)
|
78
|
+
addressable (>= 2.3.6)
|
79
|
+
crack (>= 0.3.2)
|
80
|
+
hashdiff
|
42
81
|
|
43
82
|
PLATFORMS
|
44
83
|
ruby
|
45
84
|
|
46
85
|
DEPENDENCIES
|
47
86
|
activesupport (~> 5.0.2)
|
87
|
+
aws-sdk (~> 2.10.3)
|
48
88
|
rake (~> 12.0)
|
49
89
|
rhcl (~> 0.1.0)
|
50
|
-
rspec (~> 3.
|
51
|
-
rspec-core (~> 3.
|
90
|
+
rspec (~> 3.6.0)
|
91
|
+
rspec-core (~> 3.6.0)
|
92
|
+
rubocop (~> 0.49.1)
|
93
|
+
rubocop-github (~> 0.5.0)
|
52
94
|
vault (~> 0.10)
|
53
95
|
vault-provision!
|
96
|
+
vcr (~> 3.0.3)
|
97
|
+
webmock (~> 3.0.1)
|
54
98
|
|
55
99
|
BUNDLED WITH
|
56
100
|
1.15.1
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.1.
|
1
|
+
0.1.9
|
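--- /dev/null
+++ b/data/bin/vault-provision
@@ -0,0 +1,44 @@
+#!/usr/bin/env ruby
+
+require 'trollop'
+require 'vault'
+require 'vault_provision'
+
+prog_name = File.basename $PROGRAM_NAME
+opts = Trollop.options do
+banner <<-EOS
+Provision a Vault configuration
+
+Usage:
+
+$ export VAULT_ADDR='https://<my-vault-server:8200>'
+$ export VAULT_TOKEN=<my-vault-root-token>
+$ #{prog_name} --dir /path/to/provisioning-data
+.
+EOS
+opt :dir,
+'Root directory of provisioning data. For example, ./bin/vault-provision --dir ./examples/basic',
+type: :string
+opt :destructive,
+'Regenerate the PKI CA keys (DANGEROUS)',
+default: false
+opt :addr,
+'vault address (overrides VAULT_ADDR)',
+type: :string, default: ENV['VAULT_ADDR']
+opt :token,
+'vault token (overrides VAULT_TOKEN)',
+type: :string, default: ENV['VAULT_TOKEN']
+end
+
+Trollop.die :dir, "need a directory" if opts[:dir].nil?
+Trollop.die :dir, "#{opts[:dir]} isn't a directory" unless FileTest.directory?(opts[:dir])
+
+Trollop.die :addr, "need VAULT_ADDR set" unless opts[:addr]
+Trollop.die :token, "need VAULT_TOKEN set" unless opts[:token]
+
+signatories = {'pki-intermediate': 'pki-root'}
+Vault::Provision.new(opts[:dir],
+address: opts[:addr],
+token: opts[:token],
+intermediate_issuer: signatories,
+pki_allow_destructive: opts[:destructive]).provision!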
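Review bot: `opt :token, ..., default: ENV['VAULT_TOKEN']` feeds the live Vault token into Trollop's help output (Trollop prints each option's default in `--help`) and invites passing it as `--token`, where it lands in shell history and process listings; drop the default and fall back after parsing instead: `opt :token, 'vault token (overrides VAULT_TOKEN)', type: :string`, then `token = opts[:token] || ENV['VAULT_TOKEN']` and `Trollop.die :token, "need VAULT_TOKEN set" unless token`, passing `token:` to `Vault::Provision.new`. The address can keep its default; it is not secret. Separately, the script never passes `aws_update_creds:` to `Vault::Provision.new`, and that keyword defaults to false in `provision.rb`, so through this executable `Aws::SecretBackend#provision_config_and_creds!` always returns early; an explicit `opt :aws_update_creds` flag (described as pushing AWS root credentials from the environment) appears to be missing.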
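--- /dev/null
+++ b/data/lib/vault/provision/aws/secret-backend.rb
@@ -0,0 +1,74 @@
+# AWS Secret backend, or, IAM credentials as a service
+# https://www.vaultproject.io/docs/secrets/aws/index.html
+class Vault::Provision::Aws::SecretBackend < Vault::Provision::Prototype
+AWS_REGION_DEFAULT = 'us-east-1'.freeze
+
+class Vault::Provision::Aws::SecretBackend::NoCredsError < RuntimeError
+end
+
+attr_accessor :access_key, :secret_key, :region
+
+def provision!
+provision_config_and_creds!
+provision_roles!
+end
+
+def provision_config_and_creds!
+return unless @aws_update_creds
+mounts_by_type('aws').each do |mp|
+mp_prefix = mp.to_s == 'aws' ? '' : "#{mp}_"
+
+@access_key = ENV["#{mp_prefix}AWS_ACCESS_KEY_ID"]
+@secret_key = ENV["#{mp_prefix}AWS_SECRET_ACCESS_KEY"]
+@region = ENV["#{mp_prefix}AWS_REGION"] || AWS_REGION_DEFAULT
+
+if @access_key.nil? || @secret_key.nil?
+raise NoCredsError,
+"set environment variables #{mp_prefix}AWS_ACCESS_KEY_ID) and #{mp_prefix}AWS_SECRET_ACCESS_KEY"
+end
+
+aws_config = JSON.dump(access_key: @access_key,
+secret_key: @secret_key,
+region: @region)
+
+puts " * AWS secret mount point #{mp} config (INCLUDING SECRET)"
+@vault.post "v1/#{mp}/config/root", aws_config
+
+lease_config = "#{@instance_dir}/#{mp}/config/lease.json"
+next unless FileTest.readable? lease_config
+
+validate_file! lease_config
+puts " * #{mp}/config/lease"
+@vault.post "v1/#{mp}/config/lease", File.read(lease_config)
+end
+end
+
+def normalize_role role_file_path
+role_json = File.read(role_file_path)
+role = JSON.parse(role_json)
+
+if role['arn'] || role['policy']
+role_json
+elsif role['Version'] && role['Statement']
+JSON.dump(policy: role_json)
+end
+end
+
+def provision_roles!
+mounts_by_type('aws').each do |mp|
+next unless Dir.exist? "#{@instance_dir}/#{mp}"
+puts " * AWS secret mount point #{mp} roles"
+
+Find.find("#{@instance_dir}/#{mp}/roles").each do |rf|
+next unless rf.end_with? '.json'
+validate_file! rf
+role_definition = normalize_role rf
+next if role_definition.nil?
+role_path = rf.sub(%r{\A#{@instance_dir}\/}, '').sub(/.json\z/, '')
+
+puts " * #{role_path}"
+@vault.post "v1/#{role_path}", role_definition
+end
+end
+end
+end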
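Review bot: The `return unless @aws_update_creds` at the top of `provision_config_and_creds!` also skips the `config/lease` upload further down, which as far as this hunk shows does not depend on AWS root credentials; guarding only the `config/root` part (from the ENV reads through `@vault.post "v1/#{mp}/config/root", aws_config`) with `next unless @aws_update_creds` inside the loop would let lease settings be provisioned without handing the tool root keys at all. Two smaller defects in the same hunk: the `NoCredsError` message has a stray `)` after `AWS_ACCESS_KEY_ID`, and `rf.sub(%r{\A#{@instance_dir}\/}, '')` interpolates the directory into a regex unescaped, so it should read `rf.sub(%r{\A#{Regexp.escape(@instance_dir)}/}, '').sub(/\.json\z/, '')`. `normalize_role` returns nil for a file that is neither a role nor an IAM policy document and `provision_roles!` then silently drops it; a `warn "skipping #{rf}: not a role or IAM policy document"` before the `next` would surface misconfigured role files. Also note that for a mount not named `aws` the variable names become e.g. `my-mount_AWS_ACCESS_KEY_ID`, which `export` in bash/sh rejects when the mount name contains `-`, so the prefix probably wants upcasing with `-` mapped to `_`.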
@@ -9,6 +9,7 @@ class Vault::Provision::Prototype
|
|
9
9
|
@instance_dir = boss.instance_dir
|
10
10
|
@intermediate_issuer = boss.intermediate_issuer
|
11
11
|
@pki_allow_destructive = boss.pki_allow_destructive
|
12
|
+
@aws_update_creds = boss.aws_update_creds
|
12
13
|
end
|
13
14
|
|
14
15
|
def repo_prefix
|
@@ -24,12 +25,14 @@ class Vault::Provision::Prototype
|
|
24
25
|
Find.find(repo_path).select { |rf| rf.end_with?('.json') }
|
25
26
|
end
|
26
27
|
|
27
|
-
def
|
28
|
+
def mounts_by_type type
|
28
29
|
mounts = @vault.sys.mounts
|
29
|
-
|
30
|
+
mounts.keys.select { |mp| mounts[mp].type == type }
|
31
|
+
end
|
30
32
|
|
33
|
+
def repo_files_by_mount_type type
|
31
34
|
files = []
|
32
|
-
|
35
|
+
mounts_by_type(type).each do |mp|
|
33
36
|
next unless Dir.exist? "#{@instance_dir}/#{mp}"
|
34
37
|
Find.find("#{@instance_dir}/#{mp}").each do |rf|
|
35
38
|
next unless rf.end_with? '.json'
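Review bot: `mounts.keys.select { |mp| mounts[mp].type == type }` in `mounts_by_type` indexes back into the hash whose keys it iterates; `mounts.select { |_name, mount| mount.type == type }.keys` says the same thing directly. Each call also performs a `sys/mounts` round trip, and the new `Aws::SecretBackend` calls it once per pass plus once more via `repo_files_by_mount_type`, so memoizing the mount list for the duration of a provisioning run is worth considering. `repo_files_by_mount_type` continues past the end of the hunk.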
|
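--- a/data/lib/vault/provision.rb
+++ b/data/lib/vault/provision.rb
@@ -8,22 +8,26 @@ require 'vault/provision/auth'
 require 'vault/provision/sys'
 require 'vault/provision/pki'
 require 'vault/provision/secret'
+require 'vault/provision/aws'
 
 # controller for the children
 class Vault::Provision
 SYSTEM_POLICIES = ['response-wrapping', 'root'].freeze
 
 attr_accessor :vault, :instance_dir,
-:intermediate_issuer, :pki_allow_destructive
+:intermediate_issuer, :pki_allow_destructive,
+:aws_update_creds
 
 def initialize instance_dir,
 address: ENV['VAULT_ADDR'],
 token: ENV['VAULT_TOKEN'],
+aws_update_creds: false,
 intermediate_issuer: {},
 pki_allow_destructive: false
 
 @instance_dir = instance_dir
 @vault = Vault::Client.new address: address, token: token
+@aws_update_creds = aws_update_creds
 @intermediate_issuer = intermediate_issuer
 @pki_allow_destructive = pki_allow_destructive
 @handlers = [
@@ -35,6 +39,7 @@ class Vault::Provision
 Pki::Config::Urls,
 Pki::Roles,
 Secret,
+Aws::SecretBackend,
 Sys::Policy,
 Auth::Ldap::Groups,
 Auth::Approle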
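Review bot: The new `aws_update_creds:` keyword on `initialize` is undocumented, and what it enables is the most sensitive thing this class does: `Aws::SecretBackend` reads AWS root credentials from the environment and writes them into each `aws`-type mount's `config/root`. A comment above the parameter would help, e.g. `# aws_update_creds: when true, Aws::SecretBackend reads AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (prefixed with the mount name for mounts other than "aws") from ENV and posts them to <mount>/config/root; defaults to false so a plain provisioning run never touches root credentials`. Ordering in `@handlers` also deserves a one-line note, since `Aws::SecretBackend` can only configure a mount that an earlier handler has already created.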
data/log/.keep
ADDED
File without changes
|
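--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -3,6 +3,8 @@ $: << "#{GEM_DIR}/lib"
 
 require 'vault_provision'
 require 'open3'
+require 'aws-sdk'
+require 'vcr'
 
 DEV_VAULT_TOKEN = 'kittens'.freeze
 DEV_VAULT_ADDR = 'http://127.0.0.1:8200'.freeze
@@ -17,6 +19,20 @@ Vault.configure do |config|
 config.token = DEV_VAULT_TOKEN
 end
 
+VCR.configure do |config|
+config.cassette_library_dir = "spec/vcr_cassettes"
+config.debug_logger = File.open("log/vcr.log", 'w')
+config.hook_into :webmock
+config.allow_http_connections_when_no_cassette = true
+
+config.filter_sensitive_data('<SOME_VAULT_TOKEN>') do |i|
+i.request.headers['X-Vault-Token'].first unless i.request.headers['X-Vault-Token'].nil?
+end
+config.filter_sensitive_data('<SOME_AUTHZ_HEADER>') do |i|
+i.request.headers['Authorization'].first unless i.request.headers['Authorization'].nil?
+end
+end
+
 def vault_server
 stdin, stdout, stderr, server = Open3.popen3('vault server -dev')
 cleanup = lambda do |_|
@@ -40,9 +56,20 @@ RSpec.configure do |config|
 config.raise_errors_for_deprecations!
 end
 
+Aws.config.update(
+credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'],
+ENV['AWS_SECRET_ACCESS_KEY'])
+)
+
+def iam_client
+@iam_client ||= Aws::IAM::Client.new
+end
+
+
 @server = vault_server
 signatories = {'pki-intermediate': 'pki-root'}
 
 Vault::Provision.new(EXAMPLE_DIR,
 intermediate_issuer: signatories,
+aws_update_creds: ! ENV['AWS_SECRET_ACCESS_KEY'].nil?,
 pki_allow_destructive: true).provision!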
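Review bot: The two `filter_sensitive_data` blocks scrub only request headers; the `secret_key` that Vault returns in the body of `v1/aws/creds/*` responses is not filtered, and the committed cassettes carry it as `"secret_key":"👻"`, which looks hand-edited, so the next re-recording would write a live IAM secret key into `spec/vcr_cassettes/`. A body filter next to the header filters, as below, closes that gap (`JSON` is already loaded by the library under test). `config.debug_logger = File.open("log/vcr.log", 'w')` writes interaction details that the cassette filters do not touch; confirm `log/vcr.log` is covered by the `.gitignore` change in this commit (not shown here) so it is neither committed nor packaged. `aws_update_creds: ! ENV['AWS_SECRET_ACCESS_KEY'].nil?` reads more naturally as `aws_update_creds: ENV.key?('AWS_SECRET_ACCESS_KEY')`.
```ruby
# … unchanged: cassette_library_dir, debug_logger, hook_into, allow_http_connections_when_no_cassette …
config.filter_sensitive_data('<SOME_AWS_SECRET_KEY>') do |i|
  next unless i.request.uri.include?('/v1/aws/creds/')
  body = i.response.body
  next if body.nil? || body.empty?
  JSON.parse(body).dig('data', 'secret_key')
end
# … unchanged: X-Vault-Token and Authorization header filters …
```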
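--- a/data/spec/vault_provision_spec.rb
+++ b/data/spec/vault_provision_spec.rb
@@ -111,4 +111,55 @@ describe Vault::Provision do
 expect(yummy[:data]).to be
 expect(yummy[:data][:bear]).to be == '🐻 rawr!'
 end
+
+it "has AWS roles" do
+resp = client.get 'v1/aws/roles/iam-full-access'
+expect(resp[:data]).to be
+expect(resp[:data][:arn]).to be == 'arn:aws:iam::aws:policy/IAMFullAccess'
+end
+
+it "does not have nonexistant AWS roles" do
+expect {
+client.get('v1/aws/roles/your-mom')
+}.to raise_error(Vault::HTTPClientError)
+end
+
+it "can create valid IAM credentials with AWS managed policies" do
+unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
+skip "To test - plz set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
+end
+
+VCR.use_cassette('aws-secret-iam-full', tag: :aws_secret) do
+resp = client.get 'v1/aws/creds/iam-full-access'
+expect(resp[:data]).to be
+
+access_key = resp[:data][:access_key]
+secret_key = resp[:data][:secret_key]
+
+expect(access_key).to match(%r{\AAKIA})
+expect(secret_key).to be
+
+last_used = iam_client.get_access_key_last_used access_key_id: access_key
+expect(last_used).to be
+expect(last_used.user_name).to be
+end
+end
+it "can create valid IAM credentials with custom policies" do
+unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
+skip "To test - plz set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
+end
+
+VCR.use_cassette('aws-secret-custom', tag: :aws_secret) do
+resp = client.get 'v1/aws/creds/s3-bucket-custom'
+expect(resp[:data]).to be
+
+access_key = resp[:data][:access_key]
+secret_key = resp[:data][:secret_key]
+expect(access_key).to match(%r{\AAKIA})
+expect(secret_key).to be
+last_used = iam_client.get_access_key_last_used access_key_id: access_key
+expect(last_used).to be
+expect(last_used.user_name).to be
+end
+end
 end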
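Review bot: The two `can create valid IAM credentials ...` examples are line-for-line copies that differ only in cassette name and role path; a helper such as `def expect_valid_creds(role, cassette)` wrapping the `VCR.use_cassette` block (with the env-var `skip` guard inside it) would halve the hunk and keep the assertions from drifting apart. `expect(last_used).to be` and `expect(last_used.user_name).to be` only assert non-nil; the recorded cassettes show user names of the form `vault-token-<role>-...`, so `expect(last_used.user_name).to start_with("vault-token-#{role}")` would pin what the backend actually produced, if that naming is stable. The description `does not have nonexistant AWS roles` misspells nonexistent.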
@@ -0,0 +1,101 @@
|
|
1
|
+
---
|
2
|
+
http_interactions:
|
3
|
+
- request:
|
4
|
+
method: get
|
5
|
+
uri: http://127.0.0.1:8200/v1/aws/creds/s3-bucket-custom
|
6
|
+
body:
|
7
|
+
encoding: US-ASCII
|
8
|
+
string: ''
|
9
|
+
headers:
|
10
|
+
Accept-Encoding:
|
11
|
+
- gzip;q=1.0,deflate;q=0.6,identity;q=0.3
|
12
|
+
Accept:
|
13
|
+
- "*/*"
|
14
|
+
- application/json
|
15
|
+
User-Agent:
|
16
|
+
- Ruby
|
17
|
+
- VaultRuby/0.10.1 (+github.com/hashicorp/vault-ruby)
|
18
|
+
Content-Type:
|
19
|
+
- application/json
|
20
|
+
X-Vault-Token:
|
21
|
+
- "<SOME_VAULT_TOKEN>"
|
22
|
+
Connection:
|
23
|
+
- keep-alive
|
24
|
+
Keep-Alive:
|
25
|
+
- 30
|
26
|
+
response:
|
27
|
+
status:
|
28
|
+
code: 200
|
29
|
+
message: OK
|
30
|
+
headers:
|
31
|
+
Cache-Control:
|
32
|
+
- no-store
|
33
|
+
Content-Type:
|
34
|
+
- application/json
|
35
|
+
Date:
|
36
|
+
- Tue, 27 Jun 2017 04:20:00 GMT
|
37
|
+
Content-Length:
|
38
|
+
- '341'
|
39
|
+
body:
|
40
|
+
encoding: UTF-8
|
41
|
+
string: '{"request_id":"4528ce31-0035-c0d4-cdf7-88b6609f4d39","lease_id":"aws/creds/s3-bucket-custom/8a4b6841-9d84-5d22-1c34-833db38505bc","renewable":true,"lease_duration":1382400,"data":{"access_key":"AKIAJFFYUHMANU2HTQMA","secret_key":"👻","security_token":null},"wrap_info":null,"warnings":null,"auth":null}
|
42
|
+
|
43
|
+
'
|
44
|
+
http_version:
|
45
|
+
recorded_at: Tue, 27 Jun 2017 04:20:00 GMT
|
46
|
+
- request:
|
47
|
+
method: post
|
48
|
+
uri: https://iam.amazonaws.com/
|
49
|
+
body:
|
50
|
+
encoding: UTF-8
|
51
|
+
string: AccessKeyId=AKIAJFFYUHMANU2HTQMA&Action=GetAccessKeyLastUsed&Version=2010-05-08
|
52
|
+
headers:
|
53
|
+
Content-Type:
|
54
|
+
- application/x-www-form-urlencoded; charset=utf-8
|
55
|
+
Accept-Encoding:
|
56
|
+
- ''
|
57
|
+
User-Agent:
|
58
|
+
- aws-sdk-ruby2/2.10.3 ruby/2.4.1 x86_64-darwin16
|
59
|
+
X-Amz-Date:
|
60
|
+
- 20170627T042000Z
|
61
|
+
Host:
|
62
|
+
- iam.amazonaws.com
|
63
|
+
X-Amz-Content-Sha256:
|
64
|
+
- cfefefd3f69aeb1bd3e0b4e716a1d631045bb8927d42e70c3a66e839d36405b0
|
65
|
+
Authorization:
|
66
|
+
- "<SOME_AUTHZ_HEADER>"
|
67
|
+
Content-Length:
|
68
|
+
- '79'
|
69
|
+
Accept:
|
70
|
+
- "*/*"
|
71
|
+
response:
|
72
|
+
status:
|
73
|
+
code: 200
|
74
|
+
message: OK
|
75
|
+
headers:
|
76
|
+
X-Amzn-Requestid:
|
77
|
+
- e30c57e7-5aef-11e7-8709-2f131dd3413d
|
78
|
+
Content-Type:
|
79
|
+
- text/xml
|
80
|
+
Content-Length:
|
81
|
+
- '466'
|
82
|
+
Date:
|
83
|
+
- Tue, 27 Jun 2017 04:20:00 GMT
|
84
|
+
body:
|
85
|
+
encoding: UTF-8
|
86
|
+
string: |
|
87
|
+
<GetAccessKeyLastUsedResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
|
88
|
+
<GetAccessKeyLastUsedResult>
|
89
|
+
<AccessKeyLastUsed>
|
90
|
+
<Region>N/A</Region>
|
91
|
+
<ServiceName>N/A</ServiceName>
|
92
|
+
</AccessKeyLastUsed>
|
93
|
+
<UserName>vault-token-s3-bucket-custom-1498537197-4154</UserName>
|
94
|
+
</GetAccessKeyLastUsedResult>
|
95
|
+
<ResponseMetadata>
|
96
|
+
<RequestId>e30c57e7-5aef-11e7-8709-2f131dd3413d</RequestId>
|
97
|
+
</ResponseMetadata>
|
98
|
+
</GetAccessKeyLastUsedResponse>
|
99
|
+
http_version:
|
100
|
+
recorded_at: Tue, 27 Jun 2017 04:20:01 GMT
|
101
|
+
recorded_with: VCR 3.0.3
|
@@ -0,0 +1,101 @@
|
|
1
|
+
---
|
2
|
+
http_interactions:
|
3
|
+
- request:
|
4
|
+
method: get
|
5
|
+
uri: http://127.0.0.1:8200/v1/aws/creds/iam-full-access
|
6
|
+
body:
|
7
|
+
encoding: US-ASCII
|
8
|
+
string: ''
|
9
|
+
headers:
|
10
|
+
Accept-Encoding:
|
11
|
+
- gzip;q=1.0,deflate;q=0.6,identity;q=0.3
|
12
|
+
Accept:
|
13
|
+
- "*/*"
|
14
|
+
- application/json
|
15
|
+
User-Agent:
|
16
|
+
- Ruby
|
17
|
+
- VaultRuby/0.10.1 (+github.com/hashicorp/vault-ruby)
|
18
|
+
Content-Type:
|
19
|
+
- application/json
|
20
|
+
X-Vault-Token:
|
21
|
+
- "<SOME_VAULT_TOKEN>"
|
22
|
+
Connection:
|
23
|
+
- keep-alive
|
24
|
+
Keep-Alive:
|
25
|
+
- 30
|
26
|
+
response:
|
27
|
+
status:
|
28
|
+
code: 200
|
29
|
+
message: OK
|
30
|
+
headers:
|
31
|
+
Cache-Control:
|
32
|
+
- no-store
|
33
|
+
Content-Type:
|
34
|
+
- application/json
|
35
|
+
Date:
|
36
|
+
- Tue, 27 Jun 2017 04:19:57 GMT
|
37
|
+
Content-Length:
|
38
|
+
- '340'
|
39
|
+
body:
|
40
|
+
encoding: UTF-8
|
41
|
+
string: '{"request_id":"bdd1533a-8fd5-53a5-3184-3f626e0db82d","lease_id":"aws/creds/iam-full-access/7223902d-b542-0424-1f24-ff035265b280","renewable":true,"lease_duration":1382400,"data":{"access_key":"AKIAJFIVGUHU7PZKXV5A","secret_key":"👻","security_token":null},"wrap_info":null,"warnings":null,"auth":null}
|
42
|
+
|
43
|
+
'
|
44
|
+
http_version:
|
45
|
+
recorded_at: Tue, 27 Jun 2017 04:19:57 GMT
|
46
|
+
- request:
|
47
|
+
method: post
|
48
|
+
uri: https://iam.amazonaws.com/
|
49
|
+
body:
|
50
|
+
encoding: UTF-8
|
51
|
+
string: AccessKeyId=AKIAJFIVGUHU7PZKXV5A&Action=GetAccessKeyLastUsed&Version=2010-05-08
|
52
|
+
headers:
|
53
|
+
Content-Type:
|
54
|
+
- application/x-www-form-urlencoded; charset=utf-8
|
55
|
+
Accept-Encoding:
|
56
|
+
- ''
|
57
|
+
User-Agent:
|
58
|
+
- aws-sdk-ruby2/2.10.3 ruby/2.4.1 x86_64-darwin16
|
59
|
+
X-Amz-Date:
|
60
|
+
- 20170627T041957Z
|
61
|
+
Host:
|
62
|
+
- iam.amazonaws.com
|
63
|
+
X-Amz-Content-Sha256:
|
64
|
+
- 165aba1489a27095f4e83bb72c0e1a79d6e9f969c59a5199ddab5ace04c36c77
|
65
|
+
Authorization:
|
66
|
+
- "<SOME_AUTHZ_HEADER>"
|
67
|
+
Content-Length:
|
68
|
+
- '79'
|
69
|
+
Accept:
|
70
|
+
- "*/*"
|
71
|
+
response:
|
72
|
+
status:
|
73
|
+
code: 200
|
74
|
+
message: OK
|
75
|
+
headers:
|
76
|
+
X-Amzn-Requestid:
|
77
|
+
- e122b092-5aef-11e7-9679-d5c1bf3ed860
|
78
|
+
Content-Type:
|
79
|
+
- text/xml
|
80
|
+
Content-Length:
|
81
|
+
- '464'
|
82
|
+
Date:
|
83
|
+
- Tue, 27 Jun 2017 04:19:57 GMT
|
84
|
+
body:
|
85
|
+
encoding: UTF-8
|
86
|
+
string: |
|
87
|
+
<GetAccessKeyLastUsedResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
|
88
|
+
<GetAccessKeyLastUsedResult>
|
89
|
+
<AccessKeyLastUsed>
|
90
|
+
<Region>N/A</Region>
|
91
|
+
<ServiceName>N/A</ServiceName>
|
92
|
+
</AccessKeyLastUsed>
|
93
|
+
<UserName>vault-token-iam-full-access-1498537194-774</UserName>
|
94
|
+
</GetAccessKeyLastUsedResult>
|
95
|
+
<ResponseMetadata>
|
96
|
+
<RequestId>e122b092-5aef-11e7-9679-d5c1bf3ed860</RequestId>
|
97
|
+
</ResponseMetadata>
|
98
|
+
</GetAccessKeyLastUsedResponse>
|
99
|
+
http_version:
|
100
|
+
recorded_at: Tue, 27 Jun 2017 04:19:57 GMT
|
101
|
+
recorded_with: VCR 3.0.3
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: vault-provision
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.9
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tom Maher
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-06-
|
11
|
+
date: 2017-06-27 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -99,6 +99,7 @@ files:
|
|
99
99
|
- README.md
|
100
100
|
- Rakefile
|
101
101
|
- VERSION
|
102
|
+
- bin/vault-provision
|
102
103
|
- examples/basic/auth/.keep
|
103
104
|
- examples/basic/auth/approle/role/backends.json
|
104
105
|
- examples/basic/auth/approle/role/frontends.json
|
@@ -110,6 +111,8 @@ files:
|
|
110
111
|
- examples/basic/auth/ldap/groups/admin.json
|
111
112
|
- examples/basic/auth/ldap/groups/operators.json
|
112
113
|
- examples/basic/auth/token/.keep
|
114
|
+
- examples/basic/aws/roles/iam-full-access.json
|
115
|
+
- examples/basic/aws/roles/s3-bucket-custom.json
|
113
116
|
- examples/basic/pki-intermediate/config/.keep
|
114
117
|
- examples/basic/pki-intermediate/config/crl.json
|
115
118
|
- examples/basic/pki-intermediate/config/urls.json
|
@@ -133,6 +136,7 @@ files:
|
|
133
136
|
- examples/basic/sys/auth/ldap.json
|
134
137
|
- examples/basic/sys/auth/token.json
|
135
138
|
- examples/basic/sys/mounts/.keep
|
139
|
+
- examples/basic/sys/mounts/aws.json
|
136
140
|
- examples/basic/sys/mounts/cubbyhole.json
|
137
141
|
- examples/basic/sys/mounts/pki-intermediate.json
|
138
142
|
- examples/basic/sys/mounts/pki-intermediate/tune.json
|
@@ -154,6 +158,8 @@ files:
|
|
154
158
|
- lib/vault/provision/auth/ldap.rb
|
155
159
|
- lib/vault/provision/auth/ldap/config.rb
|
156
160
|
- lib/vault/provision/auth/ldap/groups.rb
|
161
|
+
- lib/vault/provision/aws.rb
|
162
|
+
- lib/vault/provision/aws/secret-backend.rb
|
157
163
|
- lib/vault/provision/generic.rb
|
158
164
|
- lib/vault/provision/pki.rb
|
159
165
|
- lib/vault/provision/pki/config.rb
|
@@ -174,8 +180,11 @@ files:
|
|
174
180
|
- lib/vault/provision/sys/auth.rb
|
175
181
|
- lib/vault/provision/sys/policy.rb
|
176
182
|
- lib/vault_provision.rb
|
183
|
+
- log/.keep
|
177
184
|
- spec/spec_helper.rb
|
178
185
|
- spec/vault_provision_spec.rb
|
186
|
+
- spec/vcr_cassettes/aws-secret-custom.yml
|
187
|
+
- spec/vcr_cassettes/aws-secret-iam-full.yml
|
179
188
|
- vault-provision.gemspec
|
180
189
|
homepage: https://github.com/tmaher/vault-provision
|
181
190
|
licenses:
|