diff --git a/.gitignore b/.gitignore
index 51573bb983b305894841efeebe17ec6ec6cee9d9..495a93b7feb55e3e9f38ffb64b99f5a29e0cf1cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,4 +24,5 @@
 _testmain.go
 *.test
 *.prof
+.env
 vaultenv
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..431a2675b54a3b2ddd47ec998010ae958b74cd2a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+# Vault Environment Tool
+
+The following example sets up a policy with read-only access to secrets, and an 'lts' role that has a token ttl of 10 years.
+
+
+```
+> vault policy-write secret-ro acl.hcl
+> vault write /auth/token/roles/lts allowed_policies="secret-ro" period="87600h"
+> vault token-create -role lts
+
+Key Value
+--- -----
+token 15958ab2-0e1a-3264-ff47-6963ed45aa68
+token_accessor 815f1db5-2fd0-2471-e233-faf6fc9718c9
+token_duration 87600h0m0s
+token_renewable true
+token_policies [default secret-ro]
+
+> export VAULT_TOKEN=15958ab2-0e1a-3264-ff47-6963ed45aa68
+> vault read auth/token/lookup-self
+
+Key Value
+--- -----
+accessor 815f1db5-2fd0-2471-e233-faf6fc9718c9
+creation_time 1478099538
+creation_ttl 315360000
+display_name token
+explicit_max_ttl 0
+id 15958ab2-0e1a-3264-ff47-6963ed45aa68
+meta <nil>
+num_uses 0
+orphan false
+path auth/token/create/lts
+policies [default secret-ro]
+renewable true
+role lts
+ttl 315359676
+```
diff --git a/acl.hcl b/acl.hcl
new file mode 100644
index 0000000000000000000000000000000000000000..03dcb466bdcc0d9efce82ff3603d16c758ddfb02
--- /dev/null
+++ b/acl.hcl
@@ -0,0 +1,3 @@
+path "secret/*" {
+ policy = "read"
+}
diff --git a/cmd/read.go b/cmd/read.go
index fd179953b01f35a7918857a1bc5bb13a339fb166..33cc960e6377c6c1a0cd500b5a6f8cc1d198bcf6 100644
--- a/cmd/read.go
+++ b/cmd/read.go
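Review bot: `policy = "read"` on the middle line of acl.hcl is Vault's legacy policy keyword; the current syntax for the same grant is `capabilities = ["read"]`, and the old form may stop being accepted in newer servers. Because the README pairs this policy with an `lts` role whose tokens last 87600h, the glob `secret/*` hands a ten-year token read access to the entire `secret/` tree; if the tool only needs one application's secrets, narrow the path (e.g. `secret/<app-name>/*`, placeholder) before using this outside the demo. A one-line header comment would also help, e.g. `# read-only access to the secret/ tree; attached to the lts role described in README.md`.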
@@ -4,10 +4,13 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "strings"
 "gitlab.hedenstroem.com/go/vaultenv/vault"
+ "strconv"
+
+ "strings"
+
 "github.com/spf13/cobra"
 "github.com/spf13/viper"
 )
@@ -24,7 +27,10 @@ var readCmd = &cobra.Command{
 if data != nil {
 if viper.GetBool("shell") {
 for k, v := range data {
- fmt.Printf("%s=%s; export %s;\n", strings.ToUpper(k), v, strings.ToUpper(k))
+ qv := strconv.QuoteToASCII(v.(string))
+ qv = strings.Replace(qv, "'", "\\x27", -1)
+ qv = qv[1 : len(qv)-1]
+ fmt.Printf("%s=$'%s'; export %s;\n", k, qv, k)
 }
 } else {
 b, _ := json.MarshalIndent(data, "", "\t")
diff --git a/cmd/write.go b/cmd/write.go
index 74e4bc7569dd9a3a6fc74252269ebef72c358ab2..4c5fae49a4968a415ae9697a0b5cf8c982a77e9d 100644
--- a/cmd/write.go
+++ b/cmd/write.go
@@ -2,6 +2,8 @@ package cmd
 import (
 "errors"
+ "io/ioutil"
+ "os"
 "github.com/spf13/cobra"
 "gitlab.hedenstroem.com/go/vaultenv/vault"
@@ -12,12 +14,21 @@ var writeCmd = &cobra.Command{
 Short: "write Short",
 Long: `write Long`,
 RunE: func(cmd *cobra.Command, args []string) (err error) {
- if len(args) != 3 {
- return errors.New("Expected 3 arguments")
+ if len(args) < 2 {
+ return errors.New("Expected at least 2 arguments")
 }
 data, err := vault.GetSecret(args[0])
 if data != nil {
- data[args[1]] = args[2]
+ if len(args) == 2 {
+ var b []byte
+ b, err = ioutil.ReadAll(os.Stdin)
+ if err != nil {
+ return
+ }
+ data[args[1]] = string(b)
+ } else {
+ data[args[1]] = args[2]
+ }
 err = vault.PostSecret(args[0], data)
 }
 return
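Review bot: The import block of cmd/read.go is no longer grouped the way gofmt/goimports lays it out: the added `"strconv"` sits after the `gitlab.hedenstroem.com/go/vaultenv/vault` import and is separated from `"strings"` by blank lines, so the standard library ends up split across three groups. Keep the stdlib imports in one sorted group (`"encoding/json"`, `"errors"`, `"fmt"`, `"strconv"`, `"strings"`), then a blank line, then the cobra/viper and local imports; running goimports on the file produces that layout.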
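Review bot: `v.(string)` on the first added line of the `--shell` loop is an unchecked type assertion, so any secret whose value is not a string (the map's values are evidently `interface{}`, and Vault can return numbers, booleans or nested maps) panics the whole `read` command, where the old `%s` formatting merely printed it. The value is now properly quoted for `$'…'`, but the key `k` is still interpolated raw into `%s=$'%s'; export %s;`; since this output is meant to be evaluated by a shell, a key containing whitespace, `;` or other shell metacharacters yields a broken or unintended command, so keys should be checked against a shell-identifier pattern and rejected otherwise. The rewrite below does both (assuming readCmd's RunE returns error like writeCmd's; `shellIdent` is a package-level `regexp.MustCompile`, which needs `"regexp"` imported), and records that `$'…'` is bash/zsh/ksh syntax rather than POSIX sh. The `for` loop and the enclosing command function continue outside the hunk.
```go
var shellIdent = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`) // package scope

				for k, v := range data {
					// Only keys that are valid shell identifiers can be exported safely;
					// anything else would break or alter the evaluated line.
					if !shellIdent.MatchString(k) {
						return fmt.Errorf("secret key %q is not a valid shell identifier", k)
					}
					s, ok := v.(string)
					if !ok {
						s = fmt.Sprint(v) // non-string values are printed instead of panicking
					}
					qv := strconv.QuoteToASCII(s)
					qv = strings.Replace(qv, "'", "\\x27", -1)
					qv = qv[1 : len(qv)-1]
					// $'…' quoting is bash/zsh/ksh syntax, not POSIX sh.
					fmt.Printf("%s=$'%s'; export %s;\n", k, qv, k)
				}
```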
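Review bot: The added `"io/ioutil"` import in cmd/write.go brings in a package that has been deprecated since Go 1.16; if the module targets that version or later, import `"io"` instead and call `io.ReadAll` at the single use site in the RunE hunk below. The `"os"` addition is fine, but as in read.go the group is not goimports-clean (stdlib and third-party imports without a separating blank line).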
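Review bot: The new guard `if len(args) < 2` accepts four or more arguments and silently ignores everything after `args[2]`, whereas the old check required exactly three; tighten it to `if len(args) < 2 || len(args) > 3 {` with a matching, lowercase message such as `errors.New("expected 2 or 3 arguments")`. In the stdin branch, `ioutil.ReadAll(os.Stdin)` stores the input verbatim, so `echo value | …` writes a trailing newline into the secret, which is probably unintended for single-line values; if so, strip it with `data[args[1]] = strings.TrimSuffix(string(b), "\n")` (this needs `"strings"` imported in write.go) and document the stdin mode in `Long`, which is still the placeholder text `write Long`. The `RunE` closure and the `writeCmd` literal close outside the hunk.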