Bridgeman-Accessible/custom-hashicorp-vault
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial code commit

Browse source
This commit is contained in:
Alan Bridgeman 2025-05-07 06:30:09 -05:00
parent cf72c0fd43
commit 75d003a3be
12 changed files with 1203 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

211
setup-scripts/app-role-access.py Normal file
View file

@ -0,0 +1,211 @@
#!/usr/bin/env python3
# |*******************************************************************|
# | Setup script |
# | |
# | Author: Alan Bridgeman |
# | Created: 2024-03-30 |
# | |
# | COPYRIGHT © 2024 Bridgeman Accessible/Alan Bridgeman. |
# | |
# | This work is presented AS IS, with no warranty of any kind. |
# | Any modification or use of this script is at the user's own risk. |
# |*******************************************************************|
import os, sys, subprocess, logging
from CommandRunner import CommandRunner
#def run_command(command):
# try:
# result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, check=True)
# return result.stdout.decode('utf-8').strip()
# except subprocess.CalledProcessError as e:
# # Log the error and re-raise or handle as appropriate
# raise RuntimeError(f"Command '{' '.join(command)}' failed with error: {e.stderr}") from e
def create_policy(policy_name: str, policy_capabilities: list[str], policy_path: str = 'secret/*'):
"""Create a policy in vault
Args:
policy_name (str): The name of the policy to create
policy_capabilities (list[str]): The capabilities of the policy (ex. read, write, etc...)
policy_path (str, optional): The path the policy should apply to. Defaults to all secrets (`secret/*`).
"""
policy_caps = '["' + '","'.join(policy_capabilities) + '"]'
policy_content = 'path "' + policy_path + '" {\n capabilities = ' + policy_caps + '\n}'
policy = '<<EOF\n' + policy_content + '\nEOF'
policy_return_code, policy_output, policy_err = CommandRunner.run_command('vault policy write ' + policy_name + ' - ' + policy, False)
if policy_return_code == 2:
logging.error('Failed to create the policy')
logging.error('Policy Output: ' + policy_output)
logging.error('Policy Error: ' + policy_err)
raise RuntimeError('Failed to create the policy')
def get_role_id(role_name: str) -> str:
"""Get the `role_id` for a given role
Args:
role_name (str): The name of the role to get the `role_id` for
Returns:
str: The `role_id` for the given role
"""
# Get the role_id from vault
role_read_path = '/'.join(['auth', 'approle', 'role', role_name, 'role-id'])
role_return_code, role_id, role_err = CommandRunner.run_command('vault read ' + role_read_path + ' | grep role_id | awk \'{print $2}\'')
logging.debug('Role ID: ' + role_id)
return role_id
def get_secret_id(role_name: str) -> str:
"""Get a/the `secret_id` for a given role
Args:
role_name (str): The name of the role to get the `secret_id` for
Returns:
str: The `secret_id` for the given role
"""
# Get the secret_id from vault
secret_write_path = '/'.join(['auth', 'approle', 'role', role_name, 'secret-id'])
secret_return_code, secret_id, secret_err = CommandRunner.run_command('vault write -f ' + secret_write_path + ' | grep "secret_id " | awk \'{print $2}\'')
logging.debug('Secret ID: ' + secret_id)
return secret_id
def create_app_role(role_name: str, policy_name: str) -> tuple[str, str]:
"""Create an approle role and return the role_id and secret_id
Args:
role_name (str): The name of the role to create
policy_name (str): The name of the policy to associate with the role
Returns:
tuple[str, str]: The `role_id` and `secret_id` of the newly created role
"""
# Create a role
role_write_path = '/'.join(['auth', 'approle', 'role', role_name])
role_write_return_code, role_write_output, role_write_err = CommandRunner.run_command('vault write ' + role_write_path + ' token_policies="' + policy_name + '"')
logging.debug(role_write_output)
# Get the role_id
role_id = get_role_id(role_name)
# Get the secret_id
secret_id = get_secret_id(role_name)
return role_id, secret_id
def save_role_vars_to_backup_file(role_name: str, role_id: str, secret_id: str):
"""Save the role_id and secret_id to a backup file (in the `/vault/creds` directory which is mounted to the host)
This is used as a sort of backup in rare case where the `/role_vars/.env` doesn't persist across restarts/instances.
Args:
role_name (str): The name of the role (used as the filename inside of the `/vault/creds` directory)
role_id (str): The `role_id` to save
secret_id (str): The `secret_id` to save
"""
file_name = f'/vault/creds/{role_name}'
logging.debug('File Name: ' + file_name)
# Create the file if it doesn't exist
if not os.path.isfile(file_name):
CommandRunner.run_command('touch "' + file_name + '"')
# Write the role_id and secret_id to the file
with open(file_name, 'w+') as f:
f.write('='.join([os.environ['ROLE_ID_SECRET_NAME'], role_id]) + '\n')
f.write('='.join([os.environ['SECRET_ID_SECRET_NAME'], secret_id]))
def save_role_vars_to_file(role_id: str, secret_id: str):
"""Save the role_id and secret_id to a file (`/role_vars/.env`)
This file can then be loaded/mounted/etc... into other containers or by other scripts to load the values so that the app can load it
Args:
role_id (str): The `role_id` to save
secret_id (str): The `secret_id` to save
"""
# Create the directory if it doesn't exist
if not os.path.isdir('/role_vars'):
os.mkdir('/role_vars')
file_name = '/role_vars/.env'
logging.debug('File Name: ' + file_name)
# Create the file if it doesn't exist
if not os.path.isfile(file_name):
CommandRunner.run_command('touch "' + file_name + '"')
# Write the role_id and secret_id to the file
with open(file_name, 'w+') as f:
f.write('='.join([os.environ['ROLE_ID_SECRET_NAME'], role_id]) + '\n')
f.write('='.join([os.environ['SECRET_ID_SECRET_NAME'], secret_id]))
def main(token: str):
#logging.basicConfig(
# filename='/var/log/entrypoint.log',
# level=logging.DEBUG,
# format='%(asctime)s - %(levelname)s - %(message)s'
#)
# Login to vault
CommandRunner.run_command(f'vault login {token}')
# Enable approle auth method
CommandRunner.run_command('vault auth enable approle')
# -- Create a policy for the app --
# The policy name can be set via the `POLICY_NAME` environment variable
# Or defaults to `node-app-policy` if not set
if 'POLICY_NAME' in os.environ:
policy_name = os.environ['POLICY_NAME']
else:
policy_name = 'node-app-policy'
logging.debug(f'Policy Name: {policy_name}')
# The policy capabilities can be set via the `POLICY_CAPABILITIES` environment variable
# Or defaults to `['read', 'create', 'update']` if not set
if 'POLICY_CAPABILITIES' in os.environ:
policy_capabilities = [cap.strip() for cap in os.environ['POLICY_CAPABILITIES'].split(',')]
else:
policy_capabilities = ['read', 'create', 'update']
logging.debug(f'Policy Capabilities: {', '.join(policy_capabilities)}')
create_policy(policy_name, policy_capabilities)
# -- create an approle role --
# Create a role
if 'ROLE_NAME' in os.environ:
role_name = os.environ['ROLE_NAME']
else:
role_name = 'node-app'
role_id, secret_id = create_app_role(role_name, policy_name)
# Save the role_id and secret_id to a backup file
save_role_vars_to_backup_file(role_name, role_id, secret_id)
# Save the role_id and secret_id to a file
save_role_vars_to_file(role_id, secret_id)
if __name__ == '__main__':
token = sys.argv[1]
main(token)