It would be great if you could add support for wrapping and unwrapping of tokens as described in:
https://learn.hashicorp.com/vault/secrets-management/sm-cubbyhole
This would help support the distribution of credentials for bootstrapping clients by storing their credentials in a single and safe location. These are the current steps required in order to access the AppRole credentials I am looking to have implemented.
```bash
# Policy that lets a consumer read the stored AppRole credentials
curl -H "X-Vault-Token:XXX" --request POST \
  --data '{"policy":"path \"secret/data/dev\" {capabilities = [\"read\"]} "}' \
  http://vault:8200/v1/sys/policy/producer-policy

# Read the role-id and generate a secret-id for the AppRole "foo"
# (jq -r strips the JSON quotes so the values can be re-embedded below)
ROLE_ID=$(curl -H "X-Vault-Token:XXX" --request GET \
  http://vault:8200/v1/auth/approle/role/foo/role-id | jq -r .data.role_id)

SECRET_ID=$(curl -H "X-Vault-Token:XXX" --request POST \
  http://vault:8200/v1/auth/approle/role/foo/secret-id | jq -r .data.secret_id)

echo "Store the role id and secret id"
curl -H "X-Vault-Token:XXX" --request POST \
  --data '{"data": {"role_id": "'"${ROLE_ID}"'", "secret_id": "'"${SECRET_ID}"'"} }' \
  http://vault:8200/v1/secret/data/dev

# Wrap it: create a token carrying the policy defined above, but have Vault
# wrap the response; only the single-use wrapping token (8h TTL) is handed out
WRAP_TOKEN=$(curl --header "X-Vault-Wrap-TTL: 28800" \
  -H "X-Vault-Token:XXX" --request POST \
  --data '{"policies":["producer-policy"]}' \
  http://vault:8200/v1/auth/token/create | jq -r .wrap_info.token)

# Get a new token
curl -H "X-Vault-Token:XXX" --request POST \
  --data '{"policies": ["default"]}' \
  http://vault:8200/v1/auth/token/create

# Use the wrap token to unwrap the request; this consumes the wrapping token
CLIENT_TOKEN=$(curl --header "X-Vault-Token: ${WRAP_TOKEN}" --request POST \
  http://vault:8200/v1/sys/wrapping/unwrap | jq -r .auth.client_token)

# Use the new client token to access the secrets that were wrapped
curl --header "X-Vault-Token: ${CLIENT_TOKEN}" \
  http://vault:8200/v1/secret/data/dev
```
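The same wrap/unwrap exchange as a client library would implement it, written as an added example (it is not code from this issue, from Vault, or from the project being asked to add the feature). It assumes the `http://vault:8200` address and the `XXX` admin token used above, a hypothetical `producer-policy`, and an injectable transport so the flow can run offline against a constructed stand-in for Vault; `constructed_vault()` and every token value in it are made up for the demo. The consumer side adds the check Vault's response-wrapping docs recommend: look up the wrapping token's `creation_path` before unwrapping, so a wrapping token that an intermediary unwrapped and re-wrapped (which would show `sys/wrapping/wrap` rather than `auth/token/create`) is rejected, and treat a failed unwrap as a sign the single-use token was already consumed.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# transport(method, url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


class WrapError(Exception):
    """Raised when the wrapping flow did not happen or cannot be trusted."""


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Real HTTP transport for a live Vault (not used by the offline demo)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else {}


def create_wrapped_token(transport: Transport, vault_addr: str, admin_token: str,
                         policies: List[str], wrap_ttl_seconds: int = 28800) -> str:
    """Producer side: create a token with the given policies but ask Vault to wrap
    the response (X-Vault-Wrap-TTL). The caller only ever sees the single-use
    wrapping token, which is what gets handed to the bootstrapping client."""
    resp = transport("POST", f"{vault_addr}/v1/auth/token/create",
                     {"X-Vault-Token": admin_token, "X-Vault-Wrap-TTL": str(wrap_ttl_seconds)},
                     {"policies": policies})
    wrap_info = resp.get("wrap_info") or {}
    if "token" not in wrap_info:
        # A plain "auth" block here means the real token reached us unwrapped.
        raise WrapError("Vault did not wrap the response; refusing to distribute a raw token")
    return wrap_info["token"]


def unwrap_client_token(transport: Transport, vault_addr: str, wrap_token: str,
                        expected_creation_path: str = "auth/token/create") -> str:
    """Consumer side: verify the wrapping token's provenance, then unwrap it once."""
    # sys/wrapping/lookup takes the wrapping token in the body and does not consume it.
    lookup = transport("POST", f"{vault_addr}/v1/sys/wrapping/lookup", {}, {"token": wrap_token})
    creation_path = (lookup.get("data") or {}).get("creation_path")
    if creation_path != expected_creation_path:
        raise WrapError(f"unexpected creation_path {creation_path!r}; token may have been re-wrapped")
    try:
        # The wrapping token authenticates the unwrap call and is consumed by it.
        unwrapped = transport("POST", f"{vault_addr}/v1/sys/wrapping/unwrap",
                              {"X-Vault-Token": wrap_token}, None)
    except Exception as exc:
        raise WrapError("unwrap failed; the wrapping token may already have been used") from exc
    try:
        return unwrapped["auth"]["client_token"]
    except (KeyError, TypeError):
        raise WrapError("unwrapped response did not contain auth.client_token")


def read_secret(transport: Transport, vault_addr: str, client_token: str,
                path: str = "secret/data/dev") -> Dict[str, Any]:
    """KV v2 read with the unwrapped client token, like the last curl in the issue."""
    resp = transport("GET", f"{vault_addr}/v1/{path}", {"X-Vault-Token": client_token}, None)
    return (resp.get("data") or {}).get("data") or {}


def constructed_vault(creation_path: str = "auth/token/create") -> Transport:
    """Constructed stand-in for a Vault server (offline demo only). Models the four
    endpoints used above; all token values are made up."""
    state = {"unwrapped": False}

    def fake(method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if path == "auth/token/create" and headers.get("X-Vault-Wrap-TTL"):
            return {"wrap_info": {"token": "hvs.WRAPTOKEN", "ttl": int(headers["X-Vault-Wrap-TTL"])}}
        if path == "sys/wrapping/lookup" and body.get("token") == "hvs.WRAPTOKEN":
            return {"data": {"creation_path": creation_path, "creation_ttl": 28800}}
        if path == "sys/wrapping/unwrap" and headers.get("X-Vault-Token") == "hvs.WRAPTOKEN":
            if state["unwrapped"]:  # wrapping tokens are single-use
                raise RuntimeError("403: wrapping token is not valid or does not exist")
            state["unwrapped"] = True
            return {"auth": {"client_token": "hvs.CLIENTTOKEN", "policies": ["default", "producer-policy"]}}
        if path == "secret/data/dev" and headers.get("X-Vault-Token") == "hvs.CLIENTTOKEN":
            return {"data": {"data": {"role_id": "constructed-role-id",
                                      "secret_id": "constructed-secret-id"}}}
        raise RuntimeError(f"403: permission denied for {method} {path}")
    return fake


def bootstrap(transport: Transport, vault_addr: str = "http://vault:8200") -> Dict[str, Any]:
    """End to end: producer wraps, consumer verifies and unwraps, consumer reads the creds."""
    wrap_token = create_wrapped_token(transport, vault_addr, "XXX", ["producer-policy"])
    client_token = unwrap_client_token(transport, vault_addr, wrap_token)
    return read_secret(transport, vault_addr, client_token)


if __name__ == "__main__":
    print(bootstrap(constructed_vault()))
```

Swap `constructed_vault()` for `urllib_transport` to run the same `bootstrap()` against a real Vault; the only thing that crosses from producer to consumer is the wrapping token, never the client token or the AppRole credentials.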