jetstack / vault-unsealer

Vault Unseal automation
Apache License 2.0

Document how to get the root key after init #29

Open trondhindenes opened 5 years ago

trondhindenes commented 5 years ago

It would be good to have a few lines in the documentation about how to retrieve the root key after init, to make it possible to log in to Vault.

innovia commented 5 years ago

If you use AWS KMS you can do it with this script:

```bash
#!/usr/bin/env bash
# Fetch the KMS-encrypted unseal keys and root token that vault-unsealer stored
# in AWS SSM Parameter Store, then decrypt them with KMS.
set -euo pipefail

export AWS_DEFAULT_REGION=us-west-2
export AWS_PROFILE=dev

# Ciphertext blobs go into a private temp directory that is removed on exit.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

echo "Fetching Vault unseal keys and root token from AWS..."

# The parameters hold base64-encoded KMS ciphertext; kms decrypt needs the raw blob.
aws ssm get-parameters --names kubernetes-vault-root \
  | jq -r '.Parameters[].Value' | base64 --decode > "$WORKDIR/root-token"

ROOT_TOKEN=$(aws kms decrypt --ciphertext-blob "fileb://$WORKDIR/root-token" \
  --encryption-context Tool=vault-unsealer | jq -r '.Plaintext' | base64 --decode)

# Assumes the default of 5 key shares (kubernetes-vault-unseal-0 .. -4).
for i in {0..4}; do
  aws ssm get-parameters --names "kubernetes-vault-unseal-${i}" \
    | jq -r '.Parameters[].Value' | base64 --decode > "$WORKDIR/unseal-${i}"
  echo "Unseal Key $((i+1)): $(aws kms decrypt --ciphertext-blob "fileb://$WORKDIR/unseal-${i}" \
    --encryption-context Tool=vault-unsealer | jq -r '.Plaintext' | base64 --decode)"
done

echo "Initial Root token: $ROOT_TOKEN"
echo "Done!"
```

trondhindenes commented 5 years ago

Thanks for typing that out! Yes, my question was related to AWS KMS, sorry for not clarifying.