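#!/bin/bash
# End-to-end check of Vault namespaces: an Okta-authenticated user is mapped to
# an external identity group in the root namespace, that group is made a member
# of an internal group in namespace "testns", and the resulting token is used
# to read a namespace-local secret.
#
# Inputs (env): VAULT_ADDR/VAULT_TOKEN for a root-capable session (as in the
# original), plus the two values that were redacted from the original paste:
#   OKTA_API_TOKEN  - Okta API token used for auth/okta/config
#   OKTA_PASSWORD   - password of the Okta test user for the login step
#
# Shell options:
#   -e        stop at the first failing command
#   -u        treat an unset variable as an error
#   pipefail  the original had no pipefail, so a failing `vault ... | jq` left
#             the id variable empty with exit status 0 and the next command ran
#             against an empty id; with pipefail the assignment fails instead.
# The original also used -a (export every assignment, including the login
# token) and -x for the whole run; the trace is kept but switched off around
# the two commands that carry secrets so they never reach stderr/logs.
set -euo pipefail

# Validate the secret inputs BEFORE enabling -x: `: "${VAR:?}"` would print the
# expanded value in the trace.
: "${OKTA_API_TOKEN:?set OKTA_API_TOKEN (the value was redacted in the original script)}"
: "${OKTA_PASSWORD:?set OKTA_PASSWORD (the value was redacted in the original script)}"
set -x

#######################################
# Extract a field from a JSON-producing command's output and fail if it is
# missing, instead of silently carrying an empty or "null" id forward.
# Arguments: $1 - jq filter; remaining args - the command to run
# Outputs:   the field value on stdout
# Returns:   0 if a non-empty, non-null value was found, 1 otherwise
#######################################
json_field() {
  local filter=$1
  shift
  local value
  value=$("$@" | jq -r "$filter") || return 1
  if [[ -z "$value" || "$value" == null ]]; then
    printf 'json_field: %s not found in output of: %s\n' "$filter" "$*" >&2
    return 1
  fi
  printf '%s\n' "$value"
}

# Enable Okta backend
vault auth-enable okta

# Get the mount accessor of okta
oktaMountAccessor=$(json_field '.["okta/"].accessor' vault auth list -detailed -format json)

# Configure okta mount with policies and users.
# api_token is a secret: suspend tracing so it is not echoed to stderr.
set +x
vault write auth/okta/config org_name=dev-511503-admin api_token="$OKTA_API_TOKEN" base_url=oktapreview.com
set -x
vault write auth/okta/groups/testgroup policies=okta-group-policy
vault write auth/okta/users/vishalnayakv@gmail.com groups=testgroup policies=okta-user-policy

# Create an external group in root namespace
extGroupID=$(json_field '.data.id' vault write -format json identity/group type=external policies=ext-okta-group-policy)

# Attach a group alias to the external group that points to 'testgroup' in okta
vault write identity/group-alias mount_accessor="$oktaMountAccessor" canonical_id="$extGroupID" name=testgroup

# Create a namespace
vault namespace create testns

# Create a resource in the namespace
vault secrets enable -namespace testns -version=2 kv

# Write a secret in it
vault kv put -ns testns kv/foo bar=baz

# Create a policy in testns that grants read access to this secret
vault policy write -ns testns testns-policy - <<'EOF'
path "kv/data/foo" {
  capabilities = ["read"]
}
EOF

# Create an internal group in testns; add the external group from root
# namespace as its member; grant access to the namespace-local resource.
# Captured as JSON like the other ids (the original captured the table output).
nsIntGroupID=$(json_field '.data.id' vault write -ns testns -format json identity/group member_group_ids="$extGroupID" policies=testns-policy)
printf 'internal group in testns: %s\n' "$nsIntGroupID"

# Login and create a token.
# The password is a secret: suspend tracing for this command. It still appears
# in this process's argument list for the duration of the call; omitting
# password= and letting the CLI prompt avoids that where an interactive run is
# acceptable.
set +x
token=$(json_field '.auth.client_token' vault auth -format json -method=okta username=vishalnayakv@gmail.com "password=$OKTA_PASSWORD")
set -x
# Do not export the token into every child's environment (the original's -a did);
# scope it to the two commands that need it.
VAULT_TOKEN="$token" vault token lookup

# Access the namespace resource using the token from the root namespace
VAULT_TOKEN="$token" vault kv get -ns testns kv/foo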