forked from Dmitry1987/vault-chrome-extension
-
Notifications
You must be signed in to change notification settings - Fork 38
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add script to start a dev Vault instance
This should help set up a new env for me and others and maybe even help people understand how this is setup
- Loading branch information
Showing
2 changed files
with
153 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| # Allow tokens to look up their own properties | ||
| path "auth/token/lookup-self" { | ||
| capabilities = ["read"] | ||
| } | ||
|
|
||
| # Allow tokens to renew themselves | ||
| path "auth/token/renew-self" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow tokens to revoke themselves | ||
| path "auth/token/revoke-self" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow a token to look up its own capabilities on a path | ||
| path "sys/capabilities-self" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow a token to look up its own entity by id or name | ||
| path "identity/entity/id/{{identity.entity.id}}" { | ||
| capabilities = ["read"] | ||
| } | ||
| path "identity/entity/name/{{identity.entity.name}}" { | ||
| capabilities = ["read"] | ||
| } | ||
|
|
||
|
|
||
| # Allow a token to look up its resultant ACL from all policies. This is useful | ||
| # for UIs. It is an internal path because the format may change at any time | ||
| # based on how the internal ACL features and capabilities change. | ||
| path "sys/internal/ui/resultant-acl" { | ||
| capabilities = ["read"] | ||
| } | ||
|
|
||
| # Allow a token to renew a lease via lease_id in the request body; old path for | ||
| # old clients, new path for newer | ||
| path "sys/renew" { | ||
| capabilities = ["update"] | ||
| } | ||
| path "sys/leases/renew" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow looking up lease properties. This requires knowing the lease ID ahead | ||
| # of time and does not divulge any sensitive information. | ||
| path "sys/leases/lookup" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow a token to manage its own cubbyhole | ||
| path "cubbyhole/*" { | ||
| capabilities = ["create", "read", "update", "delete", "list"] | ||
| } | ||
|
|
||
| # Allow a token to wrap arbitrary values in a response-wrapping token | ||
| path "sys/wrapping/wrap" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow a token to look up the creation time and TTL of a given | ||
| # response-wrapping token | ||
| path "sys/wrapping/lookup" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow a token to unwrap a response-wrapping token. This is a convenience to | ||
| # avoid client token swapping since this is also part of the response wrapping | ||
| # policy. | ||
| path "sys/wrapping/unwrap" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow general purpose tools | ||
| path "sys/tools/hash" { | ||
| capabilities = ["update"] | ||
| } | ||
| path "sys/tools/hash/*" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow checking the status of a Control Group request if the user has the | ||
| # accessor | ||
| path "sys/control-group/request" { | ||
| capabilities = ["update"] | ||
| } | ||
|
|
||
| # Allow listing orgs in VaultPass | ||
| path "secret/metadata/vaultPass" { | ||
| capabilities = [ | ||
| "list", | ||
| ] | ||
| } | ||
|
|
||
| # Deny any access to vaultPass credentials by default | ||
| path "secret/data/vaultPass/*" { | ||
| capabilities = [ | ||
| "deny", | ||
| ] | ||
| } | ||
|
|
||
| # Allow admin full access to their credentials | ||
| path "secret/data/vaultPass/admin/*" { | ||
| capabilities = [ | ||
| "create", | ||
| "read", | ||
| "update", | ||
| "delete", | ||
| ] | ||
| } | ||
|
|
||
| path "secret/metadata/vaultPass/admin/" { | ||
| capabilities = [ | ||
| "list", | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| #!/bin/sh | ||
|
|
||
| # This starts the dev Vault environment using Docker / Podman | ||
| # This will enable the userpass auth module with the mitchellh user with password foo | ||
|
|
||
| GIT_ROOT=$(git rev-parse --show-toplevel) | ||
|
|
||
| docker run \ | ||
| --cap-add=IPC_LOCK \ | ||
| --env 'VAULT_DEV_ROOT_TOKEN_ID=myroot' \ | ||
| --name=dev-vault \ | ||
| --detach \ | ||
| --publish 8200:8200/tcp \ | ||
| --rm \ | ||
| vault | ||
|
|
||
| VAULT_SETUP=" | ||
| # Login to Vault | ||
| vault login myroot | ||
| # Create example secret for google.com domains | ||
| vault kv put secret/vaultPass/admin/google.com username=testUser password=unsafe | ||
| vault kv put secret/vaultPass/denied/google.com username=testUser password=unsafe | ||
| # Enable userpass auth and create example set | ||
| vault auth enable userpass | ||
| vault write \ | ||
| auth/userpass/users/mitchellh \ | ||
| password=foo \ | ||
| policies=admins | ||
| vault write /sys/policy/default policy=@/dev_default.hcl | ||
| " | ||
|
|
||
| docker cp "$GIT_ROOT/dev_default.hcl" dev-vault:/ | ||
|
|
||
| docker exec -it --env 'VAULT_ADDR=http://127.0.0.1:8200' dev-vault sh -c "$VAULT_SETUP" |