Class: Vault::Provision::Aws::SecretBackend
- Inherits: Prototype (ancestry: Object → Prototype → Vault::Provision::Aws::SecretBackend)
- Defined in:
- lib/vault/provision/aws/secret-backend.rb
Overview
AWS secret backend — that is, IAM credentials as a service. See www.vaultproject.io/docs/secrets/aws/index.html
Constant Summary
- AWS_REGION_DEFAULT =
'us-east-1'.freeze
Instance Attribute Summary
-
#access_key ⇒ Object
Returns the value of attribute access_key.
-
#region ⇒ Object
Returns the value of attribute region.
-
#secret_key ⇒ Object
Returns the value of attribute secret_key.
Instance Method Summary
- #normalize_role(role_file_path) ⇒ Object
- #provision! ⇒ Object
- #provision_config_and_creds! ⇒ Object
- #provision_roles! ⇒ Object
Instance Attribute Details
#access_key ⇒ Object
Returns the value of attribute access_key.
# File 'lib/vault/provision/aws/secret-backend.rb', line 9

# AWS access key ID read from the environment by provision_config_and_creds!
# (AWS_ACCESS_KEY_ID, or "<mount>_AWS_ACCESS_KEY_ID" for mounts not named
# "aws"); nil until that method has run.
#
# @return [String, nil]
def access_key
  @access_key
end
#region ⇒ Object
Returns the value of attribute region.
# File 'lib/vault/provision/aws/secret-backend.rb', line 9

# AWS region set by provision_config_and_creds!: the AWS_REGION (or
# "<mount>_AWS_REGION") environment variable, falling back to
# AWS_REGION_DEFAULT; nil until that method has run.
#
# @return [String, nil]
def region
  @region
end
#secret_key ⇒ Object
Returns the value of attribute secret_key.
# File 'lib/vault/provision/aws/secret-backend.rb', line 9

# AWS secret access key read from the environment by
# provision_config_and_creds! (AWS_SECRET_ACCESS_KEY, or
# "<mount>_AWS_SECRET_ACCESS_KEY"). This reader returns the secret in clear
# text, so callers should avoid logging or inspecting the object.
#
# @return [String, nil]
def secret_key
  @secret_key
end
Instance Method Details
#normalize_role(role_file_path) ⇒ Object
# File 'lib/vault/provision/aws/secret-backend.rb', line 46

# Turn a role file on disk into the request body for the mount's roles path.
#
# Two on-disk shapes are accepted: a document that already has an "arn" or
# "policy" key is returned verbatim, and a bare IAM policy document (one with
# "Version" and "Statement") is wrapped as {"policy": "<original json>"},
# presumably Vault's inline-policy form. Any other document yields nil so the
# caller can skip it. Only key presence is checked, not key values.
#
# @param role_file_path [String] path to a .json role or policy file
# @return [String, nil] JSON request body, or nil when the file matches neither shape
# @raise [JSON::ParserError] when the file is not valid JSON
def normalize_role role_file_path
  raw = File.read(role_file_path)
  # NOTE(review): assumes the file holds a JSON object; a top-level array
  # raises TypeError on the key lookups below — confirm validate_file! covers it.
  parsed = JSON.parse(raw)
  vault_role = parsed['arn'] || parsed['policy']
  iam_policy = parsed['Version'] && parsed['Statement']
  return raw if vault_role
  return JSON.dump(policy: raw) if iam_policy

  nil
end
#provision! ⇒ Object
# File 'lib/vault/provision/aws/secret-backend.rb', line 11

# Provision the AWS backend end to end: root credentials and lease config for
# each aws mount first (provision_config_and_creds!), then the role
# definitions (provision_roles!), in that order.
#
# @return [Object] whatever provision_roles! returns
def provision!
  steps = [method(:provision_config_and_creds!), method(:provision_roles!)]
  steps.map(&:call).last
end
#provision_config_and_creds! ⇒ Object
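# File 'lib/vault/provision/aws/secret-backend.rb', line 16

# Push root AWS credentials (and, when present on disk, a lease config) to
# every mounted aws secret backend.
#
# Credentials come from the environment: the mount named exactly "aws" reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_REGION, every other mount
# reads "<mount>_AWS_ACCESS_KEY_ID" and friends. The values are kept on
# @access_key / @secret_key / @region (exposed by the public attribute
# readers, so the secret stays in memory in clear text for the object's
# lifetime) and posted as JSON to v1/<mount>/config/root. The console line
# mentions the secret but does not print it.
#
# Does nothing unless @aws_update_creds is set, so an ordinary run does not
# overwrite the mount's root credentials.
#
# @return [nil, Array] nil when skipped, otherwise the mount list from #each
# @raise [NoCredsError] when either credential variable is unset or empty
def provision_config_and_creds!
  return unless @aws_update_creds

  mounts_by_type('aws').each do |mp|
    # NOTE(review): a mount name containing characters that are not legal in
    # shell variable names (e.g. '-') yields an env var name plain sh cannot
    # export; such mounts can only be fed from a non-shell launcher.
    mp_prefix = mp.to_s == 'aws' ? '' : "#{mp}_"
    @access_key = ENV["#{mp_prefix}AWS_ACCESS_KEY_ID"]
    @secret_key = ENV["#{mp_prefix}AWS_SECRET_ACCESS_KEY"]
    @region = ENV["#{mp_prefix}AWS_REGION"] || AWS_REGION_DEFAULT
    # An exported-but-empty variable is as unusable as a missing one; fail
    # here rather than configuring the mount with blank credentials.
    if @access_key.to_s.empty? || @secret_key.to_s.empty?
      raise NoCredsError, "set environment variables #{mp_prefix}AWS_ACCESS_KEY_ID and #{mp_prefix}AWS_SECRET_ACCESS_KEY"
    end

    aws_config = JSON.dump(access_key: @access_key, secret_key: @secret_key, region: @region)
    puts " * AWS secret mount point #{mp} config (INCLUDING SECRET)"
    @vault.post "v1/#{mp}/config/root", aws_config

    # Lease settings are optional: only posted when the instance dir has them.
    lease_config = "#{@instance_dir}/#{mp}/config/lease.json"
    next unless FileTest.readable? lease_config

    validate_file! lease_config
    puts " * #{mp}/config/lease"
    @vault.post "v1/#{mp}/config/lease", File.read(lease_config)
  end
end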
#provision_roles! ⇒ Object
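# File 'lib/vault/provision/aws/secret-backend.rb', line 57

# Post every role definition found under <instance_dir>/<mount>/roles to the
# matching aws mount. Each *.json file is validated, normalised with
# #normalize_role and sent to v1/<path relative to @instance_dir, minus
# ".json">, i.e. v1/<mount>/roles/<name>; a file in a nested directory puts
# that directory into the role name. Files #normalize_role does not recognise
# are skipped silently.
#
# @return [Array] the mount list from #each
# @raise whatever validate_file! raises for a malformed role file
def provision_roles!
  mounts_by_type('aws').each do |mp|
    roles_dir = "#{@instance_dir}/#{mp}/roles"
    # Find.find raises Errno::ENOENT for a missing path, so a mount directory
    # that only holds config/ (no roles/) must be skipped explicitly.
    next unless Dir.exist? roles_dir

    puts " * AWS secret mount point #{mp} roles"
    # @instance_dir is a filesystem path, not a pattern: escape it so '.',
    # '+', '(' and similar in the path are matched literally and cannot
    # change which prefix is stripped from the request path.
    instance_prefix = %r{\A#{Regexp.escape(@instance_dir)}/}
    Find.find(roles_dir).each do |rf|
      next unless rf.end_with? '.json'

      validate_file! rf
      role_definition = normalize_role rf
      next if role_definition.nil?

      # NOTE(review): role_path is interpolated into the request path as-is;
      # whether @vault.post escapes it is not visible here.
      role_path = rf.sub(instance_prefix, '').sub(/\.json\z/, '')
      puts " * #{role_path}"
      @vault.post "v1/#{role_path}", role_definition
    end
  end
end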