HashiCorp Vault roles code example

Example 1: AppRole auth method in HashiCorp Vault

#Enable the AppRole auth method once; it is mounted at auth/approle, which is the path every command below uses
#(the original note enabled it at sys/auth/jenkins, i.e. a second mount at auth/jenkins that nothing else referenced)
vault auth enable approle

#Create an AppRole, e.g. jenkins, in Vault bound to the policy "jenkins-policy"
#The policy must already exist (vault policy write jenkins-policy <file>) or the role's tokens get no rights beyond "default"
vault write auth/approle/role/jenkins token_policies="jenkins-policy"
#A second role with bounded token lifetimes: tokens live 1h and can be renewed up to 4h in total
vault write auth/approle/role/mysql token_policies="approle-policy" token_ttl=1h token_max_ttl=4h
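The roles above reference "jenkins-policy" but the page never shows it. Below is an added example of that policy (not taken from the page or from HashiCorp) scoped to the single path read later with vault kv get secret/mysql/webapp. It assumes the KV secrets engine is version 2 mounted at secret/, so the path Vault checks the policy against contains data/; the overly broad wildcard rule is left commented out as the pattern to avoid.

```hcl
# jenkins-policy.hcl (added example; assumes KV v2 mounted at secret/)

# Too broad: grants every secret under the mount plus listing. Avoid.
# path "secret/data/*" {
#   capabilities = ["read", "list"]
# }

# Least privilege: exactly the one key the jenkins job reads.
# For KV v2 the policy path is secret/data/<key>, even though the CLI
# command is `vault kv get secret/<key>` (the CLI inserts data/ for you).
path "secret/data/mysql/webapp" {
  capabilities = ["read"]
}

# Only if the job must also see the key's version metadata.
# path "secret/metadata/mysql/webapp" {
#   capabilities = ["read"]
# }
```

Load it before creating the role with `vault policy write jenkins-policy jenkins-policy.hcl`. On a KV version 1 mount the path would be `secret/mysql/webapp` with no data/ segment.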

#Read back the role configuration to confirm policies and TTLs
vault read auth/approle/role/jenkins
vault read auth/approle/role/mysql

#Fetch the role ID (fixed per role, not secret) and generate a secret ID (a credential, treat it like a password)
vault read auth/approle/role/jenkins/role-id
vault write -f auth/approle/role/jenkins/secret-id

#Verify by logging in with the role; the response contains the client token and its policies
vault write auth/approle/login role_id="<PUT ROLE ID GENERATED FROM ABOVE COMMAND>" \
        secret_id="<PUT SECRET ID>"

#Protect the secret ID (it is the password) with response wrapping: the caller receives only a single-use
#wrapping token valid for 60s, and the application unwraps it to obtain the secret ID. If the unwrap fails,
#the token was already used or expired, which may mean it was intercepted in transit.

vault write -wrap-ttl=60s -f auth/approle/role/jenkins/secret-id

#Limit how many times a secret ID can be used; once the limit is reached it is invalid and a new one must be generated
#The limit applies to secret IDs issued after this change, not to ones already handed out

vault write auth/approle/role/jenkins token_policies="jenkins-policy" \
        token_ttl=1h token_max_ttl=4h \
        secret_id_num_uses=10


#Read a secret with the client token returned by the AppRole login above
#This only succeeds if jenkins-policy grants read on that path (for KV v2: secret/data/mysql/webapp)

VAULT_TOKEN=<TOKEN_OUTPUT_FROM_ABOVE_COMMAND> vault kv get secret/mysql/webapp

Example 2: Token capabilities in Vault

#Check which capabilities a token's policies grant on a path before using it
#For KV v2 secrets give the API path, e.g. secret/data/mysql/webapp, not the CLI path secret/mysql/webapp
vault token capabilities <TOKEN> <PATH>
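The commands in Example 1 and Example 2 as one scripted flow, split at the trust boundary between the operator (who creates the role and issues a wrapped secret ID) and the application (which unwraps it, logs in, checks its capabilities and reads the secret). This is an added example, not from the page or from HashiCorp. It uses only the vault CLI with -field= to extract values, so no jq is needed. Assumptions: AppRole is enabled at auth/approle, jenkins-policy exists, VAULT_ADDR and an operator VAULT_TOKEN are set in the environment, the KV mount is version 2 at secret/ and the key stored at mysql/webapp has a field named password.

```shell
#!/usr/bin/env sh
# Added example: end-to-end AppRole flow for the "jenkins" role (assumptions in the lead-in).
set -eu

ROLE="${ROLE:-jenkins}"
POLICY="${POLICY:-jenkins-policy}"
SECRET_KV_PATH="${SECRET_KV_PATH:-secret/mysql/webapp}"        # what `vault kv get` takes
SECRET_API_PATH="${SECRET_API_PATH:-secret/data/mysql/webapp}"  # what policies/capabilities see (KV v2)
SECRET_FIELD="${SECRET_FIELD:-password}"                        # assumed field name in the key

# Operator: create the role with bounded token and secret-ID lifetimes.
approle_create_role() {
  vault write "auth/approle/role/$1" \
    token_policies="$2" \
    token_ttl=1h token_max_ttl=4h \
    secret_id_ttl=10m secret_id_num_uses=10 >/dev/null
}

# Operator: the role ID is not secret; it is baked into the deployment.
approle_role_id() {
  vault read -field=role_id "auth/approle/role/$1/role-id"
}

# Operator: never handle the secret ID in plaintext; request a 60s single-use wrapping token.
approle_wrapped_secret_id() {
  vault write -field=wrapping_token -wrap-ttl=60s -f "auth/approle/role/$1/secret-id"
}

# Application: unwrap exactly once. A failure here means the token was used or expired,
# so the secret ID may have been intercepted: request a fresh one, do not retry blindly.
approle_unwrap_secret_id() {
  vault unwrap -field=secret_id "$1"
}

# Application: exchange role ID + secret ID for a client token; only the token is printed.
approle_login() {
  vault write -field=token auth/approle/login role_id="$1" secret_id="$2"
}

# Application: read the secret with the AppRole token, never with the operator token.
approle_read_secret() {
  VAULT_TOKEN="$1" vault kv get -field="$3" "$2"
}

main() {
  approle_create_role "$ROLE" "$POLICY"
  role_id=$(approle_role_id "$ROLE")
  wrap_token=$(approle_wrapped_secret_id "$ROLE")
  # ---- trust boundary: only role_id and wrap_token cross to the application ----
  secret_id=$(approle_unwrap_secret_id "$wrap_token")
  app_token=$(approle_login "$role_id" "$secret_id")
  # Example 2: confirm the token has read (and nothing more) on the API path before using it.
  echo "capabilities on $SECRET_API_PATH: $(vault token capabilities "$app_token" "$SECRET_API_PATH")"
  approle_read_secret "$app_token" "$SECRET_KV_PATH" "$SECRET_FIELD"
}

# Run the flow only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh approle-flow.sh --run` against a dev server. The operator half should run from CI or a provisioning host and the application half from the workload; the only thing that should travel between them is the wrapping token, which is why the wrapping TTL is kept short.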