VaultTools.psm1
function Save-VaultToken { <# .SYNOPSIS Command to save a token representation of a approle secret ID to local encrypted file .DESCRIPTION This function retrieves a token representation of the secret ID of a vault rolename The function then outputs the token into an encrypted file. The file can only be opened on the computer and user account where it was created. .EXAMPLE Save-VaultToken -LdapCredential (Get-Credential) -Vault_Address 'https://vault' -Vault_Rolename 'some_role' -OutputPath 'c:\some_role_token.dat' #> [CmdletBinding()] Param( [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential]$LdapCredential, [Parameter(Mandatory=$true)] [ValidateScript({$_ -match '^https'})] [ValidateScript({$_ -notmatch '/$' -and $_ -notmatch '/v1$'})] [string]$Vault_Address, [Parameter(Mandatory=$true)] [string]$Vault_Rolename, [Parameter(Mandatory=$true)] [string]$OutputPath ) #Stop when an error comes up $ErrorActionPreference='Stop' #Addresses $VAULT_ROOT = $Vault_Address + '/v1' $VAULT_LOGIN_LDAP = $VAULT_ROOT+'/auth/ldap/login' $VAULT_LOGIN_APPROLE = $VAULT_ROOT+'/auth/approle/login' $VAULT_AUTH_APPROLE = $VAULT_ROOT+'/auth/approle/role' $VAULT_ROLEID = "$VAULT_AUTH_APPROLE/$Vault_RoleName/role-id" $VAULT_SECRETID = "$VAULT_AUTH_APPROLE/$Vault_RoleName/secret-id" #Get token equivalent of $LdapCredential $Username = $LdapCredential.GetNetworkCredential().UserName $PlainPassword = $LdapCredential.GetNetworkCredential().Password $JsonBody = @{password = $PlainPassword} | ConvertTo-Json Write-Verbose "Authenticating $Username to $Vault_Address" $UserToken = (Invoke-RestMethod -Method 'Post' -Uri "$VAULT_LOGIN_LDAP/$Username" -Body $JsonBody).auth.client_token #Get Role ID of $Vault_RoleName $RoleID = (Invoke-RestMethod -Headers @{"X-Vault-Token"="$UserToken"} -Uri $VAULT_ROLEID).data.role_id #Get Secret ID of $Vault_RoleName $SecretID = (Invoke-RestMethod -Method 'Post' -Headers @{"X-Vault-Token"="$UserToken"} -Uri $VAULT_SECRETID).data.secret_id #Send the role ID and the secret ID and receive a new token for the secret ID of $Vault_RoleName $JsonBody = @{role_id=$RoleID;secret_id=$SecretID} | ConvertTo-Json $OutputToken = (Invoke-RestMethod -Method 'Post' -Uri "$VAULT_LOGIN_APPROLE" -Body $JsonBody).auth.client_token #Output the token $SecureStringOutputToken = ConvertTo-SecureString -String $OutputToken -AsPlainText -Force [System.Management.Automation.PSCredential]::New('na',$SecureStringOutputToken) | Export-Clixml -Path $OutputPath Write-Verbose "Token saved to $OutputPath" } |