VaultTools

1.3

VaultTools.psm1

                                function Save-VaultToken {

<#

.SYNOPSIS

Command to save a token representation of a approle secret ID to local encrypted file

.DESCRIPTION

This function retrieves a token representation of the secret ID of a vault rolename

The function then outputs the token into an encrypted file.

The file can only be opened on the computer and user account where it was created.

.EXAMPLE

Save-VaultToken -LdapCredential (Get-Credential) -Vault_Address 'https://vault' -Vault_Rolename 'some_role' -OutputPath 'c:\some_role_token.dat'

#>

    [CmdletBinding()]

    Param(

        [Parameter(Mandatory=$true)]

        [System.Management.Automation.PSCredential]$LdapCredential,

        [Parameter(Mandatory=$true)]

        [ValidateScript({$_ -match '^https'})]

        [ValidateScript({$_ -notmatch '/$' -and $_ -notmatch '/v1$'})]

        [string]$Vault_Address,

        [Parameter(Mandatory=$true)]

        [string]$Vault_Rolename,

        [Parameter(Mandatory=$true)]

        [string]$OutputPath

    )

    #Stop when an error comes up

    $ErrorActionPreference='Stop'

    #Addresses

    $VAULT_ROOT          = $Vault_Address + '/v1'

    $VAULT_LOGIN_LDAP    = $VAULT_ROOT+'/auth/ldap/login'

    $VAULT_LOGIN_APPROLE = $VAULT_ROOT+'/auth/approle/login'

    $VAULT_AUTH_APPROLE  = $VAULT_ROOT+'/auth/approle/role'

    $VAULT_ROLEID        = "$VAULT_AUTH_APPROLE/$Vault_RoleName/role-id"

    $VAULT_SECRETID      = "$VAULT_AUTH_APPROLE/$Vault_RoleName/secret-id"

    #Get token equivalent of $LdapCredential

    $Username = $LdapCredential.GetNetworkCredential().UserName

    $PlainPassword = $LdapCredential.GetNetworkCredential().Password

    $JsonBody = @{password = $PlainPassword} | ConvertTo-Json

    Write-Verbose "Authenticating $Username to $Vault_Address"

    $UserToken = (Invoke-RestMethod -Method 'Post' -Uri "$VAULT_LOGIN_LDAP/$Username" -Body $JsonBody).auth.client_token

    #Get Role ID of $Vault_RoleName

    $RoleID = (Invoke-RestMethod -Headers @{"X-Vault-Token"="$UserToken"} -Uri $VAULT_ROLEID).data.role_id

    #Get Secret ID of $Vault_RoleName

    $SecretID = (Invoke-RestMethod -Method 'Post' -Headers @{"X-Vault-Token"="$UserToken"} -Uri $VAULT_SECRETID).data.secret_id

    #Send the role ID and the secret ID and receive a new token for the secret ID of $Vault_RoleName

    $JsonBody = @{role_id=$RoleID;secret_id=$SecretID} | ConvertTo-Json

    $OutputToken = (Invoke-RestMethod -Method 'Post' -Uri "$VAULT_LOGIN_APPROLE" -Body $JsonBody).auth.client_token

    #Output the token

    $SecureStringOutputToken = ConvertTo-SecureString -String $OutputToken -AsPlainText -Force

    [System.Management.Automation.PSCredential]::New('na',$SecureStringOutputToken) | Export-Clixml -Path $OutputPath

    Write-Verbose "Token saved to $OutputPath"

}