VaultTools.psm1
|
function New-VaultToken { <# .SYNOPSIS Command to get a new token that represents a approle secret ID .EXAMPLE New-VaultToken -LdapCredential (Get-Credential) -Vault_Address 'https://vault' -Vault_Rolename 'some_role' #> [CmdletBinding()] Param( [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential]$LdapCredential, [Parameter(Mandatory=$true)] [ValidateScript({$_ -match '^https'})] [ValidateScript({$_ -notmatch '/$' -and $_ -notmatch '/v1$'})] [string]$Vault_Address, [Parameter(Mandatory=$true)] [string]$Vault_Rolename ) #Stop when an error comes up $ErrorActionPreference='Stop' #Addresses $VAULT_ROOT = $Vault_Address + '/v1' $VAULT_LOGIN_LDAP = $VAULT_ROOT+'/auth/ldap/login' $VAULT_LOGIN_APPROLE = $VAULT_ROOT+'/auth/approle/login' $VAULT_AUTH_APPROLE = $VAULT_ROOT+'/auth/approle/role' $VAULT_ROLEID = "$VAULT_AUTH_APPROLE/$Vault_RoleName/role-id" $VAULT_SECRETID = "$VAULT_AUTH_APPROLE/$Vault_RoleName/secret-id" #Get token equivalent of $LdapCredential $Username = $LdapCredential.GetNetworkCredential().UserName $PlainPassword = $LdapCredential.GetNetworkCredential().Password $JsonBody = @{password = $PlainPassword} | ConvertTo-Json Write-Verbose "Authenticating $Username to $Vault_Address" $UserToken = (Invoke-RestMethod -Method 'Post' -Uri "$VAULT_LOGIN_LDAP/$Username" -Body $JsonBody).auth.client_token #Get Role ID of $Vault_RoleName $RoleID = (Invoke-RestMethod -Headers @{"X-Vault-Token"="$UserToken"} -Uri $VAULT_ROLEID).data.role_id #Get Secret ID of $Vault_RoleName $SecretID = (Invoke-RestMethod -Method 'Post' -Headers @{"X-Vault-Token"="$UserToken"} -Uri $VAULT_SECRETID).data.secret_id #Send the role ID and the secret ID and receive a new token for the secret ID of $Vault_RoleName $JsonBody = @{role_id=$RoleID;secret_id=$SecretID} | ConvertTo-Json [ValidateNotNullOrEmpty()]$Output = (Invoke-RestMethod -Method 'Post' -Uri "$VAULT_LOGIN_APPROLE" -Body $JsonBody).auth.client_token #Output $Output } function Save-VaultToken { <# .SYNOPSIS Command to save a token representation of a approle secret ID to local encrypted file .DESCRIPTION This function retrieves a token representation of the secret ID for a vault rolename The function then outputs the token into an encrypted file. The file can only be opened on the computer and user account where it was created. .EXAMPLE Save-VaultToken -LdapCredential (Get-Credential) -Vault_Address 'https://vault' -Vault_Rolename 'some_role' -OutputPath 'c:\some_role_token.dat' #> [CmdletBinding()] Param( [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential]$LdapCredential, [Parameter(Mandatory=$true)] [ValidateScript({$_ -match '^https'})] [ValidateScript({$_ -notmatch '/$' -and $_ -notmatch '/v1$'})] [string]$Vault_Address, [Parameter(Mandatory=$true)] [string]$Vault_Rolename, [Parameter(Mandatory=$true)] [string]$OutputPath ) $ErrorActionPreference='Stop' $Verbose = $VerbosePreference -ne 'SilentlyContinue' #Get Token $OutputToken = New-VaultToken -LdapCredential $LdapCredential -Vault_Address $Vault_Address -Vault_Rolename $Vault_Rolename -Verbose:$Verbose #Output the token as encrypted file $SecureStringOutputToken = ConvertTo-SecureString -String $OutputToken -AsPlainText -Force [System.Management.Automation.PSCredential]::New('na',$SecureStringOutputToken) | Export-Clixml -Path $OutputPath Write-Verbose "Token saved to $OutputPath" } |