diff --git a/docs/Identity.md b/docs/Identity.md index 1b9ec69..7162470 100644 --- a/docs/Identity.md +++ b/docs/Identity.md @@ -55,14 +55,20 @@ You can also set VAULT_TOKEN with the following command: export VAULT_TOKEN=$(vault login -token-only -method=userpass username="your-username") ``` -> **Note:** The `-token-only` is an equivalent of `-field=token -no-store` options. - -You can also use the following command to set VAULT_TOKEN and TOKEN_ACCESSOR: +or a function like this: ```bash -export TOKEN_ACCESSOR=$(vault token lookup -format=json | jq -r .data.accessor) +function v_login() { + local VAULT_USERNAME=${1:-"your-username"} + vault login -format=json -method=userpass username="$VAULT_USERNAME" | + jq -r '.auth | [.client_token, .accessor] | @tsv' | read -r VAULT_TOKEN TOKEN_ACCESSOR + echo "Logged in as $VAULT_USERNAME (Token accessor: $TOKEN_ACCESSOR)" + export VAULT_TOKEN TOKEN_ACCESSOR +} ``` +> **Note:** The `-token-only` is an equivalent of `-field=token -no-store` options. + You can then use the `TOKEN_ACCESSOR` to look up token details without exposing the actual token. ```bash @@ -96,3 +102,6 @@ Read user details: ```bash vault read auth/userpass/users/username ``` + +## Entities and Groups + diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..04d2616 --- /dev/null +++ b/docs/README.md @@ -0,0 +1,25 @@ +# General Vault Links and Commands + +## Useful commands + +Display the `curl` equivalent of a Vault CLI command: + +```bash +vault -output-curl-string +``` + +The following are equivalent: + +```bash +curl -s -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" "https://vault.koszewscy.waw.pl/v1/auth/userpass/users?list=true" +``` + +and + +```bash +curl -s -X LIST -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" https://vault.koszewscy.waw.pl/v1/auth/userpass/users +``` + +because the Vault uses non-standard HTTP method `LIST` for listing resources. + +--- \ No newline at end of file 
diff --git a/policies/README.md b/policies/README.md index a987cbc..8b7245d 100644 --- a/policies/README.md +++ b/policies/README.md @@ -1,5 +1,16 @@ # HashiCorp Vault Policies +## Defualt Policy + +The **default** policy is created automatically when Vault is initialized, but can be modified as needed. It provides basic access to Vault features for authenticated users. + +To restore the default policy to the newest default version, launch a development Vault server and copy the default policy from there: + +```bash +vault policy read default > default_policy.hcl +vault policy write default default_policy.hcl +``` + ## Policy Commands ```bash @@ -11,6 +22,12 @@ vault policy delete Format a policy file using `vault policy fmt `. +Display required capabilities for a given path with: + +```bash +vault -output-policy +``` + ## Auditing To enable auditing, use the following command: @@ -46,3 +63,7 @@ To disable auditing, use: ```bash vault audit disable file ``` + +## References + +- [RSoP Tool](https://github.com/threatkey-oss/hvresult) - **hvresult** computes the Resultant Set of Policy (RSoP) for Hashicorp Vault ACLs.
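Review bot: in docs/Identity.md hunk `@@ -55,14 +55,20 @@`, the `v_login` function never sets the variables it exports: `read -r VAULT_TOKEN TOKEN_ACCESSOR` is the last stage of a pipeline, which bash runs in a subshell, so the assignments vanish when that subshell exits and the function goes on to `echo` and `export` empty values (it only happens to work in zsh, which runs the last stage in the current shell). Feed `read` from process substitution instead: `read -r VAULT_TOKEN TOKEN_ACCESSOR < <(vault login -format=json -method=userpass username="$VAULT_USERNAME" | jq -r '.auth | [.client_token, .accessor] | @tsv')`, and return non-zero when `VAULT_TOKEN` comes back empty so a failed login does not silently export an unset token. The function also omits `-no-store`, so unlike the `-token-only` command above it, it still writes the token to `~/.vault-token`; add `-no-store` if caching the token on disk is not intended. Finally, the moved `-token-only` note now sits under a block that does not use that flag; keep it directly beneath the `export VAULT_TOKEN=$(vault login -token-only ...)` command it explains.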
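Review bot: in docs/Identity.md hunk `@@ -96,3 +102,6 @@`, the new `## Entities and Groups` heading has no body, leaving an empty section at the end of the page; either add the content it is meant to hold or drop the heading from this change until that content exists.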
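Review bot: in the new docs/README.md, `vault -output-curl-string` is shown with no subcommand, but the flag only does something when attached to a command, so the snippet does not run as written; show the concrete call that produces the `curl` below it, `vault list -output-curl-string auth/userpass/users` (if a `<command>` placeholder was intended, it has been lost and must survive rendering). The two `curl` examples hardcode `https://vault.koszewscy.waw.pl`; use `$VAULT_ADDR` instead, which keeps the docs portable and avoids publishing the server's address in a README. Also, "because the Vault uses non-standard HTTP method `LIST`" should read "because Vault uses the non-standard HTTP method `LIST`", and the file ends with a stray `---` rule and no trailing newline.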
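Review bot: in policies/README.md hunk `@@ -1,5 +1,16 @@`, the restore snippet reads and writes `default` against the same server, so as written it just rewrites the policy with its own current contents; the text says to copy it from a dev server, so the read has to target that server and the write the real one, e.g. `VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=<dev-root-token> vault policy read default > default_policy.hcl` followed by `vault policy write default default_policy.hcl` with `VAULT_ADDR` pointing at production. It is worth adding that the dev server's `default` policy is whatever its binary version ships, and that `default` is attached to every token, so the change should be inspected first (`diff <(vault policy read default) default_policy.hcl`) before writing it. The heading `## Defualt Policy` is misspelled and should be `## Default Policy`.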
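Review bot: in policies/README.md hunk `@@ -11,6 +22,12 @@`, `vault -output-policy` has no subcommand; the flag prints the capabilities needed for the command it is attached to, so it needs one, e.g. `vault read -output-policy auth/userpass/users/username` (the same placeholder problem affects `vault policy fmt ` in the surrounding context, where the file argument is missing).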
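Review bot: in policies/README.md hunk `@@ -46,3 +63,7 @@`, the new reference entry writes "Hashicorp Vault" while the file's title uses "HashiCorp"; keep the product name consistent as `HashiCorp`.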