vssh

This is a quick code example that uses a vault-plugin-auth-ssh setup with SSH certificates to obtain a Vault token. (You need something like this because the plugin can't be integrated directly into vault itself; that would require modifying the Vault source.)

Requirements:

  • an ssh-agent that contains your SSH certificate.
  • the VSSH_ROLE environment variable, containing the name of the role you are going to use (auth/ssh/role/yourrole).
  • the VSSH_PRINCIPAL environment variable, containing the principal that is needed to authenticate against the role in VSSH_ROLE.
    • vssh checks every key in your ssh-agent to see if it matches a valid certificate containing this principal.
  • the normal Vault settings, such as VAULT_ADDR with the URL of your Vault server.

Then just run ./vssh; it prints a Vault token that carries the policies you set on the role in auth/ssh/role/yourrole.

Example

First, add your SSH CA public key (see https://github.com/42wim/vault-plugin-auth-ssh#global-configuration):

$ vault write auth/ssh/config ssh_ca_public_keys=@sshca

Create a role yourrole that requires the principal ubuntu in the certificate and attaches the policy apolicy to the issued token:

$ vault write auth/ssh/role/yourrole token_policies="apolicy" principals="ubuntu"

Now run vssh:

$ VSSH_ROLE="yourrole" VSSH_PRINCIPAL="ubuntu" vssh
s.r4dGTu4tMvacKTEAXlKlRGtK
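A pre-flight check for the certificate selection described above, added here as an example and not part of the vssh project: it walks the keys in the running ssh-agent, parses the principals of every OpenSSH certificate with ssh-keygen -L, and reports which certificates carry the principal in VSSH_PRINCIPAL, so a "no matching certificate" failure can be diagnosed before Vault is involved. It assumes ssh-add and ssh-keygen are on PATH and that ssh-keygen -L prints a "Principals:" block terminated by the next "Header:" line.

```sh
#!/bin/sh
# Added example (not vssh's own code): check the ssh-agent for a certificate
# that contains the principal vssh will look for.

# Print the principals of one certificate, one per line, given `ssh-keygen -L`
# output on stdin. The block starts at "Principals:" and ends at the next
# "Something:" header line (e.g. "Critical Options:").
cert_principals() {
    awk '
        /^[[:space:]]*Principals:/ { inblock = 1; next }
        inblock && /^[[:space:]]*[A-Za-z ]+:/ { inblock = 0 }
        inblock { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, ""); if ($0 != "") print }
    '
}

# Exit 0 if the `ssh-keygen -L` output on stdin lists principal $1 exactly
# (whole line, literal match), 1 otherwise.
cert_has_principal() {
    cert_principals | grep -qxF -- "$1"
}

# Walk the agent: print the comment of every certificate whose principals
# include $1. Plain keys without a certificate are skipped, because vssh only
# authenticates with certificates. Exit 0 if at least one certificate matched,
# 1 if none did, 2 if the agent could not be queried.
check_agent_for_principal() {
    principal="$1"
    tmpdir=$(mktemp -d) || return 2
    ssh-add -L > "$tmpdir/keys" 2>/dev/null || { rm -rf "$tmpdir"; return 2; }
    n=0
    # Read from a file rather than a pipe so $n survives the loop in POSIX sh.
    while read -r ktype kblob comment; do
        case "$ktype" in *-cert-v01@openssh.com) ;; *) continue ;; esac
        printf '%s %s %s\n' "$ktype" "$kblob" "$comment" > "$tmpdir/cert.pub"
        if ssh-keygen -L -f "$tmpdir/cert.pub" | cert_has_principal "$principal"; then
            echo "match: ${comment:-<no comment>}"
            n=$((n + 1))
        fi
    done < "$tmpdir/keys"
    rm -rf "$tmpdir"
    [ "$n" -gt 0 ]
}

# Run the check when VSSH_PRINCIPAL is set, mirroring how vssh is invoked.
if [ -n "${VSSH_PRINCIPAL:-}" ]; then
    check_agent_for_principal "$VSSH_PRINCIPAL"
fi
```

Run it as `VSSH_PRINCIPAL="ubuntu" sh check-agent.sh` (hypothetical file name); a non-zero exit means no certificate in the agent carries that principal, which is the case vssh cannot authenticate from.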