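#!/bin/bash
#
# Concourse resource "in" script for HashiCorp Vault.
#
# Reads the resource request (JSON) from stdin, logs in to Vault with the
# configured auth method, writes every secret listed in params.paths to
# "$1/<path>.json", optionally copies the Vault token to "$1/token", and
# emits the version JSON on fd 3 (the original stdout). Everything else is
# logged to stderr so the resource protocol stream stays clean.
#
# Arguments: $1 - destination directory provided by Concourse
# Inputs:    stdin - request payload ({source: {...}, params: {...}})
# Outputs:   fd 3 - {"version": {"date": "<epoch seconds>"}}
# Requires:  common.sh next to this script (login_approle, login_aws_ec2,
#            get_secret) and jq.
set -eo pipefail
exec 3>&1 # make stdout available as fd 3 for the result
exec 1>&2 # redirect all output to stderr for logging

# shellcheck source=common.sh
source "$(dirname "$0")/common.sh"

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

destination=${1:?destination directory argument is required}

# The payload carries the whole request, including secret_id, so it must not
# outlive the script: remove it on every exit path. TMPDIR is not guaranteed
# to be set, hence the /tmp fallback.
payload=$(mktemp "${TMPDIR:-/tmp}/vault-resource-request.XXXXXX") || die "mktemp failed"
cleanup() { rm -f -- "$payload"; }
trap cleanup EXIT
cat > "$payload"

url=$(jq -r '.source.url // "https://vault.service.consul:8200"' < "$payload")
skip_verify=$(jq -r '.source.tls_skip_verify // ""' < "$payload")
expose_token=$(jq -r '.source.expose_token // ""' < "$payload")
auth_method=$(jq -r '.source.auth_method // "aws_ec2"' < "$payload")

# One secret path per line. Read them with mapfile so a path containing
# whitespace stays a single element (the former `paths=($(...))` split it).
paths_raw=$(jq -r '.params.paths // [] | .[]' < "$payload")
paths=()
if [[ -n "$paths_raw" ]]; then
  mapfile -t paths <<<"$paths_raw"
fi

# Used for AWS EC2 authentication
role=$(jq -r '.source.role // "concourse"' < "$payload")
nonce=$(jq -r '.source.nonce // "vault-concourse-nonce"' < "$payload")

# Used for AppRole authentication
role_id=$(jq -r '.source.role_id // ""' < "$payload")
secret_id=$(jq -r '.source.secret_id // ""' < "$payload")

# Each path is later used as a filesystem path under $destination; refuse
# absolute paths and ".." components so a secret can never be written
# outside the destination directory.
for path in "${paths[@]}"; do
  case "$path" in
    '' | /* | .. | ../* | */.. | */../*) die "invalid secret path: '${path}'" ;;
  esac
done

printf 'INFO: Reading secrets from: %s\n' "${paths[*]}"

export VAULT_ADDR=${url}
if [[ -n "${skip_verify}" ]]; then
  printf 'WARN: Disabling TLS verification for Vault\n'
  export VAULT_SKIP_VERIFY=1
fi

if [[ "${auth_method}" == "AppRole" ]]; then
  # NOTE(review): secret_id is passed on argv to login_approle (common.sh)
  # and is therefore visible in process listings for the duration of the
  # login; confirm whether common.sh can accept it via environment or stdin.
  login_approle "${role_id}" "${secret_id}"
else
  login_aws_ec2 "${role}" "${nonce}"
fi

for path in "${paths[@]}"; do
  mkdir -p -- "${destination}/$(dirname -- "${path}")"
  get_secret "${path}" > "${destination}/${path}.json"
done

if [[ -n "${expose_token}" ]]; then
  cp -- ~/.vault-token "${destination}/token"
fi

# Version goes to fd 3 (the real stdout). --arg produces the same
# {"version": {"date": "<string>"}} object the string-built template did,
# without interpolating shell data into a jq program.
jq -n --arg date "$(date +%s)" '{version: {date: $date}}' >&3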