package command
import (
"fmt"
"strings"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/helper/flag-kv"
"github.com/hashicorp/vault/helper/flag-slice"
)
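// TokenCreateCommand is a Command that creates a new auth token (the
// "vault token-create" CLI verb). It embeds Meta for the shared flag-set
// and client plumbing; the previous comment ("mounts a new mount") was a
// copy-paste from the mount command and did not describe this type.
type TokenCreateCommand struct {
	Meta
}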
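// Run parses the token-create flags, asks the Vault server to create a
// child token, and prints the resulting secret in the requested format.
//
// Exit codes: 0 on success, 1 for bad usage (a flag-parse failure or any
// positional argument), 2 when the API client cannot be built or the
// server rejects the create request.
func (c *TokenCreateCommand) Run(args []string) int {
	var (
		format          string
		id              string
		displayName     string
		lease           string
		ttl             string
		orphan          bool
		noDefaultPolicy bool
		metadata        map[string]string
		numUses         int
		policies        []string
	)

	// Name the flag set after this command so parse errors and usage output
	// refer to token-create; the original "mount" was a copy-paste.
	flags := c.Meta.FlagSet("token-create", FlagSetDefault)
	flags.StringVar(&format, "format", "table", "")
	flags.StringVar(&displayName, "display-name", "", "")
	// -id supplies the token value itself. Like any command-line argument it
	// is visible to other local users in process listings and may land in
	// shell history; per Help, the server only accepts it from a root token.
	flags.StringVar(&id, "id", "", "")
	flags.StringVar(&lease, "lease", "", "")
	flags.StringVar(&ttl, "ttl", "", "")
	flags.BoolVar(&orphan, "orphan", false, "")
	flags.BoolVar(&noDefaultPolicy, "no-default-policy", false, "")
	flags.IntVar(&numUses, "use-limit", 0, "")
	flags.Var((*kvFlag.Flag)(&metadata), "metadata", "")
	flags.Var((*sliceflag.StringFlag)(&policies), "policy", "")
	flags.Usage = func() { c.Ui.Error(c.Help()) }
	if err := flags.Parse(args); err != nil {
		return 1
	}

	// This command takes no positional arguments; anything left over is a
	// usage error (the message is a constant, so no Sprintf is needed).
	if rest := flags.Args(); len(rest) != 0 {
		flags.Usage()
		c.Ui.Error("\ntoken-create expects no arguments")
		return 1
	}

	client, err := c.Client()
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error initializing client: %s", err))
		return 2
	}

	// -lease is the deprecated spelling of -ttl; honour it only when -ttl
	// was not given, so an explicit -ttl always wins.
	if ttl == "" {
		ttl = lease
	}

	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
		ID:              id,
		Policies:        policies,
		Metadata:        metadata,
		TTL:             ttl,
		NoParent:        orphan,
		NoDefaultPolicy: noDefaultPolicy,
		DisplayName:     displayName,
		NumUses:         numUses,
	})
	if err != nil {
		c.Ui.Error(fmt.Sprintf(
			"Error creating token: %s", err))
		return 2
	}

	return OutputSecret(c.Ui, format, secret)
}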
// Synopsis returns the one-line description shown next to token-create in
// the top-level command listing.
func (c *TokenCreateCommand) Synopsis() string {
	const summary = "Create a new auth token"
	return summary
}
// Help returns the full usage text for "vault token-create": the general
// options shared by all commands (from generalOptionsUsage) followed by the
// token-specific flags. The text is a raw string literal, so its layout is
// part of the CLI's output; surrounding whitespace is trimmed before return.
func (c *TokenCreateCommand) Help() string {
	helpText := `
Usage: vault token-create [options]
Create a new auth token.
This command creates a new token that can be used for authentication.
This token will be created as a child of your token. The created token
will inherit your policies, or can be assigned a subset of your policies.
A lease can also be associated with the token. If a lease is not associated
with the token, then it cannot be renewed. If a lease is associated with
the token, it will expire after that amount of time unless it is renewed.
Metadata associated with the token (specified with "-metadata") is
written to the audit log when the token is used.
General Options:
` + generalOptionsUsage() + `
Token Options:
-id="7699125c-d8...." The token value that clients will use to authenticate
with vault. If not provided this defaults to a 36
character UUID. A root token is required to specify
the ID of a token.
-display-name="name" A display name to associate with this token. This
is a non-security sensitive value used to help
identify created secrets, i.e. prefixes.
-lease="1h" Deprecated; use "-ttl" instead.
-ttl="1h" TTL to associate with the token. This option enables
the tokens to be renewable.
-metadata="key=value" Metadata to associate with the token. This shows
up in the audit log. This can be specified multiple
times.
-orphan If specified, the token will have no parent. Only
root tokens can create orphan tokens. This prevents
the new token from being revoked with your token.
-no-default-policy If specified, the token will not have the "default"
policy included in its policy set.
-policy="name" Policy to associate with this token. This can be
specified multiple times.
-use-limit=5 The number of times this token can be used until
it is automatically revoked.
-format=table The format for output. By default it is a whitespace-
delimited table. This can also be json.
`
	// Drop the leading/trailing newlines the literal carries for readability.
	return strings.TrimSpace(helpText)
}