
Bash

Bash can retrieve secrets from Vault by calling the Vault HTTP API (with curl and jq). The most straightforward way to authenticate those calls is AppRole authentication.

Vault Policies

Teams are responsible for setting up policies that give bash access to specific secrets or paths. Use the following CLI command (or a variation of the Terraform code examples) to create a policy for secrets under secret/bash/*. Note that KV v2 secrets are addressed through the mount's data/ path (secret/data/bash/*), and that the example grants create, read, update, patch and delete; trim the capabilities list if the script only needs to read.

Bash
vault policy write approle_bash_access_policy - <<EOF
path "secret/data/bash/*" {
  capabilities = ["create", "read", "update", "patch", "delete"]
}
EOF

Approle

For bash to connect to Vault it must authenticate. To create an AppRole, use the following CLI command (or a variation of the Terraform code examples) and attach the policy you created in the previous step:

Bash
vault write auth/approle/role/bash \
  token_policies="default,approle_bash_access_policy" \
  secret_id_ttl="365d"

role_id & secret_id

Bash authenticates to Vault with the role's role_id and a secret_id. Retrieve them as follows; the secret_id is a credential, so hand it to the script through the environment rather than writing it into the script:

Bash
# Read role-id
vault read auth/approle/role/bash/role-id

# Create a secret-id
vault write -f auth/approle/role/bash/secret-id

Basic Vault Write Example

Bash
#!/bin/bash
set -euo pipefail

# Define Vault parameters. The AppRole credentials come from the environment
# (the script aborts if they are missing) so they never sit in the script text.
vault_address="https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
role_id="${VAULT_ROLE_ID:?set VAULT_ROLE_ID in the environment}"
secret_id="${VAULT_SECRET_ID:?set VAULT_SECRET_ID in the environment}"
namespace="admin/CESI"
secret_path="secret/data/bash/test"   # KV v2 API path: <mount>/data/<logical path>

# Authenticate with Vault using AppRole (jq builds the JSON so the values are escaped)
auth_response=$(curl -sS --request POST \
  --url "$vault_address/v1/auth/approle/login" \
  --header "X-Vault-Namespace: $namespace" \
  --header "Content-Type: application/json" \
  --data "$(jq -n --arg r "$role_id" --arg s "$secret_id" '{role_id: $r, secret_id: $s}')")

# jq -e exits non-zero when the token is null or missing, e.g. on {"errors":["..."]}
vault_token=$(echo "$auth_response" | jq -er '.auth.client_token') || {
  echo "AppRole login failed: $(echo "$auth_response" | jq -c '.errors // .')" >&2
  exit 1
}

# Define the data to write to the secret (KV v2 expects the key/value pairs under "data")
secret_data='{
  "data": {
    "foo": "your_secret_value"
  }
}'

# Write the secret to Vault
write_response=$(curl -sS --request POST \
  --url "$vault_address/v1/$secret_path" \
  --header "X-Vault-Token: $vault_token" \
  --header "X-Vault-Namespace: $namespace" \
  --header "Content-Type: application/json" \
  --data "$secret_data")

# Output the response (version metadata on success, an "errors" array on failure)
echo "$write_response" | jq

Basic Vault Read Example

Bash
#!/bin/bash
set -euo pipefail

# Define Vault parameters. The AppRole credentials come from the environment
# (the script aborts if they are missing) so they never sit in the script text.
vault_address="https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
role_id="${VAULT_ROLE_ID:?set VAULT_ROLE_ID in the environment}"
secret_id="${VAULT_SECRET_ID:?set VAULT_SECRET_ID in the environment}"
namespace="admin/CESI"
secret_path="secret/data/bash/test"   # KV v2 API path: <mount>/data/<logical path>

# Authenticate with Vault using AppRole (jq builds the JSON so the values are escaped)
auth_response=$(curl -sS --request POST \
  --url "$vault_address/v1/auth/approle/login" \
  --header "X-Vault-Namespace: $namespace" \
  --header "Content-Type: application/json" \
  --data "$(jq -n --arg r "$role_id" --arg s "$secret_id" '{role_id: $r, secret_id: $s}')")

# jq -e exits non-zero when the token is null or missing, e.g. on {"errors":["..."]}
vault_token=$(echo "$auth_response" | jq -er '.auth.client_token') || {
  echo "AppRole login failed: $(echo "$auth_response" | jq -c '.errors // .')" >&2
  exit 1
}

# Retrieve the secret from Vault
secret_response=$(curl -sS --request GET \
  --url "$vault_address/v1/$secret_path" \
  --header "X-Vault-Token: $vault_token" \
  --header "X-Vault-Namespace: $namespace")

# Output the secret value for key 'foo' (KV v2 nests the values under .data.data);
# jq -e fails if the key is absent or the response is an error object
echo "$secret_response" | jq -er '.data.data.foo'
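The two scripts above repeat the same login block and rely on jq to notice a failed call. As an added example (not part of the original page and not the project's own code), the following bash library factors that flow into reusable functions: vault_call checks the HTTP status with curl's --write-out so a permission error is never mistaken for data, the AppRole credentials come only from the environment, kv2_api_path maps the CLI-style path secret/bash/test to the API path secret/data/bash/test that the policy and the URLs use, and vault_logout revokes the token when the script is finished. The function names and the VAULT_ROLE_ID / VAULT_SECRET_ID variable names are this example's own choices; VAULT_ADDR and VAULT_NAMESPACE mirror the Vault CLI's variables. The HTTP functions need curl, jq and a reachable Vault; the path and URL helpers are pure string functions.

```shell
#!/usr/bin/env bash
# Added example: a small bash library around the AppRole + KV v2 API calls.
set -euo pipefail

# Map the logical KV v2 path used on the CLI (secret/bash/test) to the API path used
# by the HTTP endpoint and the policy (secret/data/bash/test). The mount is the first
# path component; $2 selects "data" (default) or "metadata".
kv2_api_path() {
  local logical="${1#/}" kind="${2:-data}"
  local mount="${logical%%/*}" rest="${logical#*/}"
  printf '%s/%s/%s\n' "$mount" "$kind" "$rest"
}

# Build a full API URL, tolerating a trailing slash on the address or a leading one on the path.
vault_api_url() {
  local address="${1%/}" path="${2#/}"
  printf '%s/v1/%s\n' "$address" "$path"
}

# Abort if a required variable is unset or empty; credentials never live in the script text.
require_env() {
  local name
  for name in "$@"; do
    [ -n "${!name:-}" ] || { echo "missing required variable: $name" >&2; return 1; }
  done
}

# Perform one Vault API call: vault_call METHOD PATH [JSON_BODY]
# Prints the response body and returns non-zero on a non-2xx status.
# Uses VAULT_ADDR, VAULT_NAMESPACE (optional) and VAULT_TOKEN (set by vault_approle_login).
vault_call() {
  local method="$1" path="$2" body="${3:-}" out status
  local -a args=(-sS --request "$method" --url "$(vault_api_url "$VAULT_ADDR" "$path")"
                 --header "Content-Type: application/json" --write-out '\n%{http_code}')
  [ -n "${VAULT_NAMESPACE:-}" ] && args+=(--header "X-Vault-Namespace: $VAULT_NAMESPACE")
  [ -n "${VAULT_TOKEN:-}" ]     && args+=(--header "X-Vault-Token: $VAULT_TOKEN")
  [ -n "$body" ]                && args+=(--data "$body")
  out=$(curl "${args[@]}")
  status="${out##*$'\n'}"           # last line is the HTTP status code
  printf '%s\n' "${out%$'\n'*}"     # everything before it is the body
  case "$status" in
    2??) return 0 ;;
    *)   echo "vault $method $path failed: HTTP $status" >&2; return 1 ;;
  esac
}

# AppRole login; exports VAULT_TOKEN for the calls that follow.
vault_approle_login() {
  require_env VAULT_ADDR VAULT_ROLE_ID VAULT_SECRET_ID
  local payload resp
  payload=$(jq -n --arg r "$VAULT_ROLE_ID" --arg s "$VAULT_SECRET_ID" '{role_id: $r, secret_id: $s}')
  resp=$(vault_call POST auth/approle/login "$payload")
  VAULT_TOKEN=$(printf '%s' "$resp" | jq -er '.auth.client_token')
  export VAULT_TOKEN
}

# Read one key from a KV v2 secret: kv2_get secret/bash/test foo
# Fails (jq -e) when the key is absent or the response is an error object.
kv2_get() {
  vault_call GET "$(kv2_api_path "$1")" | jq -er --arg k "$2" '.data.data[$k]'
}

# Turn key=value arguments into the {"data": {...}} body that KV v2 expects.
kv2_put_payload() {
  printf '%s\n' "$@" \
    | jq -Rnc '{data: ([inputs | capture("^(?<k>[^=]+)=(?<v>.*)$")] | from_entries)}'
}

# Write key=value pairs to a KV v2 secret: kv2_put secret/bash/test foo=bar
kv2_put() {
  local path="$1"; shift
  vault_call POST "$(kv2_api_path "$path")" "$(kv2_put_payload "$@")" >/dev/null
}

# Revoke our own token so a leaked shell environment does not keep working after the script ends.
vault_logout() {
  vault_call POST auth/token/revoke-self >/dev/null
  unset VAULT_TOKEN
}

# Example session (needs a reachable Vault and VAULT_ADDR, VAULT_NAMESPACE,
# VAULT_ROLE_ID and VAULT_SECRET_ID set in the environment):
#   vault_approle_login
#   kv2_put secret/bash/test foo=your_secret_value
#   kv2_get secret/bash/test foo
#   vault_logout
```

Source the file from a script and call the functions as in the example session; because vault_call returns non-zero on any non-2xx status and the library runs under set -euo pipefail, a failed login or a denied read stops the script instead of silently passing "null" on to whatever consumes the secret.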