# CLI Login with OIDC

For this example we will use Bash.
## Config
Start by making a bash script. Feel free to name the script whatever you want; for this demo the name will be `vaultLoginOIDC.sh`.

At the top of the file, set the Vault variables:
| Key | Value | Description |
|---|---|---|
| VAULT_ADDR | https://vault.localhost:8200 | Vault server address |
The Vault CLI uses `VAULT_ADDR` to find the Vault server.

```sh
#!/usr/bin/env bash
export VAULT_ADDR="https://vault.localhost:8200"
# Browser-based OIDC login; -field=token prints only the token.
# Source the file (. ./vaultLoginOIDC.sh) to keep the export in your own shell;
# run as ./vaultLoginOIDC.sh, the CLI still finds the token vault login stores in ~/.vault-token.
export VAULT_TOKEN=$(vault login -method=oidc -field=token)
```
## Login
Run the script with `./vaultLoginOIDC.sh`.

After it runs, check that your Vault token is valid:

```sh
# Asks Vault to validate the current token; the command's own output is discarded.
vault token lookup >/dev/null 2>&1 || { echo "ERROR -- VAULT_TOKEN is missing"; exit 1; } && echo "Vault Token is set"
```
In the context of shell scripting, `>/dev/null` and `2>&1` redirect the output and error streams. Here's what each component does:

- `>`: redirects the standard output (stdout) of a command to a file or a file descriptor. In this case, `/dev/null` is a special file that discards any data written to it.
- `/dev/null`: a special device file in Unix-like operating systems that discards all data written to it. In this case, it is used to discard the standard output.
- `2`: the file descriptor for the standard error (stderr) stream.
- `>`: placed after `2`, redirects the standard error (stderr) of a command.
- `&1`: file descriptor 1, which is the file descriptor for the standard output (stdout) stream.

Combining all these components together (`>/dev/null 2>&1`) redirects both the standard output and standard error streams of a command to `/dev/null`, effectively discarding any output or error messages. This is often used when you do not need to see the output or errors of a command and want to suppress them. The order matters: `2>&1 >/dev/null` would point stderr at the terminal before stdout is redirected, so error messages would still appear.

So, in the command `vault token lookup >/dev/null 2>&1`, any output or error messages from `vault token lookup` are discarded and not displayed; only its exit status is used.
## Get Value Demo
We are going to use the CLI to get a dummy value from our team's Vault.

- Run the login script we just made to set your `VAULT_TOKEN`. It exports the variable so all commands after it can use it.
- Set these environment variables:
| Key | Value | Description |
|---|---|---|
| VAULT_ADDR | https://vault.localhost:8200 | Vault server address |
| SECRET_ENGINE_MOUNT | demo | Vault credential location |
| VAULT_SECRET_PATH | services/demo | Secret path |
- Make this script, `getVaultVar.sh`:

```sh
#!/usr/bin/env bash
export VAULT_ADDR="https://vault.localhost:8200"
# Vault credential location to read
export SECRET_ENGINE_MOUNT="demo"
export VAULT_SECRET_PATH="services/demo"
# Stop here instead of falling through to a kv get that would fail anyway.
if [[ -z "${VAULT_TOKEN}" ]]; then
  echo "ERROR -- VAULT_TOKEN is missing" >&2
  exit 1
fi
# -field prints just the value of key "foo" from the KV secret.
vault kv get -mount="${SECRET_ENGINE_MOUNT}" -field="foo" "$VAULT_SECRET_PATH"
```
- Run the script:

```sh
./getVaultVar.sh
```

```text
===== Secret Path =====
dfs/data/services/demo

======= Metadata =======
Key              Value
---              -----
created_time     2023-10-10T18:53:14.814818159Z
custom_metadata  <nil>
deletion_time    n/a
destroyed        false
version          1

=== Data ===
Key    Value
---    -----
foo    bar
```
## Save to Variable with JQ
```sh
# Each call fetches the whole secret as JSON and jq picks one field out of it.
# Without -r, jq prints strings with their JSON quotes, as the output below shows;
# add -r to get the raw value.
export V_FOO=$(vault kv get -format=json -mount="${SECRET_ENGINE_MOUNT}" "$VAULT_SECRET_PATH" | jq .data.data.foo )
export V_FOO1=$(vault kv get -format=json -mount="${SECRET_ENGINE_MOUNT}" "$VAULT_SECRET_PATH" | jq .data.data.foo1 )
export V_FOO2=$(vault kv get -format=json -mount="${SECRET_ENGINE_MOUNT}" "$VAULT_SECRET_PATH" | jq .data.data.foo2 )
export V_FOO3=$(vault kv get -format=json -mount="${SECRET_ENGINE_MOUNT}" "$VAULT_SECRET_PATH" | jq .data.data.foo3 )
echo "V_FOO is $V_FOO"
echo "V_FOO1 is $V_FOO1"
echo "V_FOO2 is $V_FOO2"
echo "V_FOO3 is $V_FOO3"
```

Output:

```text
V_FOO is "bar"
V_FOO1 is "bar1"
V_FOO2 is "bar2"
V_FOO3 is "bar3"
```
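Below is an added example, not code from the original page or from the Vault project, that combines the token check from the Login section with the JQ extraction above: it validates the token first, fetches the secret once, pulls each field with `jq -r`, and fails on a missing key instead of exporting `null`. It assumes the Vault CLI and jq are installed, the `SECRET_ENGINE_MOUNT`/`VAULT_SECRET_PATH` values from the table, a constructed sample response `SAMPLE_JSON` for the offline demo, and the function names `require_vault_token`, `load_kv_fields` and `fetch_demo_secret`, which are chosen here.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes the Vault CLI and jq are
# installed and VAULT_ADDR/VAULT_TOKEN are set as in vaultLoginOIDC.sh.
set -eu

# Fail fast if the token is missing or no longer valid (e.g. an expired OIDC
# session) instead of discovering it on the first kv get.
require_vault_token() {
  vault token lookup >/dev/null 2>&1 || {
    echo "ERROR -- VAULT_TOKEN is missing or invalid; run vaultLoginOIDC.sh first" >&2
    return 1
  }
}

# load_kv_fields JSON FIELD...  exports V_<FIELD> for every requested key of a
# `vault kv get -format=json` document (KV v2 keeps the values under .data.data).
# jq -r strips the JSON quotes that `jq .data.data.foo` leaves in; a missing
# key is reported as an error instead of silently exporting the word "null".
load_kv_fields() {
  json=$1; shift
  for field in "$@"; do
    if ! value=$(printf '%s' "$json" |
        jq -er --arg f "$field" '.data.data | select(has($f)) | .[$f]'); then
      echo "ERROR -- field '$field' not found in secret" >&2
      return 1
    fi
    export "V_$(printf '%s' "$field" | tr '[:lower:]' '[:upper:]')=$value"
  done
}

# Real use: one round trip to Vault, then every field is extracted locally.
fetch_demo_secret() {
  require_vault_token
  load_kv_fields "$(vault kv get -format=json \
      -mount="${SECRET_ENGINE_MOUNT:-demo}" "${VAULT_SECRET_PATH:-services/demo}")" \
      foo foo1 foo2 foo3
}

# Constructed sample of the JSON the CLI returns, so the parsing can be tried
# offline (the page's real secret is fetched by fetch_demo_secret above).
SAMPLE_JSON='{"data":{"data":{"foo":"bar","foo1":"bar1"},"metadata":{"version":1}}}'
if command -v jq >/dev/null 2>&1; then
  load_kv_fields "$SAMPLE_JSON" foo foo1
  echo "V_FOO is $V_FOO and V_FOO1 is $V_FOO1"   # V_FOO is bar and V_FOO1 is bar1
fi
```

Source the login script first, then call `fetch_demo_secret` to populate `V_FOO` through `V_FOO3` from the real secret with a single `vault kv get`.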