Gradle and HashiCorp Vault. How to extract secrets using curl and parse JSON. Simple example

By admin, written on August 8, 2016


Here is a simple example of how to read values from HashiCorp Vault from Gradle.

Works for:

✔ curl 7.35.0
✔ Gradle 1.4

✔ Linux

Should also work for:

✔ Most current Gradle and Curl versions. MacOS and Windows with some slight corrections

In short:
Vault stores your secrets under paths in key=value format. There are different ways to read those values, one of which is using a “token” to access a specific path. Each token allows reading from some set of paths, and those permissions are also configured in Vault.

This how-to doesn’t concern itself with Vault mechanics and presumes you already have it running.

1

precondition

Replace with your settings and make sure the following command returns your data (the header is in double quotes so that the shell expands $token):

curl -s -H "X-Vault-Token: $token" -X GET $vault_url:$vault_port/v1/$secret_path

For example:

> curl -s -H 'X-Vault-Token: 12dsdsd-sd4-134d-se34-xsder4537g2df' -X GET https://vault-host.yourdomain.com:443/v1/enigma/path/to/secret
> {"lease_id":"","renewable":true,"lease_duration":1213445,"data":{"enigma1":"veeeery_hidden"},"warnings":null,"auth":null}

2

for the impatient, all in one

Copy, replace with your values, and paste into a Linux shell:

cat > build.gradle << 'EOF'

import groovy.json.JsonSlurper

defaultTasks 'token'

task token {
    // doLast runs the request only when the task executes, not on every configuration
    doLast {
        // Build Vault REST request
        def vault_url = 'https://vault-host.yourdomain.com'
        def vault_port = 443
        def secret_path = 'enigma/path/to/secret'
        def vault_uri = vault_url+':'+vault_port+'/v1/'+secret_path

        // Given you have a token to read your path 'enigma/path/to/secret', and this token is stored locally in ~/.vault_token
        // trim() removes the trailing newline the file usually ends with
        def token = new File(System.getenv()['HOME']+'/.vault_token').text.trim()

        // -s keeps curl's progress meter quiet
        def p = ['curl', "-s", "-H", "X-Vault-Token:"+token, "-X", "GET", vault_uri ].execute()

        // p.text would contain json like {"lease_id":"","renewable":true,"lease_duration":1000000,"data":{"your_key":"your_value"},"warnings":null,"auth":null}
        println "======================================"
        println "YOUR SECRET:"+new JsonSlurper().parseText(p.text).data.your_key
        println "======================================"
    }
}

EOF

gradle

check http://YOUR_HOST:80

3

some details

3.1

Forming curl request

Vault Server provides a REST API which can be accessed via curl. You will need the Vault URL, port, and path to the secret. You also need some access method to read, and in this case I access it with a token. So, the complete curl command has a form like:

curl -s -H "X-Vault-Token: $token" -X GET $vault_url:$vault_port/v1/$secret_path

This is covered by the script part marked // Build Vault REST request

Also, I get my token from a file stored in ~/.vault_token, but maybe you just hard-code it or take it from ENV.

3.2

Executing Curl, parsing result

I then run the command using .execute(); stdout is stored in a local variable.

JsonSlurper is used to extract the value.

3.3

Putting it all together

import groovy.json.JsonSlurper

defaultTasks 'token'

task token {
    // doLast runs the request only when the task executes, not on every configuration
    doLast {
        // Build Vault REST request
        def vault_url = 'https://vault-host.yourdomain.com'
        def vault_port = 443
        def secret_path = 'enigma/path/to/secret'
        def vault_uri = vault_url+':'+vault_port+'/v1/'+secret_path

        // Given you have a token to read your path 'enigma/path/to/secret', and this token is stored locally in ~/.vault_token
        // trim() removes the trailing newline the file usually ends with
        def token = new File(System.getenv()['HOME']+'/.vault_token').text.trim()

        // -s keeps curl's progress meter quiet
        def p = ['curl', "-s", "-H", "X-Vault-Token:"+token, "-X", "GET", vault_uri ].execute()

        // p.text would contain json like {"lease_id":"","renewable":true,"lease_duration":1000000,"data":{"your_key":"your_value"},"warnings":null,"auth":null}
        println "======================================"
        println "YOUR SECRET:"+new JsonSlurper().parseText(p.text).data.your_key
        println "======================================"
    }
}
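
A hardened variant of the task above, as an added example that is not part of the original post: it feeds the token header to curl through stdin (`-K -`) so the token is not in the process argument list, checks curl's exit code and Vault's `{"errors":[...]}` body, and does not print the secret. The helper names `readVaultResponse` and `fetchFromVault`, the task names, and the use of key `enigma1` (from the sample response in step 1) are assumptions.

```groovy
import groovy.json.JsonSlurper

// Added example, not the post's code. Host, path and key are the post's
// placeholders; helper and task names are hypothetical.

// Return data[key] from a Vault response body; fail on Vault's
// {"errors":[...]} body or when the key is absent.
def readVaultResponse(String body, String key) {
    def json = new JsonSlurper().parseText(body)
    if (json.errors) {
        throw new GradleException("Vault returned errors: ${json.errors}")
    }
    if (json.data == null || !json.data.containsKey(key)) {
        throw new GradleException("Key '${key}' not present in Vault response")
    }
    return json.data[key]
}

// Call curl with the token header fed through stdin ("-K -" reads curl
// options from stdin), keeping the token out of the process argument list.
def fetchFromVault(String uri, String token) {
    def p = ['curl', '-s', '-S', '-K', '-', uri].execute()
    p.outputStream.withWriter { w -> w << "header = \"X-Vault-Token: ${token}\"\n" }
    def out = new StringBuffer()
    def err = new StringBuffer()
    p.waitForProcessOutput(out, err)   // drains stdout/stderr, then waits for exit
    if (p.exitValue() != 0) {
        throw new GradleException("curl exited with ${p.exitValue()}: ${err}")
    }
    return out.toString()
}

task vaultSecret {
    doLast {
        def uri = 'https://vault-host.yourdomain.com:443/v1/enigma/path/to/secret'
        def token = new File(System.getProperty('user.home'), '.vault_token').text.trim()
        def secret = readVaultResponse(fetchFromVault(uri, token), 'enigma1')
        project.ext.enigma1 = secret   // keep the value; log only that it was read
        println "Read 'enigma1' from Vault (${secret.length()} characters)"
    }
}

// Offline check of the parser on a constructed body: gradle checkParser
task checkParser {
    doLast {
        assert readVaultResponse('{"data":{"enigma1":"veeeery_hidden"}}', 'enigma1') == 'veeeery_hidden'
    }
}
```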

3.4

Useful links

Vault REST API : https://www.vaultproject.io/docs/http/
JsonSlurper : http://groovy-lang.org/json.html
