Merge key/value pairs in vault secret
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
@@ -7,27 +7,77 @@ Param(
|
||||
[Parameter()]
|
||||
[string]$VaultPwPolicy,
|
||||
[Parameter(Mandatory)]
|
||||
[string]$Container,
|
||||
[string]$VaulSecret,
|
||||
[Parameter(Mandatory)]
|
||||
[string]$Username
|
||||
)
|
||||
|
||||
# Generate new password
|
||||
$InvokeWebRequestSplat = @{
|
||||
Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
|
||||
Headers = @{'X-Vault-Token'="$VaultToken"}
|
||||
}
|
||||
$NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
|
||||
|
||||
$InvokeWebRequestSplat = @{
|
||||
Uri = "$($VaultAPIAddress)/secret/data/$($Container)"
|
||||
Method = 'POST'
|
||||
Headers = @{'X-Vault-Token'="$VaultToken"}
|
||||
Body = @{
|
||||
data = @{
|
||||
"password.$($Username)" = $NewPassword
|
||||
}
|
||||
} | ConvertTo-Json
|
||||
# Check for existense of secret
|
||||
$Response, $ErrResponse = $Null, $Null
|
||||
Try {
|
||||
$InvokeWebRequestSplat = @{
|
||||
Uri = "$(VaultAPIAddress)/secret/metadata/$($VaultSecret)"
|
||||
Headers = @{'X-Vault-Token' = "$VaultToken"}
|
||||
UseBasicParsing = $True
|
||||
}
|
||||
$Response = Invoke-WebRequest @InvokeWebRequestSplat
|
||||
}
|
||||
Catch {
|
||||
$StreamReader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
|
||||
$StreamReader.BaseStream.Position = 0
|
||||
$ErrResponse = $StreamReader.ReadToEnd()
|
||||
$StreamReader.Close()
|
||||
}
|
||||
|
||||
If ([boolean]$Response) {
|
||||
# Secret already exists; retrieve existing key/value pairs
|
||||
$InvokeWebRequestSplat = @{
|
||||
Uri = "$(VaultAPIAddress)/secret/data/$($VaultSecret)"
|
||||
Headers = @{'X-Vault-Token' = "$VaultToken"}
|
||||
UseBasicParsing = $True
|
||||
}
|
||||
$Secret = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data
|
||||
|
||||
# Merge new password into dictionary
|
||||
$AddMemberSplat = @{
|
||||
MemberType = 'NoteProperty'
|
||||
Name = "password.$($Username)"
|
||||
Value = $NewPassword
|
||||
Force = $True
|
||||
}
|
||||
$Secret.data | Add-Member @AddMemberSplat
|
||||
|
||||
# Store as new version
|
||||
$InvokeWebRequestSplat = @{
|
||||
Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
|
||||
Method = 'POST'
|
||||
Headers = @{'X-Vault-Token'="$VaultToken"}
|
||||
Body = @{
|
||||
data = $Secret.data
|
||||
} | ConvertTo-Json
|
||||
}
|
||||
Invoke-WebRequest @InvokeWebRequestSplat
|
||||
}
|
||||
ElseIf ([boolean]$ErrResponse) {
|
||||
# Secret did not exist yet, store as new secret
|
||||
$InvokeWebRequestSplat = @{
|
||||
Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
|
||||
Method = 'POST'
|
||||
Headers = @{'X-Vault-Token'="$VaultToken"}
|
||||
Body = @{
|
||||
data = @{
|
||||
"password.$($Username)" = $NewPassword
|
||||
}
|
||||
} | ConvertTo-Json
|
||||
}
|
||||
Invoke-WebRequest @InvokeWebRequestSplat
|
||||
}
|
||||
Invoke-WebRequest @InvokeWebRequestSplat
|
||||
|
||||
Return $NewPassword
|
||||
@@ -17,4 +17,4 @@ Users:
|
||||
Variables:
|
||||
- Name: password.janedoe
|
||||
Expression: |
|
||||
& "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
|
||||
& "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
|
||||
|
||||
Reference in New Issue
Block a user