2015-04-07 21:20:18 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
|
|
"github.com/hashicorp/vault/helper/flag-kv"
|
|
|
|
"github.com/hashicorp/vault/helper/flag-slice"
|
2016-04-01 17:16:05 +00:00
|
|
|
"github.com/hashicorp/vault/meta"
|
2015-04-07 21:20:18 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TokenCreateCommand is a Command that mounts a new mount.
|
|
|
|
type TokenCreateCommand struct {
|
2016-04-01 17:16:05 +00:00
|
|
|
meta.Meta
|
2015-04-07 21:20:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenCreateCommand) Run(args []string) int {
|
2015-06-17 23:59:50 +00:00
|
|
|
var format string
|
2016-08-13 01:01:30 +00:00
|
|
|
var id, displayName, lease, ttl, explicitMaxTTL, period, role string
|
2016-06-08 15:14:30 +00:00
|
|
|
var orphan, noDefaultPolicy, renewable bool
|
2015-04-07 21:20:18 +00:00
|
|
|
var metadata map[string]string
|
2015-04-20 01:08:08 +00:00
|
|
|
var numUses int
|
2015-04-07 21:20:18 +00:00
|
|
|
var policies []string
|
2016-04-01 17:16:05 +00:00
|
|
|
flags := c.Meta.FlagSet("mount", meta.FlagSetDefault)
|
2015-06-17 23:59:50 +00:00
|
|
|
flags.StringVar(&format, "format", "table", "")
|
2015-04-20 01:08:08 +00:00
|
|
|
flags.StringVar(&displayName, "display-name", "", "")
|
2015-08-06 16:38:26 +00:00
|
|
|
flags.StringVar(&id, "id", "", "")
|
2015-04-07 21:20:18 +00:00
|
|
|
flags.StringVar(&lease, "lease", "", "")
|
2015-10-09 23:52:13 +00:00
|
|
|
flags.StringVar(&ttl, "ttl", "", "")
|
2016-06-08 18:49:48 +00:00
|
|
|
flags.StringVar(&explicitMaxTTL, "explicit-max-ttl", "", "")
|
2016-08-13 01:01:30 +00:00
|
|
|
flags.StringVar(&period, "period", "", "")
|
2016-02-29 18:27:31 +00:00
|
|
|
flags.StringVar(&role, "role", "", "")
|
2015-04-07 21:20:18 +00:00
|
|
|
flags.BoolVar(&orphan, "orphan", false, "")
|
2016-06-08 15:14:30 +00:00
|
|
|
flags.BoolVar(&renewable, "renewable", true, "")
|
2015-11-09 22:30:50 +00:00
|
|
|
flags.BoolVar(&noDefaultPolicy, "no-default-policy", false, "")
|
2015-04-20 01:08:08 +00:00
|
|
|
flags.IntVar(&numUses, "use-limit", 0, "")
|
2015-04-07 21:20:18 +00:00
|
|
|
flags.Var((*kvFlag.Flag)(&metadata), "metadata", "")
|
|
|
|
flags.Var((*sliceflag.StringFlag)(&policies), "policy", "")
|
|
|
|
flags.Usage = func() { c.Ui.Error(c.Help()) }
|
|
|
|
if err := flags.Parse(args); err != nil {
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
args = flags.Args()
|
|
|
|
if len(args) != 0 {
|
|
|
|
flags.Usage()
|
|
|
|
c.Ui.Error(fmt.Sprintf(
|
|
|
|
"\ntoken-create expects no arguments"))
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
client, err := c.Client()
|
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf(
|
|
|
|
"Error initializing client: %s", err))
|
|
|
|
return 2
|
|
|
|
}
|
|
|
|
|
2015-10-09 23:52:13 +00:00
|
|
|
if ttl == "" {
|
|
|
|
ttl = lease
|
|
|
|
}
|
2016-02-29 18:27:31 +00:00
|
|
|
|
|
|
|
tcr := &api.TokenCreateRequest{
|
2015-11-09 22:30:50 +00:00
|
|
|
ID: id,
|
|
|
|
Policies: policies,
|
|
|
|
Metadata: metadata,
|
|
|
|
TTL: ttl,
|
|
|
|
NoParent: orphan,
|
|
|
|
NoDefaultPolicy: noDefaultPolicy,
|
|
|
|
DisplayName: displayName,
|
|
|
|
NumUses: numUses,
|
2016-06-08 15:14:30 +00:00
|
|
|
Renewable: new(bool),
|
2016-06-08 18:49:48 +00:00
|
|
|
ExplicitMaxTTL: explicitMaxTTL,
|
2016-08-13 01:01:30 +00:00
|
|
|
Period: period,
|
2016-02-29 18:27:31 +00:00
|
|
|
}
|
2016-06-08 15:14:30 +00:00
|
|
|
*tcr.Renewable = renewable
|
2016-02-29 18:27:31 +00:00
|
|
|
|
|
|
|
var secret *api.Secret
|
|
|
|
if role != "" {
|
|
|
|
secret, err = client.Auth().Token().CreateWithRole(tcr, role)
|
|
|
|
} else {
|
|
|
|
secret, err = client.Auth().Token().Create(tcr)
|
|
|
|
}
|
2015-10-09 23:52:13 +00:00
|
|
|
|
2015-04-07 21:20:18 +00:00
|
|
|
if err != nil {
|
|
|
|
c.Ui.Error(fmt.Sprintf(
|
|
|
|
"Error creating token: %s", err))
|
|
|
|
return 2
|
|
|
|
}
|
|
|
|
|
2015-06-17 23:59:50 +00:00
|
|
|
return OutputSecret(c.Ui, format, secret)
|
2015-04-07 21:20:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenCreateCommand) Synopsis() string {
|
|
|
|
return "Create a new auth token"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *TokenCreateCommand) Help() string {
|
|
|
|
helpText := `
|
|
|
|
Usage: vault token-create [options]
|
|
|
|
|
|
|
|
Create a new auth token.
|
|
|
|
|
|
|
|
This command creates a new token that can be used for authentication.
|
|
|
|
This token will be created as a child of your token. The created token
|
|
|
|
will inherit your policies, or can be assigned a subset of your policies.
|
|
|
|
|
2015-09-12 01:08:32 +00:00
|
|
|
A lease can also be associated with the token. If a lease is not associated
|
2015-09-12 01:36:20 +00:00
|
|
|
with the token, then it cannot be renewed. If a lease is associated with
|
2015-09-12 01:08:32 +00:00
|
|
|
the token, it will expire after that amount of time unless it is renewed.
|
2015-04-07 21:20:18 +00:00
|
|
|
|
|
|
|
Metadata associated with the token (specified with "-metadata") is
|
|
|
|
written to the audit log when the token is used.
|
|
|
|
|
2016-03-01 18:02:40 +00:00
|
|
|
If a role is specified, the role may override parameters specified here.
|
|
|
|
|
2015-04-07 21:20:18 +00:00
|
|
|
General Options:
|
2016-04-01 20:50:12 +00:00
|
|
|
` + meta.GeneralOptionsUsage() + `
|
2015-04-07 21:20:18 +00:00
|
|
|
Token Options:
|
|
|
|
|
2015-08-06 16:38:26 +00:00
|
|
|
-id="7699125c-d8...." The token value that clients will use to authenticate
|
|
|
|
with vault. If not provided this defaults to a 36
|
2015-10-09 23:40:30 +00:00
|
|
|
character UUID. A root token is required to specify
|
2015-08-06 16:38:26 +00:00
|
|
|
the ID of a token.
|
|
|
|
|
2015-04-20 01:08:08 +00:00
|
|
|
-display-name="name" A display name to associate with this token. This
|
|
|
|
is a non-security sensitive value used to help
|
|
|
|
identify created secrets, i.e. prefixes.
|
|
|
|
|
2016-06-08 13:19:39 +00:00
|
|
|
-ttl="1h" Initial TTL to associate with the token; renewals can
|
|
|
|
extend this value.
|
2015-04-07 21:20:18 +00:00
|
|
|
|
2016-06-08 18:49:48 +00:00
|
|
|
-explicit-max-ttl="1h" An explicit maximum lifetime for the token. Unlike
|
|
|
|
normal token TTLs, which can be renewed up until the
|
|
|
|
maximum TTL set on the auth/token mount or the system
|
|
|
|
configuration file, this lifetime is a hard limit set
|
|
|
|
on the token itself and cannot be exceeded.
|
|
|
|
|
2016-08-13 01:01:30 +00:00
|
|
|
-period="1h" If specified, the token will be periodic; it will
|
|
|
|
have no maximum TTL (unless an "explicit-max-ttl" is
|
|
|
|
also set) but every renewal will use the given
|
|
|
|
period. Requires a root/sudo token to use.
|
|
|
|
|
2016-06-08 15:14:30 +00:00
|
|
|
-renewable=true Whether or not the token is renewable to extend its
|
|
|
|
TTL up to Vault's configured maximum TTL for tokens.
|
|
|
|
This defaults to true; set to false to disable
|
|
|
|
renewal of this token.
|
|
|
|
|
2015-04-07 21:20:18 +00:00
|
|
|
-metadata="key=value" Metadata to associate with the token. This shows
|
|
|
|
up in the audit log. This can be specified multiple
|
|
|
|
times.
|
|
|
|
|
|
|
|
-orphan If specified, the token will have no parent. Only
|
2016-08-13 01:01:30 +00:00
|
|
|
This prevents the new token from being revoked with
|
|
|
|
your token. Requires a root/sudo token to use.
|
2015-04-07 21:20:18 +00:00
|
|
|
|
2015-11-09 22:30:50 +00:00
|
|
|
-no-default-policy If specified, the token will not have the "default"
|
|
|
|
policy included in its policy set.
|
|
|
|
|
2015-04-07 21:20:18 +00:00
|
|
|
-policy="name" Policy to associate with this token. This can be
|
|
|
|
specified multiple times.
|
|
|
|
|
2015-04-20 01:08:08 +00:00
|
|
|
-use-limit=5 The number of times this token can be used until
|
|
|
|
it is automatically revoked.
|
2015-06-17 23:59:50 +00:00
|
|
|
|
|
|
|
-format=table The format for output. By default it is a whitespace-
|
2015-12-10 10:32:31 +00:00
|
|
|
delimited table. This can also be json or yaml.
|
2015-06-17 23:59:50 +00:00
|
|
|
|
2016-03-01 18:02:40 +00:00
|
|
|
-role=name If set, the token will be created against the named
|
|
|
|
role. The role may override other parameters. This
|
|
|
|
requires the client to have permissions on the
|
|
|
|
appropriate endpoint (auth/token/create/<name>).
|
2015-04-07 21:20:18 +00:00
|
|
|
`
|
|
|
|
return strings.TrimSpace(helpText)
|
|
|
|
}
|