I wrote a script to renew HashiCorp Vault tokens, but I ran into a problem. When the script has Vault renew the token, it returns n/a instead of the token value, so I cannot save it anywhere, for example into a Kubernetes secret.
The output looks like this:
Key                  Value
---                  -----
token                n/a
token_accessor       -------------
token_duration       10h
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
My script:

import subprocess
import json
from kubernetes import client, config

def renew_vault_token(vault_pod, token_id):
    try:
        # Renew the token by accessor through `kubectl exec` into the Vault pod
        result = subprocess.run(
            ['kubectl', 'exec', '-ti', vault_pod, '-n', 'vault', '--',
             'vault', 'token', 'renew', '-accessor', token_id],
            capture_output=True, text=True, check=True
        )
        output = result.stdout
        print("Vault renew output:", output)  # Debugging output
        # Take the first line of the table that starts with "token" (the token row)
        token_line = next(line for line in output.splitlines() if line.startswith('token'))
        new_token = token_line.split(None, 1)[1]
        print(new_token)
        return new_token
    except subprocess.CalledProcessError as e:
        print(f"Error renewing token: {e}")
        return None

if __name__ == "__main__":
    VAULT_POD = 'vault-0'
    TOKEN_ID = '----------------'
    new_token = renew_vault_token(VAULT_POD, TOKEN_ID)
Thanks to the comments above. I found that when the `vault token renew` command runs, the token value does not change. So the token renewal script looks like this:
import subprocess
import json
from kubernetes import client, config

def renew_vault_token(vault_pod, token_id):
    try:
        # Renew the lease of the token identified by this accessor; the token
        # string itself is unchanged, so only the renew output is returned.
        result = subprocess.run(
            ['kubectl', 'exec', '-ti', vault_pod, '-n', 'vault', '--',
             'vault', 'token', 'renew', '-accessor', token_id],
            capture_output=True, text=True, check=True
        )
        output = result.stdout
        print("Vault renew output:", output)
        return output
    except subprocess.CalledProcessError as e:
        print(f"Error renewing token: {e}")
        return None

if __name__ == "__main__":
    VAULT_POD = 'vault-0'
    token_ids = [
        '1ndTokenID',
        '2ndTokenID',
        '3rdTokenID'
    ]
    for token_id in token_ids:
        # Renew each accessor in turn (the loop variable, not a fixed TOKEN_ID)
        renew_output = renew_vault_token(VAULT_POD, token_id)
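To make the point of the answer checkable in code: renewing by accessor only extends the lease of the existing token, so the string already stored in the Kubernetes secret stays valid and the script should confirm the new TTL rather than scrape a token out of the table. The following is an added example, not the poster's code. It assumes the same `vault-0` pod in the `vault` namespace reached through `kubectl exec`, asks the CLI for `-format=json` instead of parsing the human-readable table, uses `-i` rather than `-ti` because stdout is captured and there is no TTY, and takes the process runner as a parameter so the logic can be run offline against a constructed response (the `SAMPLE_RENEW_JSON` below is constructed to match the shape of the CLI's JSON output; `client_token` is empty because the token is not echoed when renewing via accessor, an assumption marked as such in the code).

```python
"""Renew Vault tokens by accessor and report the renewed lease (added example)."""
import json
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, Sequence


@dataclass(frozen=True)
class RenewResult:
    accessor: str
    lease_duration: int   # new TTL in seconds
    renewable: bool
    policies: tuple
    token_returned: bool  # True only if the response carried a non-empty client_token


def build_renew_command(pod: str, accessor: str, namespace: str = "vault") -> list:
    """argv for `vault token renew -accessor` inside the pod; -i (no -t): output is captured."""
    return [
        "kubectl", "exec", "-i", pod, "-n", namespace, "--",
        "vault", "token", "renew", "-format=json", "-accessor", accessor,
    ]


def parse_renew_output(raw: str) -> RenewResult:
    """Pull the lease facts out of `vault token renew -format=json` output."""
    auth = json.loads(raw)["auth"]
    return RenewResult(
        accessor=auth["accessor"],
        lease_duration=int(auth["lease_duration"]),
        renewable=bool(auth["renewable"]),
        policies=tuple(auth.get("token_policies", [])),
        token_returned=bool(auth.get("client_token")),
    )


def renew_token_by_accessor(pod: str, accessor: str,
                            runner: Callable = subprocess.run) -> RenewResult:
    """Renew one token by accessor and return the parsed lease; never prints token material."""
    proc = runner(build_renew_command(pod, accessor),
                  capture_output=True, text=True, check=True)
    return parse_renew_output(proc.stdout)


def renew_all(pod: str, accessors: Sequence[str],
              runner: Callable = subprocess.run) -> Dict[str, RenewResult]:
    """Renew every accessor; a failure on one does not stop the others."""
    results: Dict[str, RenewResult] = {}
    for accessor in accessors:
        try:
            results[accessor] = renew_token_by_accessor(pod, accessor, runner)
        except (subprocess.CalledProcessError, KeyError, ValueError) as exc:
            print(f"renew failed for accessor {accessor}: {exc}")
    return results


# Constructed sample shaped like the CLI's JSON output (assumption: client_token is
# empty when renewing via accessor, which is what the table shows as "n/a").
SAMPLE_RENEW_JSON = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "auth": {
        "client_token": "",
        "accessor": "exampleAccessor",
        "policies": ["default"],
        "token_policies": ["default"],
        "lease_duration": 36000,
        "renewable": True,
    },
})


def fake_runner(stdout: str) -> Callable:
    """Offline stand-in for subprocess.run that returns a fixed stdout (demo/testing only)."""
    class _Completed:
        def __init__(self, out: str):
            self.stdout, self.stderr, self.returncode = out, "", 0

    def _run(argv, **_kwargs):
        return _Completed(stdout)
    return _run


if __name__ == "__main__":
    # Offline demo; swap fake_runner(...) for subprocess.run against a real cluster.
    for acc, res in renew_all("vault-0", ["exampleAccessor"], fake_runner(SAMPLE_RENEW_JSON)).items():
        print(f"{acc}: ttl={res.lease_duration}s renewable={res.renewable} "
              f"token_returned={res.token_returned}")
```

Because the token is unchanged, the Kubernetes secret does not need rewriting after each renewal; what is worth recording is `lease_duration`, so the job can alert when a renewal stops extending the TTL or when `renewable` turns false.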