Merge pull request #7 from Qmando/fix_k8s_roles

Fix k8s roles and add aws-ec2 sts settings
danielpops · Oct 5, 2021 · c08e66b · c08e66b
2 parents 51817c9 + f5da1fc
commit c08e66b
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/vault_dump/main.py b/vault_dump/main.py
@@ -101,6 +101,16 @@ def get_auth_backends(config_root, vault_token, vault_addr):
             for ldap_entity in ["groups", "users"]:
                 get_ldap_entities(config_root, vault_token, vault_addr, ldap_entity)
 
+        if auth_details["type"] == "aws-ec2":
+            list_sts_accounts = make_request(vault_token, vault_addr, f"v1/auth/{auth_path}config/sts", "LIST")
+            if list_sts_accounts.status_code not in [403, 404]:
+                list_sts_data = list_sts_accounts.json()
+                for account_id in list_sts_data['data']['keys']:
+                    get_sts_settings = make_request(vault_token, vault_addr, f"v1/auth/{auth_path}config/sts/{account_id}")
+                    sts_file = Path(f"{config_root}/auth/{auth_path}config/sts/{account_id}.yaml")
+                    sts_file.parent.mkdir(parents=True, exist_ok=True)
+                    with sts_file.open("w+") as f:
+                        f.write(yaml.safe_dump(get_sts_settings.json()["data"]))
 
 def get_ldap_entities(config_root, vault_token, vault_addr, ldap_entity):
     list_ldap_entities_response = make_request(vault_token, vault_addr, f"v1/auth/ldap/{ldap_entity}", "LIST")
@@ -117,7 +127,8 @@ def get_ldap_entities(config_root, vault_token, vault_addr, ldap_entity):
 def get_auth_roles(config_root, vault_token, vault_addr, auth_path, auth_backend_type):
     # each auth backend may have roles defined for them
     # enumerate them all and get their configuration details
-    list_roles_response = make_request(vault_token, vault_addr, f"v1/auth/{auth_path}roles", "LIST")
+    role_or_roles = "role" if auth_backend_type in ["kubernetes"] else "roles"
+    list_roles_response = make_request(vault_token, vault_addr, f"v1/auth/{auth_path}{role_or_roles}", "LIST")
     if not list_roles_response.status_code in [403, 404]:
         for role_name in list_roles_response.json()["data"]["keys"]:
             # This is necessary because of a silly inconsistency in the vault API