Introduction
Working with auth methods and policies may require a higher-level overview of which entity is using a specific policy and when its token was created. A visual inspection of the tokens alone may not reveal the global scope of a policy's use.
Prerequisites
- Vault (all versions)
- jq utility
- xargs utility
Overview
The following script correlates each token accessor with its token lookup and extracts the accessor and its creation date. The main script snippet may be enriched with further values from the token lookup, such as path, display_name, id, num_uses and orphan of the token.
# List the accessors and creation time of every token that carries the "admins" policy
# (exact policy-name match, so a policy such as "superadmins" is not reported)
vault list -format json auth/token/accessors | \
jq --raw-output ".[]" | \
xargs -I{} vault token lookup -format json -accessor {} | \
jq --raw-output 'select(any(.data.policies[]; . == "admins")) | "Accessor=\(.data.accessor) Created_on=\(.data.creation_time|todate)"'
An end-to-end example that creates users attached to the policy "admins", logs in to generate their tokens and accessors, and then searches the listed accessors for that policy is:
# Enable an auth mount of type userpass in the root namespace with the default values
vault auth enable userpass
# Create users, set their passwords and attach the "admins" policy to their tokens
vault write auth/userpass/users/user1 password=securedpassvalue11 token_policies=admins
vault write auth/userpass/users/user2 password=securedpassvalue22 token_policies=admins
vault write auth/userpass/users/user3 password=securedpassvalue33 token_policies=admins
# Log in with the auth method to generate a TOKEN and ACCESSOR for each user
# (run in a subshell with VAULT_TOKEN unset so the current token is not replaced)
(unset VAULT_TOKEN ; vault login -method=userpass username=user1 password=securedpassvalue11 | grep accessor )
(unset VAULT_TOKEN ; vault login -method=userpass username=user2 password=securedpassvalue22 | grep accessor )
(unset VAULT_TOKEN ; vault login -method=userpass username=user3 password=securedpassvalue33 | grep accessor )
# List the accessors whose token carries the "admins" policy and save them to a file
vault list -format json auth/token/accessors \
| jq --raw-output ".[]" \
| xargs -I{} vault token lookup -format json -accessor {} \
| jq --raw-output 'select(any(.data.policies[]; . == "admins")) | "Accessor=\(.data.accessor) Created_on=\(.data.creation_time|todate)"' > admins_accessors.txt
### Alternative command for creating users in a loop (commented out; uncomment to use)
# vault auth enable userpass && \
# for i in $(seq 10) ; do
# {
#   printf '\r%s %s' "$(date)" "$i"
#   # re-authenticate with the administrative token before creating the user
#   (vault login "$VAULT_TOKEN" ; vault write auth/userpass/users/user$i password=securedpassval$i$i token_policies=admins )
#   # log in as the new user to generate its token and accessor
#   (unset VAULT_TOKEN ; vault login -method=userpass username=user$i password=securedpassval$i$i | grep accessor )
# }
# done
# List the accessors and creation time
# [ $? -eq 0 ] && vault list -format json auth/token/accessors | \
# jq --raw-output ".[]" | \
# xargs -I{} vault token lookup -format json -accessor {} | \
# jq --raw-output 'select(any(.data.policies[]; . == "admins")) | "Accessor=\(.data.accessor) Created_on=\(.data.creation_time|todate)"' > admins_accessors.txt
The output should be similar to:
Accessor=6FFHI27e8Z2zTd9mMzE1Yd0f Created_on=2024-01-24T13:11:37Z
Accessor=vi7clQUNSerW8yiLdzk7K4xq Created_on=2024-01-24T13:11:36Z
Accessor=bTMUsOXrAyGQegjz9Fi3a72M Created_on=2024-01-24T13:11:37Z
Accessor=4h4qe6vz3izsGkVTh28bBJBl Created_on=2024-01-24T13:11:36Z
Accessor=XhFMRrH1DgQCH0wxMDXSJcEs Created_on=2024-01-24T13:11:38Z
Accessor=hJ52jEhtCbWQ5ijVFEYT9P5a Created_on=2024-01-24T13:11:34Z
Accessor=btimSJAwZziOQqtxTS70IIxr Created_on=2024-01-24T13:11:36Z
Accessor=IdNhjWQbnmpas2lclX4pnMVM Created_on=2024-01-24T13:11:35Z
Accessor=ZeEIuM2icaX2p79MEllkH2CQ Created_on=2024-01-24T13:11:35Z
Accessor=e1hww3wbuYCwWRu1lSJLPCe8 Created_on=2024-01-24T13:11:38Z
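As an added example that is not part of the original article, the following Python script applies the same correlation offline to constructed token-lookup documents of the shape `vault token lookup -format json` returns, matching the policy name exactly rather than as a substring and adding the extra fields mentioned in the Overview. The accessor values, paths and timestamps are made up; `parse_json_stream` lets the same logic consume the concatenated JSON that the xargs stage of the pipeline emits.

```python
import json
from datetime import datetime, timezone

# Constructed sample of what `vault token lookup -format json -accessor <X>` returns,
# trimmed to the fields used here. Accessors and timestamps are made up.
SAMPLE_LOOKUPS = [
    {"data": {"accessor": "acc-user1-example", "creation_time": 1706101897,
              "policies": ["admins", "default"], "path": "auth/userpass/login/user1",
              "display_name": "userpass-user1", "num_uses": 0, "orphan": False}},
    {"data": {"accessor": "acc-user2-example", "creation_time": 1706101896,
              "policies": ["superadmins", "default"], "path": "auth/userpass/login/user2",
              "display_name": "userpass-user2", "num_uses": 0, "orphan": False}},
    {"data": {"accessor": "acc-root-example", "creation_time": 1706101894,
              "policies": ["root"], "path": "auth/token/root",
              "display_name": "root", "num_uses": 0, "orphan": True}},
]

def parse_json_stream(text):
    """Split concatenated JSON documents, which is what the xargs stage of the
    pipeline emits when it runs `vault token lookup -format json` per accessor."""
    decoder, docs, pos = json.JSONDecoder(), [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        doc, pos = decoder.raw_decode(text, pos)
        docs.append(doc)
    return docs

def lookups_with_policy(lookups, policy):
    """Return .data of every token whose policy list contains `policy` exactly
    (so "superadmins" does not match "admins"), oldest token first."""
    hits = [doc["data"] for doc in lookups if policy in doc["data"].get("policies", [])]
    return sorted(hits, key=lambda d: d["creation_time"])

def format_row(data):
    """The script's 'Accessor=... Created_on=...' line, enriched with the extra
    token fields the Overview mentions (path, display_name, num_uses, orphan)."""
    created = datetime.fromtimestamp(data["creation_time"], tz=timezone.utc)
    return ("Accessor={accessor} Created_on={created} Path={path} "
            "Display_name={display_name} Num_uses={num_uses} Orphan={orphan}"
            ).format(created=created.strftime("%Y-%m-%dT%H:%M:%SZ"), **data)

def report(lookups, policy):
    """One output line per token carrying `policy`, in creation order."""
    return [format_row(d) for d in lookups_with_policy(lookups, policy)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOOKUPS, "admins")))
```

To use it against a live cluster, pipe the output of the `xargs -I{} vault token lookup -format json -accessor {}` stage into `parse_json_stream` and pass the result to `report`.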
Procedures
- Log in to Vault with a token or auth method that has elevated permissions, such as an administrator or root, and is capable of listing and looking up other tokens.
- Identify the policy that is the focus of your analysis and research.
- Execute the script snippet and generate the list of accessors and their creation time.