HMAC encoding and verification POC using HashiCorp Vault
Requires a HashiCorp Valut server
An admin token and the Vault server address are needed
export ADMIN_TOKEN=<Admin Token>
export VAULT_ADDR=<Vault Server Address with port (http://127.0.0.1:8200)>curl -H "X-Vault-Token: $ADMIN_TOKEN" -X POST -d '{ "type": "aes256-gcm96" }' $VAULT_ADDR/v1/transit/keys/DOUcurl -X POST -H "X-Vault-Token: $ADMIN_TOKEN" -d '{"type":"aws"}' $VAULT_ADDR/v1/sys/auth/awsConfigure credentials, create AWS key using sample policy here
export AWS_ACCESS_KEY=<AWS key>
export AWS_SECRET_KEY=<AWS secret>
curl -X POST -H "X-Vault-Token: $ADMIN_TOKEN" -d '{"access_key":"$AWS_ACCESS_KEY", "secret_key":"$AWS_SECRET_KEY"}' $VAULT_ADDR/v1/auth/aws/config/client cat << EOF > DOU-policy.hcl
{
"policy": "# Verify Hash\npath \"transit/verify/DOU/*\"\n{\n capabilities = [\"create\", \"update\"]\n}\n\n# HMAC Hash\npath \"transit/hmac/DOU/*\"\n{\n capabilities = [\"create\", \"update\"]\n}"
}
EOF
curl -X POST -H "X-Vault-Token: $ADMIN_TOKEN" -d @DOU-policy.hcl $VAULT_ADDR/v1/sys/policy/DOU-policyAWS_ACCOUNT=<AWS account>
cat << EOF > payload.json
{
"bound_account_id":"$AWS_ACCOUNT",
"auth_type":"ec2",
"policies":"DOU-policy"
}
EOF
curl -X POST -H "X-Vault-Token: $ADMIN_TOKEN" -d @payload.json $VAULT_ADDR/v1/auth/aws/role/DOU-roleexport VAULT_ADDR=<Vault Server Address with port (http://127.0.0.1:8200)>export AWS_TOKEN=$(./get_token.sh | jq -r ".auth.client_token")./generate.sh $USER $PASSWORD $PIN./verify.sh $USER $PASSWORD $PIN./delete_token.shexport VAULT_ADDR=<Vault Server Address with port (http://127.0.0.1:8200)>export AWS_TOKEN=$(./get_token.py)./generate.py $USER $PASSWORD $PIN./verify.py $USER $PASSWORD $PIN./delete_token.py