Octopus.Script exported 2022-09-18 by harrisonmeister belongs to ‘HashiCorp Vault’ category.
This step combines two Vault operations into one:
- It retrieves (and unwraps) a Secret ID for an AppRole using a wrapped auth token from a HashiCorp Vault server.
- It logs into the HashiCorp Vault server using a supplied Role ID and the unwrapped Secret ID.
The client_token from the login response will be made available as a sensitive Output variable named AppRoleAuthToken for use in other step templates.
This step template makes use of the Rest API, so no other dependencies are needed.
Required:
- The Vault server must be unsealed.
- The full path where the AppRole auth method is mounted.
- The RoleID of the AppRole.
- The wrapped auth token used to retrieve the unwrapped Secret ID.
Optional
- The creation path of the wrapped token. If this parameter value is provided, the step template will perform a wrapping lookup to validate no malfeasance has occurred.
- A Vault namespace to use. Nested namespaces can also be supplied, e.g.
ns1/ns2. Note: This field is only supported on Vault Enterprise .
Notes:
- Tested on Vault Server
1.11.3. - Tested on both PowerShell Desktop and PowerShell Core.
- See the HashiCorp AppRole patterns documentation for further information.
Parameters
When steps based on the template are included in a project’s deployment process, the parameters below can be set.
Vault Server URL
Vault.AppRole.UnwrapSecretID.Login.VaultAddress =
The URL of the Vault instance you are connecting to. Port should be included (The default is 8200). For example:
https://myvault.local:8200/
API version
Vault.AppRole.UnwrapSecretID.Login.ApiVersion = v1
All API routes are prefixed with a version e.g. /v1/.
See the API documentation for further details.
Namespace (Optional)
Vault.AppRole.UnwrapSecretID.Login.Namespace =
The optional namespace to use. Nested namespaces can also be supplied, e.g. ns1/ns2.
Note: This field is only supported on Vault Enterprise .
App Role Path
Vault.AppRole.UnwrapSecretID.Login.AppRolePath =
The path where the approle auth method was mounted. The default path is /auth/approle. If the AppRole auth method was mounted at a different path, for example my-path, then specify /my-path instead.
Wrapped Token
Vault.AppRole.UnwrapSecretID.Login.WrappedToken =
This is the wrapped token used to retrieve the actual Secret ID from Vault.
Token Creation Path
Vault.AppRole.UnwrapSecretID.Login.WrappedTokenCreationPath =
Optional - the creation path of the wrapped token. If this parameter value is provided, the step template will perform a wrapping lookup to validate no malfeasance has occurred.
Script body
Steps based on this template will execute the following PowerShell script.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Variables
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS = $OctopusParameters["Vault.AppRole.UnwrapSecretID.Login.VaultAddress"]
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION = $OctopusParameters["Vault.AppRole.UnwrapSecretID.Login.ApiVersion"]
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE = $OctopusParameters["Vault.AppRole.UnwrapSecretID.Login.Namespace"]
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH = $OctopusParameters["Vault.AppRole.UnwrapSecretID.Login.AppRolePath"]
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID = $OctopusParameters["Vault.AppRole.UnwrapSecretID.Login.RoleID"]
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN = $OctopusParameters["Vault.AppRole.UnwrapSecretID.Login.WrappedToken"]
# Optional Variables
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN_CREATION_PATH = $OctopusParameters["Vault.AppRole.UnwrapSecretID.Login.WrappedTokenCreationPath"]
# Validation
if ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS)) {
throw "Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS not specified"
}
if ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION)) {
throw "Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION not specified"
}
if ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH)) {
throw "Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH not specified"
}
if ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID)) {
throw "Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID not specified"
}
if ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN)) {
throw "Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN not specified"
}
# Helper functions
###############################################################################
function Get-WebRequestErrorBody {
param (
$RequestError
)
# Powershell < 6 you can read the Exception
if ($PSVersionTable.PSVersion.Major -lt 6) {
if ($RequestError.Exception.Response) {
$reader = New-Object System.IO.StreamReader($RequestError.Exception.Response.GetResponseStream())
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$rawResponse = $reader.ReadToEnd()
$response = ""
try { $response = $rawResponse | ConvertFrom-Json } catch { $response = $rawResponse }
return $response
}
}
else {
return $RequestError.ErrorDetails.Message
}
}
###############################################################################
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS.TrimEnd('/')
$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH.TrimStart('/').TrimEnd('/')
# Local variables
$StepName = $OctopusParameters["Octopus.Step.Name"]
try {
Write-Verbose "X-Vault-Namespace header: $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE"
# Should we validate lookup token's creation path?
if (![string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN_CREATION_PATH)) {
$uri = "$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS/$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION/sys/wrapping/lookup"
$payload = @{
token = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN
}
$Headers = @{}
if (-not [string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)) {
$Headers.Add("X-Vault-Namespace", $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)
}
Write-Verbose "Making Post request to $uri"
$response = Invoke-RestMethod -Uri $uri -Method Post -Body ($payload | ConvertTo-Json -Depth 10) -Headers $Headers
if ($null -ne $response) {
Write-Verbose "Validating Wrapped token creation path."
$Lookup_CreationPath = $response.data.creation_path
if ($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN_CREATION_PATH -ne $Lookup_CreationPath) {
throw "Supplied Wrapped token creation path failed lookup validation. Check the creation path value and retry."
}
}
else {
Write-Error "Null or Empty response returned from Vault server lookup" -Category InvalidResult
}
}
# Call to unwrap secret id from wrapped token.
$Headers = @{
"X-Vault-Token" = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN
}
if (-not [string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)) {
$Headers.Add("X-Vault-Namespace", $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)
}
$uri = "$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS/$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION/sys/wrapping/unwrap"
Write-Verbose "Making Post request to $uri"
$response = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Post
if ($null -ne $response) {
$payload = @{
role_id = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID
secret_id = $response.data.secret_id
}
$Headers = @{}
if (-not [string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)) {
$Headers.Add("X-Vault-Namespace", $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)
}
$uri = "$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS/$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION/$([uri]::EscapeDataString($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH))/login"
Write-Verbose "Making Post request to $uri"
$login_response = Invoke-RestMethod -Method Post -Uri $uri -Body ($payload | ConvertTo-Json -Depth 10) -Headers $Headers
if ($null -ne $login_response) {
Set-OctopusVariable -Name "AppRoleAuthToken" -Value $login_response.auth.client_token -Sensitive
Write-Host "Created output variable: ##{Octopus.Action[$StepName].Output.AppRoleAuthToken}"
}
else {
Write-Error "Null or Empty response returned from Vault server" -Category InvalidResult
}
}
else {
throw "Null or Empty response returned from Vault server unwrap"
}
}
catch {
$ExceptionMessage = $_.Exception.Message
$ErrorBody = Get-WebRequestErrorBody -RequestError $_
$Message = "An error occurred unwrapping secretid: $ExceptionMessage"
$AdditionalDetail = ""
if (![string]::IsNullOrWhiteSpace($ErrorBody)) {
if ($null -ne $ErrorBody.errors) {
$AdditionalDetail = $ErrorBody.errors -Join ","
}
else {
$errorDetails = $null
try { $errorDetails = ConvertFrom-Json $ErrorBody } catch {}
$AdditionalDetail += if ($null -ne $errorDetails) { $errorDetails.errors -Join "," } else { $ErrorBody }
}
}
if (![string]::IsNullOrWhiteSpace($AdditionalDetail)) {
$Message += "`n`tDetail: $AdditionalDetail"
}
Write-Error $Message -Category ConnectionError
}
Provided under the Apache License version 2.0.
To use this template in Octopus Deploy, copy the JSON below and paste it into the Library → Step templates → Import dialog.
{
"Id": "aa113393-e615-40ed-9c5a-f95f471d728f",
"Name": "HashiCorp Vault - AppRole Unwrap Secret ID and Login",
"Description": "This step combines two Vault operations into one:\n1. It retrieves (and unwraps) a Secret ID for an [AppRole](https://www.vaultproject.io/docs/auth/approle) using a wrapped auth token from a HashiCorp Vault server.\n2. It logs into the HashiCorp Vault server using a supplied Role ID and the unwrapped Secret ID.\n\nThe `client_token` from the login response will be made available as a sensitive [Output variable](https://octopus.com/docs/projects/variables/output-variables#sensitive-output-variables) named `AppRoleAuthToken` for use in other step templates.\n\nThis step template makes use of the [Rest API](https://www.vaultproject.io/api-docs/auth/approle#login-with-approle), so no other dependencies are needed. \n\n---\n\n**Required:** \n- The Vault server must be [unsealed](https://www.vaultproject.io/docs/concepts/seal).\n- The full path where the AppRole auth method is mounted.\n- The [RoleID](https://www.vaultproject.io/docs/auth/approle#roleid) of the AppRole.\n- The wrapped [auth token](https://www.vaultproject.io/docs/auth/token) used to retrieve the unwrapped Secret ID. \n\n---\n\n*Optional*\n- The creation path of the wrapped token. If this parameter value is provided, the step template will perform a [wrapping lookup](https://www.vaultproject.io/api-docs/system/wrapping-lookup) to [validate no malfeasance](https://www.vaultproject.io/docs/concepts/response-wrapping#response-wrapping-token-validation) has occurred.\n- A Vault [namespace](https://www.vaultproject.io/docs/enterprise/namespaces) to use. Nested namespaces can also be supplied, e.g. `ns1/ns2`. **Note:** This field is only supported on [Vault Enterprise](https://www.hashicorp.com/products/vault) .\n\n---\n\nNotes:\n\n\n- Tested on Vault Server `1.11.3`.\n- Tested on both PowerShell Desktop and PowerShell Core.\n- See the HashiCorp [AppRole patterns documentation](https://learn.hashicorp.com/tutorials/vault/pattern-approle?in=vault/recommended-patterns#vault-returns-a-token) for further information.\n",
"Version": 5,
"ExportedAt": "2022-09-18T09:07:46.536Z",
"ActionType": "Octopus.Script",
"Author": "harrisonmeister",
"Packages": [],
"Parameters": [
{
"Id": "a0078913-4e0b-4b01-b8eb-f410138951e8",
"Name": "Vault.AppRole.UnwrapSecretID.Login.VaultAddress",
"Label": "Vault Server URL",
"HelpText": "The URL of the Vault instance you are connecting to. Port should be included (The default is `8200`). For example:\n\n\n`https://myvault.local:8200/`",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
}
},
{
"Id": "6b441222-26f8-4e68-bb96-fdabd0ebcc59",
"Name": "Vault.AppRole.UnwrapSecretID.Login.ApiVersion",
"Label": "API version",
"HelpText": "All API routes are prefixed with a version e.g. `/v1/`.\n\nSee the [API documentation](https://www.vaultproject.io/api-docs) for further details.",
"DefaultValue": "v1",
"DisplaySettings": {
"Octopus.ControlType": "Select",
"Octopus.SelectOptions": "v1|v1"
}
},
{
"Id": "f973d44c-4840-4559-9331-6b2d91c130f3",
"Name": "Vault.AppRole.UnwrapSecretID.Login.Namespace",
"Label": "Namespace (Optional)",
"HelpText": "The _optional_ [namespace](https://www.vaultproject.io/docs/enterprise/namespaces) to use. Nested namespaces can also be supplied, e.g. `ns1/ns2`.\n\n**Note:** This field is only supported on [Vault Enterprise](https://www.hashicorp.com/products/vault) .",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
}
},
{
"Id": "6fd4b775-5b97-43c7-bc53-5dc3e2353287",
"Name": "Vault.AppRole.UnwrapSecretID.Login.AppRolePath",
"Label": "App Role Path",
"HelpText": "The path where the approle auth method was mounted. The default path is `/auth/approle`. If the AppRole auth method was mounted at a different path, for example `my-path`, then specify `/my-path` instead.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
}
},
{
"Id": "a8c0824c-3e1a-4014-8060-96a703d52365",
"Name": "Vault.AppRole.UnwrapSecretID.Login.RoleID",
"Label": "Role ID",
"HelpText": "The [RoleID](https://www.vaultproject.io/docs/auth/approle#roleid) of the AppRole.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "Sensitive"
}
},
{
"Id": "8ba05c24-215f-4ca0-9edc-bca38c43d7b5",
"Name": "Vault.AppRole.UnwrapSecretID.Login.WrappedToken",
"Label": "Wrapped Token",
"HelpText": "This is the wrapped token used to retrieve the actual Secret ID from Vault.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "Sensitive"
}
},
{
"Id": "3d94ac28-e7b6-4da2-8ff4-af506d5ded95",
"Name": "Vault.AppRole.UnwrapSecretID.Login.WrappedTokenCreationPath",
"Label": "Token Creation Path",
"HelpText": "*Optional* - the creation path of the wrapped token. If this parameter value is provided, the step template will perform a [wrapping lookup](https://www.vaultproject.io/api-docs/system/wrapping-lookup) to [validate no malfeasance](https://www.vaultproject.io/docs/concepts/response-wrapping#response-wrapping-token-validation) has occurred.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
}
}
],
"Properties": {
"Octopus.Action.Script.ScriptSource": "Inline",
"Octopus.Action.Script.Syntax": "PowerShell",
"Octopus.Action.Script.ScriptBody": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n\n# Variables\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS = $OctopusParameters[\"Vault.AppRole.UnwrapSecretID.Login.VaultAddress\"]\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION = $OctopusParameters[\"Vault.AppRole.UnwrapSecretID.Login.ApiVersion\"]\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE = $OctopusParameters[\"Vault.AppRole.UnwrapSecretID.Login.Namespace\"]\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH = $OctopusParameters[\"Vault.AppRole.UnwrapSecretID.Login.AppRolePath\"]\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID = $OctopusParameters[\"Vault.AppRole.UnwrapSecretID.Login.RoleID\"]\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN = $OctopusParameters[\"Vault.AppRole.UnwrapSecretID.Login.WrappedToken\"]\n\n# Optional Variables\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN_CREATION_PATH = $OctopusParameters[\"Vault.AppRole.UnwrapSecretID.Login.WrappedTokenCreationPath\"]\n\n# Validation\nif ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS)) {\n throw \"Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS not specified\"\n}\nif ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION)) {\n throw \"Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION not specified\"\n}\nif ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH)) {\n throw \"Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH not specified\"\n}\nif ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID)) {\n throw \"Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID not specified\"\n}\nif ([string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN)) {\n throw \"Required parameter VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN not specified\"\n}\n\n# Helper functions\n###############################################################################\nfunction Get-WebRequestErrorBody {\n param (\n $RequestError\n )\n\n # Powershell < 6 you can read the Exception\n if ($PSVersionTable.PSVersion.Major -lt 6) {\n if ($RequestError.Exception.Response) {\n $reader = New-Object System.IO.StreamReader($RequestError.Exception.Response.GetResponseStream())\n $reader.BaseStream.Position = 0\n $reader.DiscardBufferedData()\n $rawResponse = $reader.ReadToEnd()\n $response = \"\"\n try { $response = $rawResponse | ConvertFrom-Json } catch { $response = $rawResponse }\n return $response\n }\n }\n else {\n return $RequestError.ErrorDetails.Message\n }\n}\n###############################################################################\n\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS.TrimEnd('/')\n$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH.TrimStart('/').TrimEnd('/')\n\n# Local variables\n$StepName = $OctopusParameters[\"Octopus.Step.Name\"]\n\ntry {\n \n Write-Verbose \"X-Vault-Namespace header: $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE\"\n \n # Should we validate lookup token's creation path?\n if (![string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN_CREATION_PATH)) {\n $uri = \"$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS/$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION/sys/wrapping/lookup\" \n $payload = @{\n token = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN\n }\n\n $Headers = @{}\n if (-not [string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)) {\n $Headers.Add(\"X-Vault-Namespace\", $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)\n }\n\n Write-Verbose \"Making Post request to $uri\"\n $response = Invoke-RestMethod -Uri $uri -Method Post -Body ($payload | ConvertTo-Json -Depth 10) -Headers $Headers\n\n if ($null -ne $response) {\n Write-Verbose \"Validating Wrapped token creation path.\"\n $Lookup_CreationPath = $response.data.creation_path\n if ($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN_CREATION_PATH -ne $Lookup_CreationPath) {\n throw \"Supplied Wrapped token creation path failed lookup validation. Check the creation path value and retry.\"\n }\n }\n else {\n Write-Error \"Null or Empty response returned from Vault server lookup\" -Category InvalidResult\n }\n }\n\n # Call to unwrap secret id from wrapped token.\n $Headers = @{\n \"X-Vault-Token\" = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_TOKEN\n }\n \n if (-not [string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)) {\n $Headers.Add(\"X-Vault-Namespace\", $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)\n }\n \n $uri = \"$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS/$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION/sys/wrapping/unwrap\"\n Write-Verbose \"Making Post request to $uri\"\n $response = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Post\n \n if ($null -ne $response) {\n\n $payload = @{\n role_id = $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ROLEID\n secret_id = $response.data.secret_id\n }\n\n $Headers = @{}\n if (-not [string]::IsNullOrWhiteSpace($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)) {\n $Headers.Add(\"X-Vault-Namespace\", $VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_NAMESPACE)\n }\n\n $uri = \"$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_ADDRESS/$VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_API_VERSION/$([uri]::EscapeDataString($VAULT_APPROLE_UNWRAP_SECRETID_LOGIN_APPROLE_PATH))/login\"\n Write-Verbose \"Making Post request to $uri\"\n $login_response = Invoke-RestMethod -Method Post -Uri $uri -Body ($payload | ConvertTo-Json -Depth 10) -Headers $Headers\n \n if ($null -ne $login_response) {\n Set-OctopusVariable -Name \"AppRoleAuthToken\" -Value $login_response.auth.client_token -Sensitive\n Write-Host \"Created output variable: ##{Octopus.Action[$StepName].Output.AppRoleAuthToken}\"\n }\n else {\n Write-Error \"Null or Empty response returned from Vault server\" -Category InvalidResult\n }\n }\n else {\n throw \"Null or Empty response returned from Vault server unwrap\"\n }\n}\ncatch {\n $ExceptionMessage = $_.Exception.Message\n $ErrorBody = Get-WebRequestErrorBody -RequestError $_\n $Message = \"An error occurred unwrapping secretid: $ExceptionMessage\"\n $AdditionalDetail = \"\"\n if (![string]::IsNullOrWhiteSpace($ErrorBody)) {\n if ($null -ne $ErrorBody.errors) {\n $AdditionalDetail = $ErrorBody.errors -Join \",\" \n }\n else {\n $errorDetails = $null\n try { $errorDetails = ConvertFrom-Json $ErrorBody } catch {}\n $AdditionalDetail += if ($null -ne $errorDetails) { $errorDetails.errors -Join \",\" } else { $ErrorBody } \n }\n }\n \n if (![string]::IsNullOrWhiteSpace($AdditionalDetail)) {\n $Message += \"`n`tDetail: $AdditionalDetail\"\n }\n\n Write-Error $Message -Category ConnectionError\n}"
},
"Category": "HashiCorp Vault",
"HistoryUrl": "https://github.com/OctopusDeploy/Library/commits/master/step-templates//opt/buildagent/work/75443764cd38076d/step-templates/hashicorp-vault-approle-unwrap-secretid-login.json",
"Website": "/step-templates/aa113393-e615-40ed-9c5a-f95f471d728f",
"Logo": "iVBORw0KGgoAAAANSUhEUgAAAMoAAADKCAIAAABrB0j/AAABg2lDQ1BJQ0MgcHJvZmlsZQAAKJF9kT1Iw0AcxV/TakUqHewg4pChOlkQFXHUKhShQqgVWnUwufQLmhiSFBdHwbXg4Mdi1cHFWVcHV0EQ/ABxc3NSdJES/5cUWsR4cNyPd/ced+8AoVFlmhUaAzTdNjOppJjLr4jhV4TQjQiiEGVmGbOSlIbv+LpHgK93CZ7lf+7P0acWLAYEROIZZpg28Trx1KZtcN4njrGyrBKfE4+adEHiR64rHr9xLrks8MyYmc3MEceIxVIHKx3MyqZGPEkcVzWd8oWcxyrnLc5atcZa9+QvjBT05SWu0xxCCgtYhAQRCmqooAobCVp1UixkaD/p4x90/RK5FHJVwMgxjw1okF0/+B/87tYqTox7SZEk0PXiOB/DQHgXaNYd5/vYcZonQPAZuNLb/o0GMP1Jer2txY+A6DZwcd3WlD3gcgcYeDJkU3alIE2hWATez+ib8kD/LdC76vXW2sfpA5ClrtI3wMEhMFKi7DWfd/d09vbvmVZ/PxjpcoO2DG3OAAAACXBIWXMAAC4jAAAuIwF4pT92AAAAB3RJTUUH5QQGDBAAGW4yuAAAABl0RVh0Q29tbWVudABDcmVhdGVkIHdpdGggR0lNUFeBDhcAAAlJSURBVHja7Z3RWerMGkbDef57YgVkV0A6SKxAOiBWsGMFxAq0A7ECoYIMFRgqIFZgqCD/xZxnTs5AEJUBZma9F/shiGwIizVfvpnEQdu2ASFm8h92AQEvAl6EgBcBLwJehIAXAS8CXoSAFwEvAl6EgBcBLwJehIAXAS8CXoSAFwEvQsCLgBcBL0LAi4AXAS9CwIuAFwEvQn6ef6789S0Wi6qq+Jz2Jo7jyWQCXj9PGIaPj4+QtDdlWV77S2yvPkmSQNJukiS5/s/OArws+I5eSF3ghcD8VZc1eCEwG9VlDV4IzEZ12YQXArNOXTbhhcCsU5dleCEwu9RlGV4IzC512YeX5wKzS1324eWzwKxTl5V4eSsw69RlJV5+CsxGddmKl4cCs1FdtuLlm8AsVZfFeHklMEvVZTFe/gjMXnW1bTtorf1zoUKI29vbk3+W3c2qqrbbbRAE4/E4DEN1f9M06/U6CILRaBRF0e79p1VXmqa2fjlam3NygfU9vzY8qaF5NpsZHbKtVlfbtnafKVQUhdsjo+1v0G680jR1uAJLksTiYdEBvNwWmANvzXq8XBWYA+qyvrSXeXl5oddFY8Jgoij6+PhwSV1CCAfeiCPXmHCsAnPn7bSuZDQaudH3sr3X5U7fy8lvvEsmdgevLMtOIjAOGMHL2e+9Y0WkU3jZLjDH1BUEgSONCZX5fH5/f/+bD7i7eeYVE3YvjvABr8DaHpgzvS5nB0eryxcnJ08dtNdvBKY1rvI8l4Pd09NTHMfdQfPh4UEOms/Pz91f+dkKRyfVFQQOtVVPMgv53bbqbgv0x1WXkx+Emxcet+sQ0r0DRpdrL+tKGYeXrDmLly0Cc1hdwfVf1/6XVvhuD0yrr5umUbV893612TTNL0tyt08XcPPI8feHkGdTl5sHjM4Pjla4wfkznRy316kE1jcphLq+SOt6TrISv6/v9Zu8v787v/Pd/4N713kIOZ1Ou9MA1F5UYFRd4GWDwKbTaXcZD3ghMNTFkaP5Q8iTqGs+n3uyzz36W9pX4gx/1OUXXtdQgflTdXmH1zWYwyt1eYfXZQXmm7q8w+uy/vBNXT7idSmBeaguH/G6lEU8VJeneJ1fYH6qy1O8zu8SP9XlL17nFJi36vIXr3MaxVt1eY3XeQTms7q8xus8XvFZXb7jZVpgnqvLd7xM28VzdYGXQYGhLvAy6BjUBV6mBIa6wMugaVAXeJkSGOoCL4O+QV3gZUpgqAu8DFoHdYGXKYGhLvAy6B7UBV6mBIa6wMuggVAXeJkSGOoCL4MeQl3gZUpgqAu8DNoIdYGXKYGhLvAyKDDUBV6mBIa6wMugwFAXeJkSGOoCL4MCQ13gZUpgqAu8DAoMdYGXKYGhLvAyKDDUBV6mBIa6wMugwFAXeJ0+k8lkOByirm/lH3bBkQnDsCiKyWTCrjg+Hv1FNMLgSMCLEPAi4EXAixDwIuB1stR1LYSQt4UQdV33PbJpmqqquptCiKZp5JN0f0ROnNbazGYz9fqDIJjNZn2PLMsyCIKyLLXNu7s7tR82m01LTh2nuvZVVS0WiyAIJpNJHMfz+byu6zAM4ziWP62qKsuyMAyTJAnDcLlcjkaj5+fnMAyjKFKPz7KsqiqpwyiK5J3yd5kR8stes9mseyNJkiAIhsOhVNR4PE6SRN6WUZua0l5eXuQvBkEwnU7lc8qnDYJALpe4u7tDSN+K9aW9EEJVYEVR5Hk+Ho+32616QJZl8sbb29tsNlutVn2VnPx3PB7L26PRaLPZqJ8mSSLLNeLRkWMXrzzPsyyTEKRpKoV0f38vi/cwDHd/fT6f90ETRVF3KIQtGhP/40AIURSF9NBesKSfXl9fb25uBoOBfMzNzc16vd4tsKIoWq/Xfc9D+mJxaZ9lWZqm8nZZllI2cRxLOGSpLoRI01TeKf+Vm2VZxnEsDwXqupZ3xnEshIiiKMuyuq67a2+KomiaRo2z5MiwIOeLFEXx+PjIXgIvU81bqTd2BXhZw2scxz5Ucsw5nil5nsdxPBgM/vz5c3t768lMlMV4PT8/Dzo5RgZN0wz+P6qpYTpVVa3XaxoT1kQ7q2K73X7Jipwy6ubaiiohhEtisxivKIrG4/FhenY/vO5md0r7gqmqKk3TMAwHg8Ht7W2e5+B1FdHc8117XclZZU3TrFar7kQWeF1FtD7ner0+sOpLCKF9hLQbwOtQ4jiWaxyOEZimrvF4zOoa07F+vddkMnl9fe0y1Dd1o5GnjYxVVWmT1mqhGPl5bF9R9Pb2dsw7UktrVN7f39u2nU6n2vFBN/KiEp+fn9rCV5UkSXb/r72vRy5EUynLUnuqvhxYhct6r3NX933Hj5q6hsOhWsJ6oB213W5fX1/lgtULFgDUXhdLGIZaf2Fv+dV3zHhM+bXdbi/YLLB67siFSSFNYMfYS+HVdYNcOZ0kiXa4EATBcrlkOaGPtdfeuko77We3PlPl1GazKcuyW12pGkuDTK7KP2Ht9a16jtrrYomiSLu0riaw3Wa9GnHkAsPdAShNU+3Q8oLlF4Pj5dsTB3jSaDuym6qVZeAFXntKpbquPz4+DjyYmIsjp9GmaTocDrtzPkIIidGXzfqmaRaLhTzJFl2BV6/AtPa9xEsbKLWRUa5WcHI6mcHRYHtCUbVcLrv3d6eMmqaBLfD6Sfn18fGhLjmhopr1CkHYAq+jIi9Mogns8AIvrdiaTqe717Ag4LWfnsVicXiVhJYfnCWrtfKFEJxq62ZpL+l5eHhQm7tXKznc8eoeKmpXnFPRjjrX63VRFPL07sVioXVAfhaXZp+cwku27/s+426zXo2n3c08z6uqCsNQCNF3IZ3dKfDHx8fTvgt5kYsoilarVZIkZzuXyUgcu6DU379/+97p09PTl5OVB6LWXR1YH3ZgDx+Yc/z8/HT1A3LtNNoD1dXuj6Io+sHJQl82/b/LXxiGB74Vdo+V7l0Rb3c5jfzI9z748/NT84oaScuy7M6Ud1eNTqfTvf/F09PTZrPRbPSlveTL6ANdrqq1NFxj4r8dCnWtaHkxpi8X8ammmlySf5JrRshrXatrusrVHFbvWPAi9L0IeBECXgS8CHgRAl4EvAh4EQJeBLwIeBECXgS8CHgRAl4EvAh4sQsIeBHwIgS8CHgR8CIEvAh4EfAiBLwIeBHwIgS8yHXmXx0374OBQOzlAAAAAElFTkSuQmCC",
"$Meta": {
"Type": "ActionTemplate"
}
}
Page updated on Sunday, September 18, 2022