{"id":17132182,"url":"https://github.com/bitsofinfo/vault-token-issuer","last_synced_at":"2025-11-01T09:02:22.438Z","repository":{"id":48426856,"uuid":"218637587","full_name":"bitsofinfo/vault-token-issuer","owner":"bitsofinfo","description":"Simple REST API proxy and SPA for Hashicorp's Vault token auth method API(s), specifically create-orphan","archived":false,"fork":false,"pushed_at":"2021-10-25T19:46:25.000Z","size":1152,"stargazers_count":6,"open_issues_count":2,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-13T07:55:52.414Z","etag":null,"topics":["ci-cd","hashicorp-vault","proxy","security","token-based-authentication","vault"],"latest_commit_sha":null,"homepage":"https://bitsofinfo.wordpress.com/2019/12/02/orphan-token-hashicorp-vault/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitsofinfo.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-10-30T22:25:26.000Z","updated_at":"2023-12-18T19:18:04.000Z","dependencies_parsed_at":"2022-08-23T23:40:44.062Z","dependency_job_id":null,"html_url":"https://github.com/bitsofinfo/vault-token-issuer","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsofinfo%2Fvault-token-issuer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsofinfo%2Fvault-token-issuer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsofinfo%2Fvault-token-issuer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/bitsofinfo%2Fvault-token-issuer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitsofinfo","download_url":"https://codeload.github.com/bitsofinfo/vault-token-issuer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248681490,"owners_count":21144700,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","hashicorp-vault","proxy","security","token-based-authentication","vault"],"created_at":"2024-10-14T19:26:18.501Z","updated_at":"2025-11-01T09:02:17.400Z","avatar_url":"https://github.com/bitsofinfo.png","language":"Go","readme":"# vault-token-issuer\n\n[![Build Status](https://travis-ci.org/bitsofinfo/vault-token-issuer.svg?branch=master)](https://travis-ci.org/bitsofinfo/vault-token-issuer)\n\n\u003cimg src=\"docs/spa.png\" align=\"right\" height=\"450\"\u003e\n\nThis project provides a simplified proxy/facade for [Vault's /auth/token/create-orphan API](https://www.vaultproject.io/api/auth/token/index.html).\n\nThis is **not** a straight layer 7 passthrough proxy; rather, it exposes a simplified API to create orphan tokens under the authority of the identity specified in an `Authorization` header, whose contents can vary based on the `plugin` used when launching `vault-token-issuer`.\n\nIn addition to a simple REST API, it also provides a simple SPA, implemented with React, for creating orphan tokens.\n\nUse cases:\n\n* Continuous integration \u0026 delivery workflows that only need to generate use-case specific tokens \n* Limit direct/full exposure to Vault 
on a network\n* Provide a restricted gateway to Vault's `/auth/token/create-orphan` API\n\n## Basic example\n\n### Launch the `vault-token-issuer`\n```\nvault-token-issuer -vault-url [VAULT_URL] -vault-authenticator [PLUGIN ('ldap')]\n```\n\n### Make a POST to generate an orphan token:\n```\ncurl -X POST \\\n  https://\u003cvault-token-issuer-url\u003e/token/create-orphan \\\n  -H 'Authorization: Basic XXXXXX' \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"renewable\":true, \"period\":\"5m\", \"policies\": [\"my-policy1\", \"default\"]}'\n\n{\"code\":\"ok\",\"token\":\"XXXXXXXXXX\",\"msg\":\"renewable:true period:5m policies:[my-policy1 default]\"}\n```\n\n## How it works\n\n1) Caller sends a `POST` to `/token/create-orphan` with a JSON payload to `vault-token-issuer`\n   \n2) `vault-token-issuer` relays the request's `Authorization` header to be processed by the `-vault-authenticator` configured on bootup. The `VaultAuthenticator` implementation takes the auth info and then makes a request to the Vault backend (`-vault-url`) to get back a `token` for the identity represented in the `Authorization` header.\n\n3) The `token` returned from the previous step is then used to make a second call to the Vault backend's `/auth/token/create-orphan` endpoint using the payload data specified by the caller.\n\n4) Upon success of the previous call, the generated orphan token is returned to the caller in a response JSON payload.\n\n5) By default an SPA is available at `/ui` and a self-signed TLS cert is generated. See usage for options around both of these. Note the SPA React app is statically built into the binary via [vfsgen](https://github.com/shurcooL/vfsgen)\n\n## Usage\n\n```\nUsage of ./vault-token-issuer:\n  -enable-spa\n        Serve the SPA at /ui, default enabled (default true)\n  -listen-port int\n        Optional, port to listen on, default 8443 (default 8443)\n  -tls-cert-path string\n        Optional: path to a PEM encoded TLS certificate. 
If omitted a self-signed cert will be auto generated\n  -tls-key-path string\n        Optional, path to a PEM encoded TLS private key. If omitted a self-signed cert will be auto generated\n  -vault-authenticator string\n        The vault authenticator plugin to use: valid options: 'ldap'\n  -vault-url string\n        Vault url where token API calls will be made. i.e. http(s)://\u003cvault\u003e[:port]\n```\n\n## Building\n\nNote: also see [spa/README](spa/) to set up the SPA prior to building.\n\n```\ngo generate\ngo build\n```\n\n## SPA\n\nThe included GUI is implemented in React and available at `/ui` if enabled via `--enable-spa true|false`. More information is in the [SPA README](spa/).\n\n## Docker\n\n```\ndocker run -p 8443:8443 bitsofinfo/vault-token-issuer:latest \\\n      vault-token-issuer \\\n      -vault-url https://\u003cyourVaultFqdn\u003e \\\n      -vault-authenticator ldap \n```","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsofinfo%2Fvault-token-issuer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitsofinfo%2Fvault-token-issuer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsofinfo%2Fvault-token-issuer/lists"}