#!/usr/bin/bash
# Creates a Vault AWS secrets-engine role per tenant by exec-ing the `vault`
# CLI inside the Vault pod. RANDOM_STRING, AWS_REGION and ACCOUNT_ID are read
# but never set here — presumably provided by ~/.bash_profile or the caller
# (verify; no `set -u`, so an unset value silently expands to "").
source ~/.bash_profile

export VAULT_NS="vault"
# Exported for the local shell only: the in-pod `env` list below does not
# forward VAULT_ADDR, so the exec'd vault CLI relies on the pod's own settings.
export VAULT_ADDR="vault.${VAULT_NS}.svc.cluster.local:8200"

# Root token from Secrets Manager; `xargs` strips surrounding whitespace/quotes.
# NOTE(review): `export VAR=$(cmd)` hides a failing `aws` call — the script
# would continue with an empty token. Assign first, then export, and check $?.
export VAULT_TOKEN=$(aws secretsmanager get-secret-value \
  --secret-id VAULT_ROOT_TOKEN_${RANDOM_STRING} \
  --region ${AWS_REGION} \
  --query SecretString \
  | xargs)

# First pod carrying the Vault app label; index 0 is assumed to be the
# pod to target — TODO confirm this holds for multi-replica (HA) installs.
export VAULT_POD=$(kubectl -n ${VAULT_NS} get pods \
  --selector='app.kubernetes.io/name=vault' \
  -o jsonpath='{.items[0].metadata.name}')

TENANTS="tenanta tenantb"
# Unquoted $TENANTS is intentional: word-splitting yields one tenant per loop.
for TENANT in $TENANTS
do
  export TENANT
  export APPLICATION_NS=${TENANT}
  export VAULT_AGENT_ROLE=${TENANT}

  # NOTE(review): the root token travels on the argv of `env` inside the pod,
  # so it is readable from the pod's process list and is part of the exec
  # request itself (likely captured by API-server audit logging, if enabled).
  # A root token here is also broader than the single `aws/roles/*` write
  # requires; a scoped token would limit blast radius. Unquoted expansions
  # (VAULT_POD, VAULT_TOKEN, RANDOM_STRING) would also break on whitespace.
  # The loop body continues past this chunk: the policy_document heredoc,
  # the closing quote of the `sh -c` string, and `done` are not visible here.
  kubectl -n ${VAULT_NS} exec -i ${VAULT_POD} -c vault \
    -- env VAULT_TOKEN=$VAULT_TOKEN \
    RANDOM_STRING=$RANDOM_STRING \
    ACCOUNT_ID=${ACCOUNT_ID} \
    AWS_REGION=${AWS_REGION} \
    /bin/sh -c \
    "echo \"Creating Vault Role for ${TENANT}\"
    echo \"=================================\"
    vault write aws/roles/${TENANT} \
      role_arns=arn:aws:iam::${ACCOUNT_ID}:role/vault-role-${RANDOM_STRING} \
      credential_type=assumed_role \
      policy_document=-<