To complete this example you need to have a Vault instance available and unsealed. You will also need the following environment variables set:

```shell
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=x.abcdefghijk1234567
```

- Enable the transit engine:

  ```shell
  vault secrets enable transit
  ```

- Create the signing key:

  ```shell
  vault write -f transit/keys/jwt type=rsa-4096 exportable=true
  ```
This Python example uses the HVAC client for Vault and the JWCrypto library for generating a JWT.

- Install the Python dependencies:

  ```shell
  pip install jwcrypto hvac
  ```

- Generate a token with `gen-jwt.py`:

  ```shell
  ./gen-jwt.py
  ```

  This will output the JWT and write it to the file `token.jwt`.

- Verify the token with `check-jwt.py`:

  ```shell
  ./check-jwt.py
  ```

  This reads the token from the file `token.jwt` written in the previous step and outputs the `info` claim.

  Example:

  ```shell
  $ ./check-jwt.py
  {"info":"Token signed at: 18/05/2021 15:36:22"}
  ```
To see verification fail for a key that Vault does not hold:

- Create a `priv.pem` file with your private key in PEM format.

- Generate a token with `gen-jwt.py`:

  ```shell
  ./gen-jwt.py
  ```

  This will output the JWT and write it to the file `token.jwt`.

- Verify the token with `check-jwt.py`:

  ```shell
  ./check-jwt.py
  ```

  Since the provided private key doesn't come from Vault, the JWT verification will fail.

  Example:

  ```shell
  $ ./check-jwt.py
  Not signed by key version: 1
  Not signed by key version: 2
  Not signed by key version: 3
  Not signed by key version: 4
  Not signed by key version: 5
  Token not signed by any key
  ```
The private key for signing can be rotated with the `rotate-key.py` script:

```shell
$ ./rotate-key.py
```

By default the script uses the latest version of the signing key. This can be adjusted by setting the `KEY_VER` environment variable:

```shell
export KEY_VER=5
```