vault/enos/modules/verify_secrets_engines/scripts/ssh-verify-signed-key.sh

#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

set -e

fail() {
  echo "$1" 1>&2
  exit 1
}

[[ -z "$ROLE_NAME" ]] && fail "ROLE_NAME env variable has not been set"
[[ -z "$PUBLIC_KEY_PATH" ]] && fail "PUBLIC_KEY_PATH env variable has not been set"
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"

binpath=${VAULT_INSTALL_DIR}/vault
test -x "$binpath" || fail "unable to locate vault binary at $binpath"

export VAULT_FORMAT=json
if ! signed_key_output=$("$binpath" write -field=signed_key ssh/sign/"$ROLE_NAME" public_key=@"$PUBLIC_KEY_PATH" 2>&1); then
  fail "failed to sign SSH key: $signed_key_output"
fi

echo "Signed SSH key obtained successfully."