Setting Up Universal Identity for Windows Machines

To use Universal Identity tokens on a Windows machine, you need to set the machine up to obtain a starter token and then renew (rotate) it on a schedule, so that a valid token is always present in the token file.

  1. On the Windows machine, create the following PowerShell script and save it as akeyless_universal_identity_token_rotator.ps1. The script keeps the token in $HOME, the home directory of the user under whose account the rotation task runs (for example C:\Users\Administrator); change $base_dir if the token file should live elsewhere.
# akeyless_universal_identity_token_rotator.ps1
# Exchanges the current Universal Identity token for a fresh one and writes it back to the
# token file. Runs unattended from the scheduled task created by the init script.

$base_dir   = "$HOME" # replace with the home directory of the user the task runs as
$proxy_url  = "https://rest.akeyless-security.com/"
$token_file = "$base_dir/.vault-token"

if (-not (Test-Path $token_file)) {
    Write-Host "Error! token file not found: $token_file"
    exit 1
}
$cur_token = (Get-Content -Path $token_file -Raw).Trim()

# Call curl.exe explicitly: in PowerShell, bare "curl" is an alias for Invoke-WebRequest.
# The token travels in the POST body, not the URL, so it does not end up in access logs.
$curl_output = (curl.exe -s -d "cmd=rotate-token&token=$cur_token" $proxy_url)
$res = $curl_output | Select-String 'ROTATED TOKEN:' | Out-String

# Pick out the token that follows "ROTATED TOKEN:", with or without surrounding [ ] and quotes.
$token = ''
if ($res -match 'ROTATED TOKEN:\s*\[?\s*([^\]\s"]+)') {
    $token = $Matches[1]
}

if ([string]::IsNullOrEmpty($token)) {
    # Leave the existing token file untouched so the next scheduled run can retry.
    Write-Host "Error! empty token"
    exit 1
} else {
    $token | Out-File $token_file
    Write-Host "Token rotated; new token written to $token_file"
}
  2. Set up a recurring scheduled task using the following settings:
  3. Create the following PowerShell script, and save it as akeyless_init_universal_identity.ps1 in the same folder as the other script:
# akeyless_init_universal_identity.ps1
# Obtains the starter Universal Identity token with an Access ID / Access Key pair and
# registers a scheduled task that runs the rotator script every minute.

Param(
    # Access ID of the Akeyless Universal Identity auth method
    [Parameter(Mandatory = $true)]
    [string]
    $AccessID,

    # Access Key. A mandatory [securestring] parameter is prompted for with masked input
    # when it is omitted on the command line, so no default value is needed.
    [Parameter(Mandatory = $true)]
    [securestring]
    $AccessKey
)

$proxy_url       = "https://rest.akeyless-security.com/"
$sched_task_name = "akeyless_universal_identity_rotator"
$token_file      = "$HOME/.vault-token"

# 3072 = Tls12. Older .NET Framework defaults (SSL3/TLS 1.0) are refused by the endpoint.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# A SecureString placed directly in the form body is serialized as the literal text
# "System.Security.SecureString", so the request would fail. Decrypt it to a plain
# string for the duration of the request only.
$plainKey = (New-Object System.Net.NetworkCredential('', $AccessKey)).Password
$body = @{
    cmd          = 'configure'
    'access-id'  = $AccessID
    'access-key' = $plainKey
}

try {
    $token = (Invoke-RestMethod -Method Post -Uri $proxy_url -Body $body -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop).token
} catch {
    Write-Host "Error! configure request failed: $($_.Exception.Message)"
    exit 1
} finally {
    $body.Clear() # drop the plaintext key from memory as soon as the request is done
    $plainKey = $null
}

if ([string]::IsNullOrEmpty($token)) {
    Write-Host "Error! empty token"
    exit 1
}

Write-Host "Starter token received"
$token | Out-File $token_file

# Register the rotator. $PSScriptRoot is the folder this script was started from, so both
# scripts must be saved together. The path is quoted (\" is what Windows PowerShell needs
# to hand a literal quote to schtasks) in case it contains spaces.
$script_name = "akeyless_universal_identity_token_rotator.ps1"
$script_path = Join-Path $PSScriptRoot $script_name
$task_to_run = "powershell -NonInteractive -File \`"${script_path}\`""

# If the scheduled task already exists, delete it first
if (schtasks /query | Select-String $sched_task_name -Quiet)
{
    schtasks /delete /tn $sched_task_name /f
}
# Run the rotator every minute as the current user. /it registers an interactive task,
# which runs only while that user is logged on.
schtasks /create /sc MINUTE /tn $sched_task_name /tr $task_to_run /it /mo 1
# To rotate regardless of logon state, run the task as SYSTEM instead. SYSTEM's $HOME is
# not this user's profile, so $base_dir in the rotator must then point at the same token file.
#schtasks /create /sc MINUTE /tn $sched_task_name /tr $task_to_run /ru "SYSTEM" /mo 1

Write-Host "AKEYLESS Universal Identity successfully initiated"
  4. Open PowerShell as an administrator, change to the folder holding both scripts, and run the init script, where the value of AccessID is your Akeyless access ID. You are prompted for the Access Key with masked input.
./akeyless_init_universal_identity.ps1 -AccessID <your access ID>
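Once the task is registered, the two things that go wrong in practice are the rotation silently stopping (user logged off, task failing) and the token file being readable by more accounts than intended. The following health check is an added example, not part of the Akeyless documentation or tooling: it verifies the scheduled task's last result, the freshness and shape of the token file, and its ACL, and with -Fix it replaces the inherited profile ACL with a single ACE for the current user. It assumes the task name and token path created by the init script above, that it is run as the same user the task runs as, and that five minutes without a rotation counts as a failure (an assumed threshold, since the task runs every minute). It needs the ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# check_universal_identity.ps1 -- added example, not part of the Akeyless docs or tooling.
# Run as the user the rotator task runs as. Task name and token path are the ones the init
# script above creates; -MaxAgeMinutes is an assumed threshold (rotation runs every minute).
param(
    [string]$TaskName      = "akeyless_universal_identity_rotator",
    [string]$TokenFile     = "$HOME/.vault-token",
    [int]   $MaxAgeMinutes = 5,
    [switch]$Fix                                   # also tighten the token file ACL
)

function Test-RotatorTask {
    param([string]$Name)
    $task = Get-ScheduledTask -TaskName $Name -ErrorAction SilentlyContinue
    if (-not $task) { return "task '$Name' is not registered" }
    if ($task.State -eq 'Disabled') { return "task '$Name' is disabled" }
    $info = Get-ScheduledTaskInfo -TaskName $Name
    # 0 = last run succeeded, 0x41301 (267009) = running now, 0x41303 (267011) = not run yet
    if ($info.LastTaskResult -notin 0, 267009, 267011) {
        return ("task '{0}' last run failed with 0x{1:X} at {2}" -f $Name, $info.LastTaskResult, $info.LastRunTime)
    }
    return $null
}

function Test-TokenFile {
    param([string]$Path, [int]$MaxAge)
    if (-not (Test-Path -LiteralPath $Path)) { return "token file '$Path' is missing" }
    $ageMin = ((Get-Date) - (Get-Item -LiteralPath $Path).LastWriteTime).TotalMinutes
    if ($ageMin -gt $MaxAge) {
        return ("token file last rotated {0:N0} min ago (limit {1}); rotation may have stopped" -f $ageMin, $MaxAge)
    }
    $tok = (Get-Content -LiteralPath $Path -Raw).Trim()
    if ([string]::IsNullOrEmpty($tok)) { return "token file is empty" }
    # A SecureString object written to disk by mistake shows up as its .NET type name.
    if ($tok -eq 'System.Security.SecureString') { return "token file holds a SecureString type name, not a token" }
    return $null
}

function Test-TokenFileAcl {
    # Only the owning user, SYSTEM and local Administrators should have any ACE on the file.
    param([string]$Path)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $allowed = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $strays = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -notin $allowed }
    if ($strays) {
        return "unexpected ACEs on '$Path': " + (($strays.IdentityReference.Value | Sort-Object -Unique) -join ', ')
    }
    return $null
}

function Restrict-TokenFileAcl {
    # Replace the ACL inherited from the profile folder with one explicit FullControl ACE
    # for the current user. Inherited ACEs are discarded when the protected ACL is written.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$problems = @(
    (Test-RotatorTask -Name $TaskName),
    (Test-TokenFile   -Path $TokenFile -MaxAge $MaxAgeMinutes)
)
if (Test-Path -LiteralPath $TokenFile) {
    if ($Fix) { Restrict-TokenFileAcl -Path $TokenFile }
    $problems += Test-TokenFileAcl -Path $TokenFile
}
$problems = $problems | Where-Object { $_ }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Universal Identity rotation on this host looks healthy."
exit 0
```

Run it as `.\check_universal_identity.ps1` from the same account after the first rotation; a non-zero exit code with one warning per finding makes it usable from monitoring. Use -Fix only with the default /it task: it removes SYSTEM and Administrators from the file, so a task registered with /ru "SYSTEM" would lose access to the token.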
