Name: hvac
Owner: Reddit
Description: :lock: Python 2/3 client for HashiCorp Vault
Forked from: ianunruh/hvac
Created: 2017-04-06 21:38:18.0
Updated: 2018-04-18 08:15:06.0
Pushed: 2017-05-31 07:02:48.0
Size: 158
Language: Python
HashiCorp Vault API client for Python 2/3
Tested against Vault v0.1.2 and HEAD. Requires v0.1.2 or later.
pip install hvac
or
pip install hvac[parser]
if you would like to be able to return parsed HCL data as a Python dict for methods that support it.
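# Getting started: build an hvac.Client for a Vault server.
import os

import hvac

# Using plaintext
# NOTE: over http:// the Vault token and every secret in a request or
# response travel unencrypted. Keep these forms for a local development
# server only.
client = hvac.Client()
client = hvac.Client(url='http://localhost:8200')
# The token is read from the environment so it never appears in source.
client = hvac.Client(url='http://localhost:8200', token=os.environ['VAULT_TOKEN'])

# Using TLS
# Server certificate checking is controlled by the client's `verify`
# argument; leave it enabled, and point it at a CA bundle when the Vault
# server uses a private CA.
client = hvac.Client(url='https://localhost:8200')

# Using TLS with client-side certificate authentication
# The private key file should be readable only by the account running
# this code.
client = hvac.Client(url='https://localhost:8200',
                     cert=('path/to/cert.pem', 'path/to/key.pem'))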
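# Read and write to secret backends.
# `client` is an authenticated hvac.Client.
client.write('secret/foo', baz='bar', lease='1h')

# Printing a secret copies it to stdout, and from there into terminal
# scrollback or job logs: fine for a demo value, not for real credentials.
print(client.read('secret/foo'))

client.delete('secret/foo')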
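# Authenticate to different auth backends.
# Every credential below is a placeholder. Load real tokens, secret IDs and
# passwords at runtime (environment, prompt, secret store) and keep them out
# of source control.

# Token
client.token = 'MY_TOKEN'
# `assert` is removed under `python -O`; use an explicit check outside demos.
assert client.is_authenticated() # => True

# App ID
# (Vault has deprecated the App ID backend in favour of AppRole.)
client.auth_app_id('MY_APP_ID', 'MY_USER_ID')

# App Role
client.auth_approle('MY_ROLE_ID', 'MY_SECRET_ID')

# GitHub
client.auth_github('MY_GITHUB_TOKEN')

# LDAP, Username & Password
client.auth_ldap('MY_USERNAME', 'MY_PASSWORD')
client.auth_userpass('MY_USERNAME', 'MY_PASSWORD')

# TLS
# The client certificate is presented during the TLS handshake, so the
# client must be built with an https:// URL. `Client` is referenced through
# the `hvac` module because only `import hvac` is in scope.
client = hvac.Client(url='https://localhost:8200',
                     cert=('path/to/cert.pem', 'path/to/key.pem'))
client.auth_tls()

# Non-default mount point (available on all auth types)
client.auth_userpass('MY_USERNAME', 'MY_PASSWORD', mount_point='CUSTOM_MOUNT_POINT')

# Authenticating without changing to new token (available on all auth types)
result = client.auth_github('MY_GITHUB_TOKEN', use_token=False)
# The returned client_token is a live credential; printing it is for
# illustration only.
print(result['auth']['client_token']) # => u'NEW_TOKEN'

# Custom or unsupported auth type
params = {
    'username': 'MY_USERNAME',
    'password': 'MY_PASSWORD',
    'custom_param': 'MY_CUSTOM_PARAM',
}

result = client.auth('/v1/auth/CUSTOM_AUTH/login', json=params)

# Logout
# Clears the token held by this client object.
# NOTE(review): confirm whether it also revokes the token server-side; if
# not, call revoke_token for tokens that must stop working.
client.logout()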
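# Manage tokens.
# policies=['root'] yields a token with unrestricted access and is used here
# only to keep the example short. Issue real tokens with the narrowest
# policy that covers the workload, and a short lease.
token = client.create_token(policies=['root'], lease='1h')

current_token = client.lookup_token()
some_other_token = client.lookup_token('xxx')

client.revoke_token('xxx')
client.revoke_token('yyy', orphan=True)

client.revoke_token_prefix('zzz')

client.renew_token('aaa')

# Managing tokens using accessors.
# An accessor lets an operator look up or revoke a token without ever
# handling the token value itself.
token = client.create_token(policies=['root'], lease='1h')
token_accessor = token['auth']['accessor']

same_token = client.lookup_token(token_accessor, accessor=True)
client.revoke_token(token_accessor, accessor=True)

# Wrapping/unwrapping a token.
# With wrap_ttl the response carries a short-lived wrapping token instead of
# the real one; the recipient exchanges it via unwrap(). A wrapping token can
# be unwrapped once, so a failed unwrap is a sign it was already used.
wrap = client.create_token(policies=['root'], lease='1h', wrap_ttl='1m')
# Call unwrap on `client`: there is no `self` at script level.
result = client.unwrap(wrap['wrap_info']['token'])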
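# Manage auth and secret backends.
# These are sys-level operations; the calling token needs a policy that
# grants them, so keep that policy away from application tokens.

# Auth backends
backends = client.list_auth_backends()

client.enable_auth_backend('userpass', mount_point='customuserpass')
# Disabling an auth backend also invalidates logins issued through it.
client.disable_auth_backend('github')

# Secret backends
backends = client.list_secret_backends()

client.enable_secret_backend('aws', mount_point='aws-us-east-1')
# Disabling a secret backend removes the data stored under its mount.
client.disable_secret_backend('mysql')

client.remount_secret_backend('aws-us-east-1', 'aws-east')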
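# Manage policies.
policies = client.list_policies() # => ['root']

# HCL policy document: deny "sys", allow writes under "secret", and restrict
# "secret/foo" to read-only.
policy = """
path "sys" {
  policy = "deny"
}

path "secret" {
  policy = "write"
}

path "secret/foo" {
  policy = "read"
}
"""

client.set_policy('myapp', policy)

# Tokens still attached to a deleted policy lose the access it granted.
client.delete_policy('oldthing')

policy = client.get_policy('mypolicy')

# Requires pyhcl to automatically parse HCL into a Python dictionary
policy = client.get_policy('mypolicy', parse=True)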
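# Manage audit backends.
backends = client.list_audit_backends()

options = {
    # /tmp is shared by every local user; a production audit log belongs in
    # a directory only the Vault service account can access.
    'path': '/tmp/vault.log',
    # log_raw=True writes secrets and tokens to the audit log unhashed.
    # Leave it off outside short-lived debugging, and treat any log written
    # with it on as sensitive as the secrets themselves.
    'log_raw': True,
}

client.enable_audit_backend('file', options=options, name='somefile')
# Disabling the last audit backend leaves Vault requests unaudited.
client.disable_audit_backend('oldfile')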
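# Initialize and seal/unseal.
print(client.is_initialized()) # => False

shares = 5
threshold = 3

# The initialize response is the one time the unseal keys and the initial
# root token are returned. Do not log it. Hand each key share to a separate
# holder, and revoke the root token once initial setup is complete.
result = client.initialize(shares, threshold)

root_token = result['root_token']
keys = result['keys']

print(client.is_initialized()) # => True

print(client.is_sealed()) # => True

# Unseal with individual keys
client.unseal(keys[0])
client.unseal(keys[1])
client.unseal(keys[2])

# Unseal with multiple keys until threshold met
# Holding every share in one process defeats the key split; this form suits
# tests and development servers.
client.unseal_multi(keys)

print(client.is_sealed()) # => False

# Sealing discards the in-memory master key; Vault serves no secrets again
# until a threshold of key holders unseals it.
client.seal()

print(client.is_sealed()) # => True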
Integration tests will automatically start a Vault server in the background. Just make sure the latest `vault` binary is available in your `PATH`.
Feel free to open pull requests with additional features or improvements!