1- # HVAC
1+ # hvac
22
33[ HashiCorp] ( https://hashicorp.com/ ) [ Vault] ( https://www.vaultproject.io ) API client for Python 2/3
44
5- [ ![ Travis CI] ( https://travis-ci.org/ianunruh/hvac.svg?branch=master )] ( https://travis-ci.org/ianunruh/hvac ) [ ![ Latest Version] ( https://img.shields.io/pypi/v/hvac.svg )] ( https://pypi.python.org/pypi/hvac/ )
5+ [ ![ Travis CI] ( https://travis-ci.org/ianunruh/hvac.svg?branch=master )] ( https://travis-ci.org/ianunruh/hvac ) [ ![ Latest Version] ( https://img.shields.io/pypi/v/hvac.svg )] ( https://pypi.python.org/pypi/hvac/ ) [ ![ Documentation Status ] ( //readthedocs.org/projects/hvac/badge/?version=latest )] ( https://hvac.readthedocs.io/en/docs/?badge=latest )
66
77Tested against Vault v0.1.2 and HEAD. Requires v0.1.2 or later.
88
@@ -35,11 +35,8 @@ client = hvac.Client(url='http://localhost:8200', token=os.environ['VAULT_TOKEN'
3535client = hvac.Client(url = ' https://localhost:8200'
3636
3737# Using TLS with client-side certificate authentication
38- client = hvac.Client(url = ' https://localhost:8200'
39- cert = (' path/to/cert.pem' ' path/to/key.pem'
38+ client = hvac.Client(url = ' https://localhost:8200' cert = (' path/to/cert.pem' ' path/to/key.pem'
4039
41- # Skipping TLS verification entirely (should only be used for local development; unsafe for production clusters)
42- client = hvac.Client(url = ' https://localhost:8200' verify = False )
4340```
4441
4542### Read and write to secret backends
@@ -52,218 +49,16 @@ print(client.read('secret/foo'))
5249client.delete(' secret/foo'
5350```
5451
55- ### Authenticate to different auth backends
52+ ### Authenticate using token auth backend
5653
5754``` python
5855# Token
5956client.token = ' MY_TOKEN'
6057assert client.is_authenticated() # => True
61-
62- # App ID
63- client.auth_app_id(' MY_APP_ID' ' MY_USER_ID'
64-
65- # App Role
66- client.auth_approle(' MY_ROLE_ID' ' MY_SECRET_ID'
67-
68- # AWS (IAM)
69- client.auth_aws_iam(' MY_AWS_ACCESS_KEY_ID' ' MY_AWS_SECRET_ACCESS_KEY'
70- client.auth_aws_iam(' MY_AWS_ACCESS_KEY_ID' ' MY_AWS_SECRET_ACCESS_KEY' ' MY_AWS_SESSION_TOKEN'
71- client.auth_aws_iam(' MY_AWS_ACCESS_KEY_ID' ' MY_AWS_SECRET_ACCESS_KEY' role = ' MY_ROLE'
72-
73- import boto3
74- session = boto3.Session()
75- credentials = session.get_credentials()
76- client.auth_aws_iam(credentials.access_key, credentials.secret_key, credentials.token)
77-
78- # GitHub
79- client.auth_github(' MY_GITHUB_TOKEN'
80-
81- # GCP (from GCE instance)
82- import requests
83-
84- VAULT_ADDR = " https://vault.example.com:8200"
85- ROLE = " example"
86- AUDIENCE_URL = VAULT_ADDR + " /vault/" + ROLE
87- METADATA_HEADERS = {' Metadata-Flavor' ' Google'
88- FORMAT = ' full'
89-
90- url = ' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience={} &format={} ' AUDIENCE_URL , FORMAT )
91- r = requests.get(url, headers = METADATA_HEADERS )
92- client.auth_gcp(ROLE , r.text)
93-
94- # Kubernetes (from k8s pod)
95- f = open (' /var/run/secrets/kubernetes.io/serviceaccount/token'
96- jwt = f.read()
97- client.auth_kubernetes(" example"
98-
99- # LDAP, Username & Password
100- client.auth_ldap(' MY_USERNAME' ' MY_PASSWORD'
101- client.auth_userpass(' MY_USERNAME' ' MY_PASSWORD'
102-
103- # TLS
104- client = Client(cert = (' path/to/cert.pem' ' path/to/key.pem'
105- client.auth_tls()
106-
107- # Non-default mount point (available on all auth types)
108- client.auth_userpass(' MY_USERNAME' ' MY_PASSWORD' mount_point = ' CUSTOM_MOUNT_POINT'
109-
110- # Authenticating without changing to new token (available on all auth types)
111- result = client.auth_github(' MY_GITHUB_TOKEN' use_token = False )
112- print (result[' auth' ' client_token' # => u'NEW_TOKEN'
113-
114- # Custom or unsupported auth type
115- params = {
116- ' username' ' MY_USERNAME'
117- ' password' ' MY_PASSWORD'
118- ' custom_param' ' MY_CUSTOM_PARAM'
119- }
120-
121- result = client.auth(' /v1/auth/CUSTOM_AUTH/login' json = params)
122-
123- # Logout
124- client.logout()
125- ```
126-
127- ### Manage tokens
128-
129- ``` python
130- token = client.create_token(policies = [' root' lease = ' 1h'
131-
132- current_token = client.lookup_token()
133- some_other_token = client.lookup_token(' xxx'
134-
135- client.revoke_token(' xxx'
136- client.revoke_token(' yyy' orphan = True )
137-
138- client.revoke_token_prefix(' zzz'
139-
140- client.renew_token(' aaa'
141- ```
142-
143- ### Managing tokens using accessors
144-
145- ``` python
146- token = client.create_token(policies = [' root' lease = ' 1h'
147- token_accessor = token[' auth' ' accessor'
148-
149- same_token = client.lookup_token(token_accessor, accessor = True )
150- client.revoke_token(token_accessor, accessor = True )
151- ```
152-
153- ### Wrapping/unwrapping a token
154-
155- ``` python
156- wrap = client.create_token(policies = [' root' lease = ' 1h' wrap_ttl = ' 1m'
157- result = self .client.unwrap(wrap[' wrap_info' ' token'
158- ```
159-
160- ### Manipulate auth backends
161-
162- ``` python
163- backends = client.list_auth_backends()
164-
165- client.enable_auth_backend(' userpass' mount_point = ' customuserpass'
166- client.disable_auth_backend(' github'
16758```
16859
169- ### Manipulate secret backends
170-
171- ``` python
172- backends = client.list_secret_backends()
173-
174- client.enable_secret_backend(' aws' mount_point = ' aws-us-east-1'
175- client.disable_secret_backend(' mysql'
176-
177- client.tune_secret_backend(' generic' mount_point = ' test' default_lease_ttl = ' 3600s' max_lease_ttl = ' 8600s'
178- client.get_secret_backend_tuning(' generic' mount_point = ' test'
179-
180- client.remount_secret_backend(' aws-us-east-1' ' aws-east'
181- ```
182-
183- ### Manipulate policies
184-
185- ``` python
186- policies = client.list_policies() # => ['root']
187-
188- policy = """
189- path "sys" {
190- policy = "deny"
191- }
192-
193- path "secret" {
194- policy = "write"
195- }
196-
197- path "secret/foo" {
198- policy = "read"
199- }
200- """
201-
202- client.set_policy(' myapp'
203-
204- client.delete_policy(' oldthing'
205-
206- policy = client.get_policy(' mypolicy'
207-
208- # Requires pyhcl to automatically parse HCL into a Python dictionary
209- policy = client.get_policy(' mypolicy' parse = True )
210- ```
211-
212- ### Manipulate audit backends
213-
214- ``` python
215- backends = client.list_audit_backends()
216-
217- options = {
218- ' path' ' /tmp/vault.log'
219- ' log_raw' True ,
220- }
221-
222- client.enable_audit_backend(' file' options = options, name = ' somefile'
223- client.disable_audit_backend(' oldfile'
224- ```
225-
226- ### Initialize and seal/unseal
227-
228- ``` python
229- print (client.is_initialized()) # => False
230-
231- shares = 5
232- threshold = 3
233-
234- result = client.initialize(shares, threshold)
235-
236- root_token = result[' root_token'
237- keys = result[' keys'
238-
239- print (client.is_initialized()) # => True
240-
241- print (client.is_sealed()) # => True
242-
243- # unseal with individual keys
244- client.unseal(keys[0 ])
245- client.unseal(keys[1 ])
246- client.unseal(keys[2 ])
247-
248- # unseal with multiple keys until threshold met
249- client.unseal_multi(keys)
250-
251- print (client.is_sealed()) # => False
252-
253- client.seal()
254-
255- print (client.is_sealed()) # => True
256- ```
257-
258- ## Testing
259-
260- Integration tests will automatically start a Vault server in the background. Just make sure
261- the latest ` vault ` binary is available in your ` PATH ` .
60+ ## Contributing
26261
263- 1 . [ Install Vault] ( https://vaultproject.io/docs/install/index.html ) or execute ` VAULT_BRANCH=release scripts/install-vault-release.sh `
264- 2 . [ Install Tox] ( http://tox.readthedocs.org/en/latest/install.html )
265- 3 . Run tests: ` make test `
62+ See [ CONTRIBUTING.md] ( CONTRIBUTING.md ) .
26663
267- ## Contributing
26864
269- Feel free to open pull requests with additional features or improvements!
0 commit comments