
Commit 3173990

author
Jeffrey Hogan
committed
Break up examples
1 parent bd5843a commit 3173990


10 files changed

+234
-180
lines changed


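--- a/docs/examples/approle_auth_method.rst
+++ b/docs/examples/approle_auth_method.rst
@@ -0,0 +1,9 @@
+Approle Auth Method
+===================
+
+Authentication
+--------------
+
+.. code:: python
+
+client.auth_approle('MY_ROLE_ID', 'MY_SECRET_ID')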

docs/examples/audit.rst

Lines changed: 0 additions & 14 deletions
This file was deleted.

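--- a/docs/examples/aws.rst
+++ b/docs/examples/aws.rst
@@ -1,9 +1,23 @@
 AWS Authentication Backend
---------------------------
+==========================
 
-To be filled in.
+Authentication
+--------------
+
+IAM authentication method:
+
+.. code:: python
+
+client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY')
+client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', 'MY_AWS_SESSION_TOKEN')
+client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', role='MY_ROLE')
+
+import boto3
+session = boto3.Session()
+credentials = session.get_credentials()
+client.auth_aws_iam(credentials.access_key, credentials.secret_key, credentials.token)
 
 AWS Secret Backend
-------------------
+==================
 
 To be filled in.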

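--- a/docs/examples/examples.rst
+++ b/docs/examples/examples.rst
@@ -4,61 +4,27 @@ Examples
 .. toctree::
 :maxdepth: 4
 
-audit
+system_backend
+token_auth_method
 aws
-sys
+gcp
+kubernetes_auth_method
+approle_auth_method
+ldap_auth_method
 
 
 Authenticate to different auth backends
 ---------------------------------------
 
 .. code:: python
 
-# Token
-client.token = 'MY_TOKEN'
-assert client.is_authenticated() # => True
 
 # App ID
 client.auth_app_id('MY_APP_ID', 'MY_USER_ID')
 
-# App Role
-client.auth_approle('MY_ROLE_ID', 'MY_SECRET_ID')
-
-# AWS (IAM)
-client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY')
-client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', 'MY_AWS_SESSION_TOKEN')
-client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', role='MY_ROLE')
-
-import boto3
-session = boto3.Session()
-credentials = session.get_credentials()
-client.auth_aws_iam(credentials.access_key, credentials.secret_key, credentials.token)
-
 # GitHub
 client.auth_github('MY_GITHUB_TOKEN')
 
-# GCP (from GCE instance)
-import requests
-
-VAULT_ADDR="https://vault.example.com:8200"
-ROLE="example"
-AUDIENCE_URL = VAULT_ADDR + "/vault/" + ROLE
-METADATA_HEADERS = {'Metadata-Flavor': 'Google'}
-FORMAT = 'full'
-
-url = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience={}&format={}'.format(AUDIENCE_URL, FORMAT)
-r = requests.get(url, headers=METADATA_HEADERS)
-client.auth_gcp(ROLE, r.text)
-
-# Kubernetes (from k8s pod)
-f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
-jwt = f.read()
-client.auth_kubernetes("example", jwt)
-
-# LDAP, Username & Password
-client.auth_ldap('MY_USERNAME', 'MY_PASSWORD')
-client.auth_userpass('MY_USERNAME', 'MY_PASSWORD')
-
 # TLS
 client = Client(cert=('path/to/cert.pem', 'path/to/key.pem'))
 client.auth_tls()
@@ -81,94 +47,3 @@ Authenticate to different auth backends
 
 # Logout
 client.logout()
-
-Manage tokens
--------------
-
-.. code:: python
-
-token = client.create_token(policies=['root'], lease='1h')
-
-current_token = client.lookup_token()
-some_other_token = client.lookup_token('xxx')
-
-client.revoke_token('xxx')
-client.revoke_token('yyy', orphan=True)
-
-client.revoke_token_prefix('zzz')
-
-client.renew_token('aaa')
-
-Managing tokens using accessors
--------------------------------
-
-.. code:: python
-
-token = client.create_token(policies=['root'], lease='1h')
-token_accessor = token['auth']['accessor']
-
-same_token = client.lookup_token(token_accessor, accessor=True)
-client.revoke_token(token_accessor, accessor=True)
-
-Wrapping/unwrapping a token
----------------------------
-
-.. code:: python
-
-wrap = client.create_token(policies=['root'], lease='1h', wrap_ttl='1m')
-result = self.client.unwrap(wrap['wrap_info']['token'])
-
-Manipulate auth backends
-------------------------
-
-.. code:: python
-
-backends = client.list_auth_backends()
-
-client.enable_auth_backend('userpass', mount_point='customuserpass')
-client.disable_auth_backend('github')
-
-Manipulate secret backends
---------------------------
-
-.. code:: python
-
-backends = client.list_secret_backends()
-
-client.enable_secret_backend('aws', mount_point='aws-us-east-1')
-client.disable_secret_backend('mysql')
-
-client.tune_secret_backend('generic', mount_point='test', default_lease_ttl='3600s', max_lease_ttl='8600s')
-client.get_secret_backend_tuning('generic', mount_point='test')
-
-client.remount_secret_backend('aws-us-east-1', 'aws-east')
-
-Manipulate policies
--------------------
-
-.. code:: python
-
-policies = client.list_policies() # => ['root']
-
-policy = """
-path "sys" {
-policy = "deny"
-}
-
-path "secret" {
-policy = "write"
-}
-
-path "secret/foo" {
-policy = "read"
-}
-"""
-
-client.set_policy('myapp', policy)
-
-client.delete_policy('oldthing')
-
-policy = client.get_policy('mypolicy')
-
-# Requires pyhcl to automatically parse HCL into a Python dictionary
-policy = client.get_policy('mypolicy', parse=True)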

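--- a/docs/examples/gcp.rst
+++ b/docs/examples/gcp.rst
@@ -0,0 +1,25 @@
+GCP Auth Backend
+================
+
+Authentication
+--------------
+
+.. code:: python
+
+# GCP (from GCE instance)
+import requests
+
+VAULT_ADDR="https://vault.example.com:8200"
+ROLE="example"
+AUDIENCE_URL = VAULT_ADDR + "/vault/" + ROLE
+METADATA_HEADERS = {'Metadata-Flavor': 'Google'}
+FORMAT = 'full'
+
+url = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience={}&format={}'.format(AUDIENCE_URL, FORMAT)
+r = requests.get(url, headers=METADATA_HEADERS)
+client.auth_gcp(ROLE, r.text)
+
+GCP Secret Backend
+==================
+
+To be filled in.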
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
Kubernetes Auth Backend
2+
=======================
3+
4+
Authentication
5+
--------------
6+
7+
.. code:: python
8+
9+
# Kubernetes (from k8s pod)
10+
f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
11+
jwt = f.read()
12+
client.auth_kubernetes("example", jwt)

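--- a/docs/examples/ldap_auth_method.rst
+++ b/docs/examples/ldap_auth_method.rst
@@ -0,0 +1,11 @@
+LDAP Auth Backend
+=================
+
+Authentication
+--------------
+
+.. code:: python
+
+# LDAP, Username & Password
+client.auth_ldap('MY_USERNAME', 'MY_PASSWORD')
+client.auth_userpass('MY_USERNAME', 'MY_PASSWORD')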

docs/examples/sys.rst

Lines changed: 0 additions & 32 deletions
This file was deleted.
