genvid.toolbox.VaultTool

Warning

This is a beta version of the API and is likely to change in future releases.

class genvid.toolbox.VaultTool(vault_policies_folder: str = '', vault_roles_folder: str = '', vault_token_file: str = '', vault_keys_file: str = '', **kwargs)

Bases: genvid.toolbox.consul.ConsulTool

A class for interfacing with Vault.

Warning: This is a beta implementation of the class.

Changed in version 1.16.0: The environment variables now take precedence over the content of the Vault files.

DESCRIPTION = 'A tool for interfacing with Vault.'
GENVID_VAULT_POLICIES_FOLDER = None

A mirror of GENVID_VAULT_POLICIES_FOLDER pointing to a folder containing Vault policies.

GENVID_VAULT_TOKEN_ROLES_FOLDER = None

A mirror of GENVID_VAULT_TOKEN_ROLES_FOLDER pointing to a folder containing Vault token roles.

NAME = 'Vault'
VAULT_ADDR = None

A mirror of VAULT_ADDR containing the Vault service address (including the protocol).

VAULT_KEYS = None

A mirror of VAULT_KEYS containing the comma-delimited Vault seal keys.

VAULT_KEYS_FILE = None

The save location of the Vault keys. Defaults to ~/.vault-keys.

VAULT_TOKEN = None

A mirror of VAULT_TOKEN containing the Vault token used for authentication.

VAULT_TOKEN_FILE = None

The save location for the Vault token. Defaults to ~/.vault-token.

auth_vault(token=None)

Authorize the Vault client.

Parameters: token – Token for Vault operations. If None, uses VAULT_TOKEN.

Changed in version 1.16.0: Add the optional token param.

clear_vault_files()

Clear Vault secret files.

create_vault_token(*, role=None, orphan=False, wrap_ttl=None, **properties)

Create a new token with the properties specified.

create_vault_token_role(role, *, wrap_ttl=None, **properties)

Create a new token role with the properties specified.

get_vault_client_addr(timeout: float = 30.0, use_wan: bool = False, passing: bool = True)

Return the Vault server address.

get_vault_client_url(timeout: float = 0, use_https: bool = False, use_wan: bool = False, passing: bool = True)

Return the Vault server URL.

init_vault(key_shares=1, key_threshold=1)

Initialize a Vault.

This method sets the VAULT_TOKEN and VAULT_KEYS environment variables on success, overriding any values already present.

init_vault_client(timeout: float = 30.0, passing: bool = True)

Initialize the Vault client.

The client uses VAULT_ADDR for initialization. If it’s empty, it queries the discovery service for a Vault service and VAULT_ADDR is set appropriately.

Parameters: timeout – The timeout for the service query in seconds.

load_vault_keys() → str

Load the Vault keys from VAULT_KEYS_FILE.

load_vault_token() → str

Load the Vault token from VAULT_TOKEN_FILE.

refresh_token(force: bool = False)

Refresh the Vault information.

Parameters: force – Force changing the variable, even if a value is already set.

Changed in version 1.16.0: Add the force param and don’t override if already set.

save_vault_keys()

Save Vault keys in the home folder.

save_vault_token()

Save Vault token in the home folder.
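An added example, not part of the Genvid toolbox or its documentation: a standalone check of the saved token and key files at their documented default locations, which also reports whether the environment variable or the file supplies each value under the 1.16.0 precedence rule. The function names `audit_secret_file`, `effective_source` and `audit` are hypothetical, and treating an empty environment variable as unset is an assumption.

```python
import os
import stat
from pathlib import Path

# Default save locations as documented above.
DEFAULT_FILES = {
    "VAULT_TOKEN": Path("~/.vault-token"),
    "VAULT_KEYS": Path("~/.vault-keys"),
}


def audit_secret_file(path):
    """Return findings for one saved secret file (an empty list means OK)."""
    path = Path(path).expanduser()
    try:
        st = path.lstat()  # lstat: inspect the path itself, not a symlink target
    except FileNotFoundError:
        return []  # nothing saved on disk, nothing to audit
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["is not a regular file"]
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("accessible by group/others (mode %o)" % stat.S_IMODE(st.st_mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("not owned by the current user")
    return findings


def effective_source(name, env=None, files=DEFAULT_FILES):
    """Where a value comes from when the environment wins over the saved file.
    Assumption: an empty environment variable counts as unset."""
    env = os.environ if env is None else env
    if env.get(name):
        return "env"
    return "file" if files[name].expanduser().is_file() else "unset"


def audit(env=None, files=DEFAULT_FILES):
    """Audit every saved file, including ones shadowed by the environment:
    a stale token or key file is still a secret at rest."""
    return {
        name: {"source": effective_source(name, env, files),
               "findings": audit_secret_file(path)}
        for name, path in files.items()
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```
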

unseal_vault(timeout: float = 30.0)

Unseal Vault with the VAULT_KEYS.

vault

The Vault client.

vault_load_policies(folder: typing.Union[str, NoneType] = None)

Load policies from a specified folder.

Policies should have an .hcl extension. The name of the policy is the base name of the file without the extension.

Parameters: folder – The folder to look up. Uses GENVID_VAULT_POLICIES_FOLDER if None.

vault_load_policies is followed by:

vault_load_token_roles(folder: typing.Union[str, NoneType] = None)

Load token roles from a specified folder.

Token role files should have a .json extension and contain the properties of the role. If no name is specified, the base filename without the extension is used as the name.

Parameters: folder – The folder to look up. Uses GENVID_VAULT_TOKEN_ROLES_FOLDER if None.

vault_setup()

Set up Vault if not initialized.

class vault.VaultTool

Implementation of genvid.toolbox.VaultTool