genvid.toolbox.VaultTool
Warning
This is a beta version of the API and is likely to change in future releases.
-
class genvid.toolbox.VaultTool(vault_policies_folder: str = '', vault_roles_folder: str = '', vault_token_file: str = '', vault_keys_file: str = '', use_wan: bool = False, **kwargs)
Bases: genvid.toolbox.consul.ConsulTool
A class for interfacing with Vault.
Warning: This is a beta implementation of the class.
Changed in version 1.16.0: The environment variables now take precedence over the content of the Vault files.
Changed in version 1.20.0: Added a use_wan parameter that replaces the service address with the TaggedAddress “wan”. The default is now to use the internal registered address.
-
NAME = 'Vault'
-
DESCRIPTION = 'A tool for interfacing with Vault.'
-
VAULT_TOKEN_FILE = None
The save location for the Vault token. Defaults to ~/.vault-token.
-
VAULT_KEYS_FILE = None
The save location of the Vault keys. Defaults to file:~/.vault-keys.
-
VAULT_TOKEN = None
A mirror of VAULT_TOKEN containing the Vault token used for authentication.
-
VAULT_KEYS = None
A mirror of VAULT_KEYS containing the comma-delimited Vault seal keys.
-
VAULT_ADDR = None
A mirror of VAULT_ADDR containing the Vault service address (including the protocol).
-
GENVID_VAULT_POLICIES_FOLDER = None
A mirror of GENVID_VAULT_POLICIES_FOLDER pointing to a folder containing Vault policies.
-
GENVID_VAULT_TOKEN_ROLES_FOLDER = None
A mirror of GENVID_VAULT_TOKEN_ROLES_FOLDER pointing to a folder containing Vault token roles.
-
get_vault_client_addr(timeout: float = 30.0, passing: bool = True)
Return the Vault server address.
Changed in version 1.20.0: The use_wan parameter is now removed to favor the use_wan passed at construction.
-
get_vault_client_url(timeout: float = 0, use_https: bool = False, passing: bool = True)
Return the Vault server URL.
Changed in version 1.20.0: The use_wan parameter is now removed to favor the use_wan passed at construction.
-
vault
The Vault client.
-
init_vault_client(timeout: float = 30.0, passing: bool = True)
Initialize the Vault client.
The client uses VAULT_ADDR for initialization. If it’s empty, it queries the discovery service for a Vault service and VAULT_ADDR is set appropriately.
Parameters: timeout – The timeout for the service query in seconds.
-
vault_load_policies(folder: typing.Union[str, NoneType] = None)
Load policies from a specified folder.
Policies should have an .hcl extension. The name of the policy is the base name of the file without the extension.
Parameters: folder – The folder to look up. Uses GENVID_VAULT_POLICIES_FOLDER if None.
-
vault_load_token_roles(folder: typing.Union[str, NoneType] = None)
Load token roles from a specified folder.
Token role files should have a .json extension and contain the properties of the role. The role name is the base filename minus the extension if no name is specified.
Parameters: folder – The folder to look up. Uses GENVID_VAULT_TOKEN_ROLES_FOLDER if None.
-
vault_setup()
Set up Vault if not initialized.
-
refresh_token(force: bool = False)
Refresh the Vault information.
Parameters: force – Force changing the variable, even if a value is already set.
Changed in version 1.16.0: Added the force param; a value that is already set is no longer overridden.
-
init_vault(key_shares=1, key_threshold=1)
Initialize a Vault.
This method sets the VAULT_TOKEN and VAULT_KEYS environment variables on success, overriding any values already present.
-
auth_vault(token=None)
Authorize the Vault client.
Parameters: token – Token for Vault operations. If None, uses VAULT_TOKEN.
Changed in version 1.16.0: Added the optional token param.
-
unseal_vault(timeout: float = 30.0)
Unseal Vault with the VAULT_KEYS.
-
create_vault_token(*, role=None, orphan=False, wrap_ttl=None, **properties)
Create a new token with the properties specified.
-
save_vault_token()
Save Vault token in the home folder.
-
save_vault_keys()
Save Vault keys in the home folder.
-
load_vault_token() → str
Load the Vault token from VAULT_TOKEN_FILE.
-
load_vault_keys() → str
Load the Vault keys from VAULT_KEYS_FILE.
-
clear_vault_files()
Clear Vault secret files.
-
create_vault_token_role(role, *, wrap_ttl=None, **properties)
Create a new token role with the properties specified.
-
class vault.VaultTool
Implementation of genvid.toolbox.VaultTool
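The class above saves the Vault token and seal keys to files in the home folder, and since 1.16.0 the environment variables take precedence over those files. The following is an added example, not Genvid's code, that mirrors that precedence rule and checks that a secret file is readable only by its owner. The helper names resolve_secret and audit_secret_file are hypothetical; it assumes POSIX permissions, that the file stores the raw value as text, and that an empty environment variable counts as unset.

```python
import os
import stat
import tempfile
from pathlib import Path


def resolve_secret(env_name, file_path, environ=None):
    """Return (value, source); a non-empty environment variable wins over the file."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_name)
    if value:
        return value, "env"
    path = Path(file_path).expanduser()
    if path.is_file():
        # Assumption: the file stores the raw secret as text.
        return path.read_text().strip(), "file"
    return None, "missing"


def audit_secret_file(file_path):
    """Return findings for a token/keys file; an empty list means nothing to fix."""
    path = Path(file_path).expanduser()
    if not path.is_file():
        return []
    st = path.stat()
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access, mode %o" % stat.S_IMODE(st.st_mode))
    if st.st_uid != os.getuid():
        findings.append("not owned by the current user")
    return findings


def demo():
    """Run both helpers against a constructed token file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        token_file = Path(tmp) / "vault-token"
        token_file.write_text("constructed-file-token\n")
        os.chmod(token_file, 0o644)
        loose = audit_secret_file(token_file)
        os.chmod(token_file, 0o600)
        tight = audit_secret_file(token_file)
        from_file = resolve_secret("VAULT_TOKEN", token_file, environ={})
        from_env = resolve_secret(
            "VAULT_TOKEN", token_file, environ={"VAULT_TOKEN": "constructed-env-token"})
    return loose, tight, from_file, from_env
```

Point audit_secret_file at the paths configured as VAULT_TOKEN_FILE and VAULT_KEYS_FILE; any finding means the token or seal keys can be read by another local account.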