Secret¶

class SecretEndpoint(req_handler)¶

task items()¶

Lists all the mounted secret backends

Returns:	SecretCollection

__getattr__(type)¶: Shortcut for type loading

load(name, *, type=None)¶

Get a backend by its name

Parameters:	name (str) – The backed name type (str) – The name of the backend type, such as `aws`
Returns:	SecretBackend

task mount(name, *, type=None, description=None)¶

Load and mount a new secret backend

Parameters:	name (str) – The name of mount type (str) – The name of the backend type, such as `aws` description (str) – A human-friendly description of the mount
Returns:	(bool, SecretBackend)

task unmount(name)¶

Unmount a secret backend

Parameters:	name (str) – The name of mounted backend
Returns:	bool

task remount(src, dest)¶

Move the secret backend

Parameters:	src (str) – The endpoint to be moved dest (str) – The new endpoint
Returns:	bool

Backends¶

class AWSBackend(name, type, req_handler)¶

The AWS backend dynamically generates AWS access keys for a set of IAM policies. The AWS access keys have a configurable lease set and are automatically revoked at the end of the lease.

After mounting this backend, credentials to generate IAM keys must be configured with the “root” path and policies must be written using the “roles/” endpoints before any access keys can be generated.

task config_root(*, access_key, secret_key, region=None)¶

Configures the root IAM credentials used.

Before doing anything, the AWS backend needs credentials that are able to manage IAM policies, users, access keys, etc. This endpoint is used to configure those credentials. They don’t necessarilly need to be root keys as long as they have permission to manage IAM:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1432042359000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateUser",
                "iam:PutUserPolicy",
                "iam:CreateAccessKey"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Parameters:	access_key (str) – Access key with permission to create new keys secret_key (str) – Secret key with permission to create new keys region (str) – The region for API calls
Returns:	bool

task config_lease(*, lease, lease_max)¶

Configures the lease settings for generated credentials.

This configures the default lease information used for credentials generated by this backend. The lease specifies the duration that a credential will be valid for, as well as the maximum session for a set of credentials.

The format for the lease is “1h” or integer and then unit. The longest unit is hour.

Parameters:	lease (str) – The lease value provided as a string duration with time suffix. Hour is the largest suffix. lease_max (str) – The maximum lease value provided as a string duration with time suffix. Hour is the largest suffix.
Returns:	bool

task write_role(name, *, policy)¶

Write named role.

This path allows you to read and write roles that are used to create access keys. These roles have IAM policies that map directly to the route to read the access keys. For example, if the backend is mounted at “aws” and you create a role at “aws/roles/deploy” then a user could request access credentials at “aws/creds/deploy”.

The policies written are normal IAM policies. Vault will not attempt to parse these except to validate that they’re basic JSON. To validate the keys, attempt to read an access key after writing the policy.

Parameters:	name (str) – The role name. policy (obj) – The IAM policy.
Returns:	bool

task read_role(name)¶

Read a named role.

Parameters:	name (str) – The role name.
Returns:	Value

task delete_role(name)¶

Delete a named role.

Parameters:	name (str) – The role name.
Returns:	bool

task creds(name)¶

Generates a dynamic IAM credential based on the named role.

Parameters:	name (str) – The role name.
Returns:	Value

mount(*, name=None, description=None)¶

Mount a new secret backend

Parameters:	name (str) – The new endpoint description (str) – A human-friendly description of the mount

remount(dest)¶

Move the secret backend

Parameters:	dest (str) – The new endpoint

unmount()¶: Unmount the secret backend

class ConsulBackend(name, type, req_handler)¶

task config_access(address, token)¶

Configures the access information for Consul.

This is a root protected endpoint.

Parameters:	address (str) – The address of the Consul instance, provided as scheme://host:port token (str) – The Consul ACL token to use. Must be a management type token.

Results:: bool

task read_role(name)¶

Queries a Consul role definition.

Parameters:	name (str) – The role name

Results:: Value

task write_role(name, *, policy, lease=None)¶

Creates or updates the Consul role definition.

Parameters:	name (str) – The role name policy (str) – The Consul ACL policy.
Returns:	bool

task delete_role(name)¶

Deletes a Consul role definition.

Parameters:	name (str) – The role name
Returns:	bool

task creds(name)¶

Generates a dynamic Consul token based on the role definition.

Parameters:	name (str) – The role name

Results:: Value

mount(*, name=None, description=None)¶

Mount a new secret backend

Parameters:	name (str) – The new endpoint description (str) – A human-friendly description of the mount

remount(dest)¶

Move the secret backend

Parameters:	dest (str) – The new endpoint

unmount()¶: Unmount the secret backend

class PostgreSQLBackend(name, type, req_handler)¶

task config_connection(*, dsn)¶

Configures the connection string used to communicate with PostgreSQL.

This is a root protected endpoint.

Parameters:	dsn (str) – The PostgreSQL connection URL or PG style string. e.g. “user=foo host=bar”

task config_lease(lease, lease_max)¶

Configures the lease settings for generated credentials.

If not configured, leases default to 1 hour. This is a root protected endpoint.

Parameters:	lease (str) – The lease value provided as a string duration with time suffix. Hour is the largest suffix. lease_max (str) – The maximum lease value provided as a string duration with time suffix. Hour is the largest suffix.

task read_role(name)¶

Queries the role definition.

Parameters:	name (str) – The role name

task write_role(name, sql)¶

Creates or updates the role definition.

Parameters:	sql (str) – The SQL statements executed to create and configure the role. Must be semi-colon separated. The ‘{{name}}’, ‘{{password}}’ and ‘{{expiration}}’ values will be substituted.

task delete_role(name)¶

Deletes the role definition.

Parameters:	name (str) – The role name

task creds(name)¶

Generates a new set of dynamic credentials based on the named role.

Parameters:	name (str) – The role name

mount(*, name=None, description=None)¶

Mount a new secret backend

Parameters:	name (str) – The new endpoint description (str) – A human-friendly description of the mount

remount(dest)¶

Move the secret backend

Parameters:	dest (str) – The new endpoint

unmount()¶: Unmount the secret backend

class MySQLBackend(name, type, req_handler)¶

The MySQL backend dynamically generates database users.

After mounting this backend, configure it using the endpoints within the “config/” path.

task config_connection(*, dsn)¶

Configure the connection string to talk to MySQL

This path configures the connection string used to connect to MySQL. The value of the string is a Data Source Name (DSN). An example is using username:password@protocol(address)/dbname?param=value.

For example, RDS may look like:

id:password@tcp(your-amazonaws-uri.com:3306)/dbname

When configuring the connection string, the backend will verify its validity.

This is a root protected endpoint.

Parameters:	dsn (str) – The MySQL DSN
Returns:	bool

task config_lease(lease, lease_max)¶

Configures the lease settings for generated credentials.

If not configured, leases default to 1 hour. This is a root protected endpoint.

Parameters:	lease (str) – The lease value provided as a string duration with time suffix. Hour is the largest suffix. lease_max (str) – The maximum lease value provided as a string duration with time suffix. Hour is the largest suffix.
Returns:	bool

task read_role(name)¶

Queries the role definition.

Parameters:	name (str) – Name of the role
Returns:	Value

task write_role(name, sql)¶

Creates or updates the role definition.

This path lets you manage the roles that can be created with this backend.

The “sql” parameter customizes the SQL string used to create the role. This can be a sequence of SQL queries, each semi-colon seperated. Some substitution will be done to the SQL string for certain keys. The names of the variables must be surrounded by “{{” and “}}” to be replaced.

Name:	The random username generated for the DB user.
Password:	The random password generated for the DB user.

Example of a decent SQL query to use:

CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT ALL ON db1.* TO '{{name}}'@'%';

Note the above user would be able to access anything in db1. Please see the MySQL manual on the GRANT command to learn how to do more fine grained access.

Parameters:	name (str) – Name of the role sql (str) – The SQL statements executed to create and configure the role. Must be semi-colon separated.
Returns:	bool

task delete_role(name)¶

Deletes the role definition.

Parameters:	name (str) – The role name
Returns:	bool

task creds(name)¶

Generates a new set of dynamic credentials based on the named role.

This path reads database credentials for a certain role. The database credentials will be generated on demand and will be automatically revoked when the lease is up.

Parameters:	name (str) – The role name
Returns:	Value

mount(*, name=None, description=None)¶

Mount a new secret backend

Parameters:	name (str) – The new endpoint description (str) – A human-friendly description of the mount

remount(dest)¶

Move the secret backend

Parameters:	dest (str) – The new endpoint

unmount()¶: Unmount the secret backend

class TransitBackend(name, type, req_handler)¶

task read_key(name)¶

Returns information about a named encryption key.

This is a root protected endpoint.

Parameters:	name (str) – The transit key
Returns:	Value

task read_raw(name)¶

Fetch raw keys for named encryption keys.

This path is used to get the underlying encryption keys used for the named keys that are available

Parameters:	name (str) – The transit key
Returns:	Value

task write_key(name, *, derived=False)¶

Creates a new named encryption key.

This is a root protected endpoint.

Parameters:	name (str) – The transit key derived (bool) – Enables key derivation mode. This allows for per-transaction unique keys
Returns:	bool

task delete_key(name)¶

Deletes a named encryption key.

This is a root protected endpoint. All data encrypted with the named key will no longer be decryptable.

Parameters:	name (str) – The transit key
Returns:	bool

task encrypt(key, plaintext, context=None)¶

Encrypts the provided plaintext using the named key.

Parameters:	key (str) – The transit key plaintext (str) – The plaintext to encrypt context (str) – Context for key derivation. Required for derived keys.
Returns:	Value

task decrypt(key, ciphertext, context=None)¶

Decrypts the provided ciphertext using the named key.

Parameters:	key (str) – The transit key ciphertext (str) – The ciphertext to decrypt, provided as returned by encrypt. context (bool) – Context for key derivation. Required for derived keys.
Returns:	Value

mount(*, name=None, description=None)¶

Mount a new secret backend

Parameters:	name (str) – The new endpoint description (str) – A human-friendly description of the mount

remount(dest)¶

Move the secret backend

Parameters:	dest (str) – The new endpoint

unmount()¶: Unmount the secret backend

class GenericBackend(name, type, req_handler)¶

Store arbitrary secrets within the configured physical storage.

The generic backend allows for writing keys with arbitrary values. The only value that special is the lease key, which can be provided with any key to restrict the lease time of the secret. This is useful to ensure clients periodically renew so that key rolling can be time bounded.

task read(key)¶

Reads the value of the key at the given path.

Parameters:	key (str) – The key to read
Returns:	Value – The key value

task write(key, values)¶

Update the value of the key at the given path.

Parameters:	key (str) – The key to read values (dict) – The data to write
Returns:	bool – The key has been written

task delete(key)¶

Ensure that key is absent with given path.

Parameters:	path (str) – The key name
Returns:	bool – The key does not exists in storage

mount(*, name=None, description=None)¶

Mount a new secret backend

Parameters:	name (str) – The new endpoint description (str) – A human-friendly description of the mount

remount(dest)¶

Move the secret backend

Parameters:	dest (str) – The new endpoint

unmount()¶: Unmount the secret backend

Objects¶

class Value(*, lease_duration, auth, renewable, lease_id, data)¶

Secret¶

Backends¶

Objects¶

AIO Vault

Navigation