Secret

class SecretEndpoint(req_handler)

    task items()
        Lists all the mounted secret backends.
        Returns: SecretCollection

    __getattr__(type)
        Shortcut for type loading.

    load(name, *, type=None)
        Get a backend by its name.
        Returns: SecretBackend

    task mount(name, *, type=None, description=None)
        Load and mount a new secret backend.
        Returns: (bool, SecretBackend)

Backends

class AWSBackend(name, type, req_handler)

    The AWS backend dynamically generates AWS access keys for a set of IAM policies. The AWS access keys have a configurable lease set and are automatically revoked at the end of the lease.

    After mounting this backend, credentials to generate IAM keys must be configured with the “root” path and policies must be written using the “roles/” endpoints before any access keys can be generated.

    task config_root(*, access_key, secret_key, region=None)
        Configures the root IAM credentials used.

        Before doing anything, the AWS backend needs credentials that are able to manage IAM policies, users, access keys, etc. This endpoint is used to configure those credentials. They don’t necessarily need to be root keys as long as they have permission to manage IAM:

            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "Stmt1432042359000",
                  "Effect": "Allow",
                  "Action": [
                    "iam:CreateUser",
                    "iam:PutUserPolicy",
                    "iam:CreateAccessKey"
                  ],
                  "Resource": ["*"]
                }
              ]
            }

        Returns: bool

    task config_lease(*, lease, lease_max)
        Configures the lease settings for generated credentials.

        This configures the default lease information used for credentials generated by this backend. The lease specifies the duration that a credential will be valid for, as well as the maximum session for a set of credentials.

        The format for the lease is an integer followed by a unit, e.g. “1h”. The longest unit is hour.

        Returns: bool
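The lease format described above, as an added example that is not part of this page or the client library: a small parser that turns a lease string into seconds and checks a (lease, lease_max) pair before it is handed to config_lease. The unit letters s, m and h, and the requirement that a unit is present, are assumptions; the page only says the format is an integer followed by a unit, with hour the longest.

```python
import re

# Units assumed here: seconds, minutes and hours. The page only says the lease
# is an integer followed by a unit and that the longest unit is hour.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
_LEASE_RE = re.compile(r"^(\d+)([smh])$")


def parse_lease(value):
    """Convert a lease string such as "1h" or "30m" into seconds.

    Rejects an empty value, a missing or unknown unit, units longer than an
    hour (so "2d" is an error) and a zero-length lease.
    """
    match = _LEASE_RE.match(value.strip())
    if match is None:
        raise ValueError(f"invalid lease {value!r}: expected <integer><s|m|h>")
    amount, unit = int(match.group(1)), match.group(2)
    if amount == 0:
        raise ValueError("lease must be positive")
    return amount * _UNIT_SECONDS[unit]


def check_lease_settings(lease, lease_max, default="1h"):
    """Validate a (lease, lease_max) pair before calling config_lease.

    Missing values fall back to the 1 hour default the database backends use.
    Returns both values in seconds; a lease above lease_max is rejected, since
    a credential could otherwise outlive the session cap the operator set.
    """
    lease_s = parse_lease(lease or default)
    max_s = parse_lease(lease_max or default)
    if lease_s > max_s:
        raise ValueError(f"lease {lease!r} exceeds lease_max {lease_max!r}")
    return lease_s, max_s
```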
    task write_role(name, *, policy)
        Write named role.

        This path allows you to read and write roles that are used to create access keys. These roles have IAM policies that map directly to the route to read the access keys. For example, if the backend is mounted at “aws” and you create a role at “aws/roles/deploy” then a user could request access credentials at “aws/creds/deploy”.

        The policies written are normal IAM policies. Vault will not attempt to parse these except to validate that they’re basic JSON. To validate the keys, attempt to read an access key after writing the policy.

        Parameters:
        - name (str) – The role name.
        - policy (obj) – The IAM policy.
        Returns: bool

    task creds(name)
        Generates a dynamic IAM credential based on the named role.
        Parameters: name (str) – The role name.
        Returns: Value

    mount(*, name=None, description=None)
        Mount a new secret backend.

    unmount()
        Unmount the secret backend.

class ConsulBackend(name, type, req_handler)

    task config_access(address, token)
        Configures the access information for Consul.
        This is a root protected endpoint.
        Returns: bool

    task read_role(name)
        Queries a Consul role definition.
        Parameters: name (str) – The role name.
        Returns: Value

    task write_role(name, *, policy, lease=None)
        Creates or updates the Consul role definition.
        Returns: bool

    task delete_role(name)
        Deletes a Consul role definition.
        Parameters: name (str) – The role name.
        Returns: bool

    task creds(name)
        Generates a dynamic Consul token based on the role definition.
        Parameters: name (str) – The role name.
        Returns: Value

    mount(*, name=None, description=None)
        Mount a new secret backend.

    unmount()
        Unmount the secret backend.

class PostgreSQLBackend(name, type, req_handler)

    task config_connection(*, dsn)
        Configures the connection string used to communicate with PostgreSQL.
        This is a root protected endpoint.
        Parameters: dsn (str) – The PostgreSQL connection URL or PG style string, e.g. “user=foo host=bar”.

    task config_lease(lease, lease_max)
        Configures the lease settings for generated credentials.
        If not configured, leases default to 1 hour. This is a root protected endpoint.

    task write_role(name, sql)
        Creates or updates the role definition.
        Parameters: sql (str) – The SQL statements executed to create and configure the role. Must be semicolon separated. The ‘{{name}}’, ‘{{password}}’ and ‘{{expiration}}’ values will be substituted.

    task creds(name)
        Generates a new set of dynamic credentials based on the named role.
        Parameters: name (str) – The role name.

    mount(*, name=None, description=None)
        Mount a new secret backend.

    unmount()
        Unmount the secret backend.

class MySQLBackend(name, type, req_handler)

    The MySQL backend dynamically generates database users.

    After mounting this backend, configure it using the endpoints within the “config/” path.

    task config_connection(*, dsn)
        Configure the connection string to talk to MySQL.

        This path configures the connection string used to connect to MySQL. The value of the string is a Data Source Name (DSN). The general form is:

            username:password@protocol(address)/dbname?param=value

        For example, an RDS instance may look like:

            id:password@tcp(your-amazonaws-uri.com:3306)/dbname

        When configuring the connection string, the backend will verify its validity.
        This is a root protected endpoint.
        Parameters: dsn (str) – The MySQL DSN.
        Returns: bool

    task config_lease(lease, lease_max)
        Configures the lease settings for generated credentials.
        If not configured, leases default to 1 hour. This is a root protected endpoint.
        Returns: bool

    task read_role(name)
        Queries the role definition.
        Parameters: name (str) – Name of the role.
        Returns: Value

    task write_role(name, sql)
        Creates or updates the role definition.

        This path lets you manage the roles that can be created with this backend.

        The “sql” parameter customizes the SQL string used to create the role. This can be a sequence of SQL queries, each semicolon separated. Some substitution will be done to the SQL string for certain keys. The names of the variables must be surrounded by “{{” and “}}” to be replaced.

        - name: The random username generated for the DB user.
        - password: The random password generated for the DB user.

        Example of a decent SQL query to use:

            CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
            GRANT ALL ON db1.* TO '{{name}}'@'%';

        Note the above user would be able to access anything in db1. Please see the MySQL manual on the GRANT command to learn how to do more fine grained access.
        Returns: bool
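The {{name}}, {{password}} and {{expiration}} substitution used by the PostgreSQL and MySQL write_role endpoints above, as an added example that is not the client library's or Vault's own code: it renders a role template the way a backend would, splits it into semicolon-separated statements, and flags grants broader than a short-lived dynamic user normally needs. The username prefix, password alphabet, expiration format and the grant heuristics are assumptions made for this example.

```python
import re
import secrets
import string
from datetime import datetime, timedelta, timezone

# Placeholders the PostgreSQL and MySQL backends substitute into the role SQL.
PLACEHOLDERS = ("name", "password", "expiration")
# Alphabet deliberately excludes ';' and quotes: the rendered string is split on
# semicolons and the values land inside single-quoted SQL literals.
_ALPHABET = string.ascii_letters + string.digits
# Heuristics for over-broad grants (assumed here, not Vault's own checks).
_GRANT_ALL = re.compile(r"\bGRANT\s+ALL\b", re.IGNORECASE)
_ALL_DATABASES = re.compile(r"\bON\s+\*\.\*", re.IGNORECASE)


def split_statements(sql):
    """Split semicolon-separated SQL into individual non-empty statements."""
    return [s.strip() for s in sql.split(";") if s.strip()]


def render_role_sql(sql, lease_seconds, now=None):
    """Render a role template into the statements a backend would execute.

    The username prefix, password length and expiration format are constructed
    for this example; Vault's own generation may differ.
    """
    unknown = set(re.findall(r"\{\{(\w+)\}\}", sql)) - set(PLACEHOLDERS)
    if unknown:
        raise ValueError(f"unsupported placeholders: {sorted(unknown)}")
    now = now or datetime.now(timezone.utc)
    values = {
        "name": "v-" + "".join(secrets.choice(_ALPHABET) for _ in range(12)),
        "password": "".join(secrets.choice(_ALPHABET) for _ in range(32)),
        "expiration": (now + timedelta(seconds=lease_seconds)).strftime("%Y-%m-%d %H:%M:%S"),
    }
    rendered = sql
    for key, value in values.items():
        rendered = rendered.replace("{{" + key + "}}", value)
    return values, split_statements(rendered)


def review_role_sql(sql):
    """Flag statements granting more than a short-lived dynamic user should get."""
    warnings = []
    for statement in split_statements(sql):
        if _ALL_DATABASES.search(statement):
            warnings.append(f"grant spans every database: {statement}")
        elif _GRANT_ALL.search(statement):
            warnings.append(f"GRANT ALL; prefer specific privileges: {statement}")
    return warnings
```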
    task delete_role(name)
        Deletes the role definition.
        Parameters: name (str) – The role name.
        Returns: bool

    task creds(name)
        Generates a new set of dynamic credentials based on the named role.
        This path reads database credentials for a certain role. The database credentials will be generated on demand and will be automatically revoked when the lease is up.
        Parameters: name (str) – The role name.
        Returns: Value

    mount(*, name=None, description=None)
        Mount a new secret backend.

    unmount()
        Unmount the secret backend.

class TransitBackend(name, type, req_handler)

    task read_key(name)
        Returns information about a named encryption key.
        This is a root protected endpoint.
        Parameters: name (str) – The transit key.
        Returns: Value

    task read_raw(name)
        Fetch raw keys for named encryption keys.
        This path is used to get the underlying encryption keys used for the named keys that are available.
        Parameters: name (str) – The transit key.
        Returns: Value

    task write_key(name, *, derived=False)
        Creates a new named encryption key.
        This is a root protected endpoint.
        Returns: bool

    task delete_key(name)
        Deletes a named encryption key.
        This is a root protected endpoint. All data encrypted with the named key will no longer be decryptable.
        Parameters: name (str) – The transit key.
        Returns: bool

    task encrypt(key, plaintext, context=None)
        Encrypts the provided plaintext using the named key.
        Returns: Value

    task decrypt(key, ciphertext, context=None)
        Decrypts the provided ciphertext using the named key.
        Returns: Value

    mount(*, name=None, description=None)
        Mount a new secret backend.

    unmount()
        Unmount the secret backend.

class GenericBackend(name, type, req_handler)

    Store arbitrary secrets within the configured physical storage.

    The generic backend allows for writing keys with arbitrary values. The only value that is special is the lease key, which can be provided with any key to restrict the lease time of the secret. This is useful to ensure clients periodically renew so that key rolling can be time bounded.

    task read(key)
        Reads the value of the key at the given path.
        Parameters: key (str) – The key to read.
        Returns: Value – The key value.

    task write(key, values)
        Update the value of the key at the given path.
        Returns: bool – The key has been written.

    task delete(key)
        Ensure that the key at the given path is absent.
        Parameters: key (str) – The key name.
        Returns: bool – The key does not exist in storage.

    mount(*, name=None, description=None)
        Mount a new secret backend.

    unmount()
        Unmount the secret backend.