Source code for saltext.vault.sdb.vault
"""
Use secret values sourced from Vault in ``sdb://`` URIs.
.. important::
This module requires the general :ref:`Vault setup <vault-setup>`.
Setup
-----
Like all SDB modules, this module requires a configuration profile in either
the minion configuration file or a pillar:
.. code-block:: yaml
myvault:
driver: vault
Once configured, you can access data using a URL such as:
.. code-block:: yaml
password: sdb://myvault/secret/passwords/mypassword
In this URL, ``myvault`` refers to the configuration profile,
``secret/passwords`` is the path where the data resides, and ``mypassword`` is
the key of the data to return.
The above URI is analogous to running the following vault command:
.. code-block:: bash
$ vault read -field=mypassword secret/passwords
Further configuration
---------------------
The following options can be set in the profile:
.. vconf:: sdb.patch
``patch``
When writing data, partially update the secret instead of overwriting it completely.
This is usually the expected behavior, since without this option,
each secret path can only contain a single mapping key safely.
Currently defaults to ``False`` for backwards-compatibility reasons.
Beginning with version 2 of this extension, will default to ``True``.
"""
import logging
import salt.exceptions
from saltext.vault.utils import vault
from saltext.vault.utils.versions import warn_until
log = logging.getLogger(__name__)
__func_alias__ = {"set_": "set"}
[docs]
def set_(key, value, profile=None): # pylint: disable=unused-argument
"""
Set a key/value pair in the vault service
"""
if "?" in key:
path, key = key.split("?")
else:
path, key = key.rsplit("/", 1)
data = {key: value}
curr_data = {}
profile = profile or {}
patch = profile.get("patch")
if patch is None:
try:
warn_until(
2,
(
"Beginning with version {version}, the Vault SDB module will "
"partially update secrets instead of overwriting it completely. "
"You can switch to the new behavior explicitly by specifying "
"patch: true in your Vault SDB configuration."
),
)
patch = False
except RuntimeError:
patch = True
if patch:
try:
# Patching only works on existing secrets.
# Save the current data if patching is enabled
# to write it back later, if any errors happen in patch_kv.
# This also checks that the path exists, otherwise patching fails as well.
curr_data = vault.read_kv(path, __opts__, __context__)
vault.patch_kv(path, data, __opts__, __context__)
return True
except (vault.VaultNotFoundError, vault.VaultPermissionDeniedError):
pass
curr_data.update(data)
try:
vault.write_kv(path, data, __opts__, __context__)
return True
except Exception as err: # pylint: disable=broad-except
log.error("Failed to write secret! %s: %s", type(err).__name__, err)
raise salt.exceptions.CommandExecutionError(err) from err
[docs]
def get(key, profile=None): # pylint: disable=unused-argument
"""
Get a value from the vault service
"""
full_path = key
if "?" in key:
path, key = key.split("?")
else:
path, key = key.rsplit("/", 1)
try:
try:
res = vault.read_kv(path, __opts__, __context__)
if key in res:
return res[key]
return None
except vault.VaultNotFoundError:
return vault.read_kv(full_path, __opts__, __context__)
except vault.VaultNotFoundError:
return None
except Exception as err: # pylint: disable=broad-except
log.error("Failed to read secret! %s: %s", type(err).__name__, err)
raise salt.exceptions.CommandExecutionError(err) from err