vault_approle¶
Manage the Vault (or OpenBao) AppRole auth backend, request and cache AppRole SecretIDs.
Added in version 1.8.0.
Important
This module requires the general Vault setup.
- saltext.vault.modules.vault_approle.list_(mount='approle')[source]¶
List existing AppRoles.
CLI Example:
salt '*' vault_approle.list
Required policy:
path "auth/<mount>/role" { capabilities = ["list"] }
- mount
Name of the mount point the AppRole auth backend is mounted to. Defaults to
approle.
- saltext.vault.modules.vault_approle.read(name, mount='approle')[source]¶
Read an AppRole configuration.
CLI Example:
salt '*' vault_approle.read salt_master
Required policy:
path "auth/<mount>/role/<name>" { capabilities = ["read"] }
- name
Name of the AppRole.
- mount
Name of the mount point the AppRole auth backend is mounted to. Defaults to
approle.
- saltext.vault.modules.vault_approle.write(name, bind_secret_id=None, secret_id_bound_cidrs=None, secret_id_num_uses=None, secret_id_ttl=None, local_secret_ids=None, token_ttl=None, token_max_ttl=None, token_policies=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_type=None, alias_metadata=None, token_strictly_bind_ip=None, mount='approle')[source]¶
Write an AppRole configuration.
CLI Example:
salt '*' vault_approle.write salt_master token_num_uses=0
Required policy:
path "auth/<mount>/role/<name>" { capabilities = ["create", "update"] }
- name
Name of the AppRole.
- secret_id_bound_cidrs
List of CIDR blocks that specifies blocks of IP addresses which can perform the login operation
- secret_id_num_uses
Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID by default will expire. A value of zero will allow unlimited uses. However, this option may be overridden by the request’s ‘num_uses’ field when generating a SecretID.
- secret_id_ttl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which by default any SecretID expires. A value of zero will allow the SecretID to not expire. However, this option may be overridden by the request’s ‘ttl’ field when generating a SecretID.
- local_secret_ids
If set, the SecretIDs generated using this role will be cluster local. This can only be set during role creation and once set, it can’t be reset later.
- token_ttl
Incremental lifetime for generated tokens. This value will be referenced at renewal time.
- token_max_ttl
Maximum lifetime for generated tokens. This value will be referenced at renewal time.
- token_policies
List of token policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_bound_cidrs
List of CIDR blocks that specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_explicit_max_ttl
If set, will encode an explicit max TTL onto the token. This is a hard cap, even if token_ttl and token_max_ttl would otherwise allow a renewal.
- token_no_default_policy
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in
token_policies.- token_num_uses
Maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0.
- token_period
Maximum allowed period value when a periodic token is requested from this role.
- token_type
Type of token that should be generated. Can be
service,batch, ordefaultto use the mount’s tuned default. For token store roles, there are two additional possibilities:default-serviceanddefault-batch, which specify the type to return unless the client requests a different type at generation time.- alias_metadata
Important
Only available on Vault, not OpenBao.
Map of arbitrary string to arbitrary string that pre-populates the custom metadata of new entity aliases created at login.
- token_strictly_bind_ip
Important
Only available on OpenBao, not Vault.
If set, the token will be restricted to the source IP address making the initial login request. This conflicts with
token_bound_cidrs.- mount
Name of the mount point the AppRole auth backend is mounted at. Defaults to
approle.
- saltext.vault.modules.vault_approle.delete(name, mount='approle')[source]¶
Delete an AppRole.
CLI Example:
salt '*' vault_approle.delete salt_master_bak
Required policy:
path "auth/<mount>/role/<name>" { capabilities = ["delete"] }
- name
Name of the AppRole.
- mount
Name of the mount point the AppRole auth backend is mounted at. Defaults to
approle.
- saltext.vault.modules.vault_approle.get_role_id(name, wrap=False, mount='approle')[source]¶
Get an AppRole’s RoleID.
CLI Example:
salt '*' vault.get_role_id salt_master
Required policy:
path "auth/<mount>/role/<name>/role-id" { capabilities = ["read"] }
- name
Name of the AppRole.
- wrap
Instead of returning the RoleID, return a response wrapping token that is valid for this amount of time. Defaults to false.
- mount
Name of the mount point the AppRole auth backend is mounted at. Defaults to
approle.
- saltext.vault.modules.vault_approle.get_secret_id(name, metadata=None, cidr_list=None, token_bound_cidrs=None, num_uses=None, ttl=None, cache=None, min_ttl=60, wrap=False, all_data=False, mount='approle')[source]¶
Generate a SecretID for an AppRole.
CLI Example:
salt '*' vault.get_secret_id salt_master_bak
Required policy:
path "auth/<mount>/role/<name>/secret-id" { capabilities = ["create", "update"] }
- name
Name of the AppRole.
- metadata
A string-valued dictionary of metadata tied to this particular SecretID.
- cidr_list
List of CIDR blocks enforcing SecretIDs to be used from specific set of IP addresses. If
secret_id_bound_cidrsis set on the role, then this list of CIDR blocks should be a subset of the CIDR blocks listed on the role.- token_bound_cidrs
A list of CIDR blocks which can use the auth tokens generated by this SecretID. Overrides any role-set value, but must be a subset thereof.
- num_uses
Number of times this SecretID can be used, after which the SecretID expires. A value of zero will allow unlimited uses. Overrides
secret_id_num_usesrole option when supplied. May not be higher than role’ssecret_id_num_uses.- ttl
Duration in seconds (
3600) or an integer time unit (60m) after which this SecretID expires. Overridessecret_id_ttlrole option when supplied. May not be longer than role’ssecret_id_ttl.- cache
Whether to cache issued SecretIDs. Disabled when
wrapis set, otherwise defaults to true. Set this to a string to be able to issue distinct SecretIDs for the same role.- min_ttl
When using cached data, ensure the SecretID is at least valid for this amount of time. Can be an integer, which is interpreted as seconds, or a time string such as
1h. Defaults to 60 (seconds).- wrap
Instead of returning the SecretID, return a response wrapping token that is valid for this amount of time. Can be an integer, which is interpreted as seconds, or a time string such as
1h. Defaults to false.- all_data
Return a dictionary of information, including
[wrapping_]accessor, duration, expire_time etc. If this is false, only returns the SecretID/wrapping token as a string. Defaults to false.- mount
Name of the mount point the AppRole auth backend is mounted at. Defaults to
approle.
- saltext.vault.modules.vault_approle.lookup_secret_id(name, secret_id=None, accessor=None, mount='approle')[source]¶
Lookup Secret ID meta information.
CLI Example:
salt '*' vault.lookup_secret_id salt_master accessor=abcde1-f234...
Required policy:
path "auth/<mount>/role/<name>/secret-id/lookup" { capabilities = ["create", "update"] } path "auth/<mount>/role/<name>/secret-id-accessor/lookup" { capabilities = ["create", "update"] }
- name
Name of the AppRole the SecretID belongs to.
- secret_id
A SecretID to look up. Specify either this or
accessor.- accessor
An accessor for the SecretID to look up. Specify either this or
secret_id.- mount
Name of the mount point the AppRole auth backend is mounted at. Defaults to
approle.
- saltext.vault.modules.vault_approle.destroy_secret_id(name, secret_id=None, accessor=None, mount='approle')[source]¶
Destroy a Secret ID.
CLI Example:
salt '*' vault.destroy_secret_id salt_master accessor=abcde1-f234...
Required policy:
path "auth/<mount>/role/<name>/secret-id/destroy" { capabilities = ["create", "update"] } path "auth/<mount>/role/<name>/secret-id-accessor/destroy" { capabilities = ["create", "update"] }
- name
Name of the AppRole the SecretID belongs to.
- secret_id
SecretID to destroy. Specify either this or
accessor.- accessor
Accessor for the SecretID to destroy. Specify either this or
secret_id.- mount
Name of the mount point the AppRole auth backend is mounted at. Defaults to
approle.
- saltext.vault.modules.vault_approle.clear_cached(name=None, cache=None, mount=None, flush_on_failure=True)[source]¶
Flush cached SecretIDs. Attempts revocation.
CLI Example:
salt '*' vault.clear_cached
Recommended policy:
path "auth/<mount>/role/<name>/secret-id-accessor/destroy" { capabilities = ["create", "update"] }
- name
Only clear SecretIDs for this role name.
- cache
Only clear SecretIDs with this cache name.
- mount
Only clear SecretIDs from this backend mount.
- flush_on_failure
If a revocation fails, remove the lease from cache anyways. Defaults to true.
- saltext.vault.modules.vault_approle.list_cached(name=None, cache=None, mount=None)[source]¶
List cached AppRoles matching specified parameters.
CLI Example:
salt '*' vault_approle.list_cached name=myrole mount=database salt '*' vault_approle.list_cached mount=database salt '*' vault_approle.list_cached
- name
Only list credentials using this AppRole name.
- mount
Only list credentials from this mount.
- cache
Only list credentials using this cache name (refer to
get_secret_idfor details).