vault_approle¶
Manage the Vault (or OpenBao) AppRole auth backend.
Added in version 1.8.0.
Important
This module requires the general Vault setup.
- saltext.vault.states.vault_approle.present(name, bind_secret_id=None, secret_id_bound_cidrs=None, secret_id_num_uses=None, secret_id_ttl=None, local_secret_ids=None, token_ttl=None, token_max_ttl=None, token_policies=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_type=None, alias_metadata=None, token_strictly_bind_ip=None, mount='approle')[source]¶
Ensure an AppRole is present as specified.
- name
Name of the AppRole.
- secret_id_bound_cidrs
List of CIDR blocks that specifies blocks of IP addresses which can perform the login operation
- secret_id_num_uses
Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID by default will expire. A value of zero will allow unlimited uses. However, this option may be overridden by the request’s ‘num_uses’ field when generating a SecretID.
- secret_id_ttl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which by default any SecretID expires. A value of zero will allow the SecretID to not expire. However, this option may be overridden by the request’s ‘ttl’ field when generating a SecretID.
- local_secret_ids
If set, the SecretIDs generated using this role will be cluster local. This can only be set during role creation and once set, it can’t be reset later.
- token_ttl
Incremental lifetime for generated tokens. This value will be referenced at renewal time.
- token_max_ttl
Maximum lifetime for generated tokens. This value will be referenced at renewal time.
- token_policies
List of token policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_bound_cidrs
List of CIDR blocks that specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_explicit_max_ttl
If set, will encode an explicit max TTL onto the token. This is a hard cap, even if token_ttl and token_max_ttl would otherwise allow a renewal.
- token_no_default_policy
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in
token_policies.- token_num_uses
Maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0.
- token_period
Maximum allowed period value when a periodic token is requested from this role.
- token_type
Type of token that should be generated. Can be
service,batch, ordefaultto use the mount’s tuned default. For token store roles, there are two additional possibilities:default-serviceanddefault-batch, which specify the type to return unless the client requests a different type at generation time.- alias_metadata
Important
Only available on Vault, not OpenBao.
Map of arbitrary string to arbitrary string that pre-populates the custom metadata of new entity aliases created at login.
- token_strictly_bind_ip
Important
Only available on OpenBao, not Vault.
If set, the token will be restricted to the source IP address making the initial login request. This conflicts with
token_bound_cidrs.- mount
Name of the mount point the AppRole auth backend is mounted at. Defaults to
approle.