vault_approle

Manage the Vault (or OpenBao) AppRole auth backend.

Added in version 1.8.0.

Important

This module requires the general Vault setup.

saltext.vault.states.vault_approle.present(name, bind_secret_id=None, secret_id_bound_cidrs=None, secret_id_num_uses=None, secret_id_ttl=None, local_secret_ids=None, token_ttl=None, token_max_ttl=None, token_policies=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_type=None, alias_metadata=None, token_strictly_bind_ip=None, mount='approle')[source]

Ensure an AppRole is present as specified.

name

Name of the AppRole.

secret_id_bound_cidrs

List of CIDR blocks that specifies blocks of IP addresses which can perform the login operation

secret_id_num_uses

Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID by default will expire. A value of zero will allow unlimited uses. However, this option may be overridden by the request’s ‘num_uses’ field when generating a SecretID.

secret_id_ttl

Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which by default any SecretID expires. A value of zero will allow the SecretID to not expire. However, this option may be overridden by the request’s ‘ttl’ field when generating a SecretID.

local_secret_ids

If set, the SecretIDs generated using this role will be cluster local. This can only be set during role creation and once set, it can’t be reset later.

token_ttl

Incremental lifetime for generated tokens. This value will be referenced at renewal time.

token_max_ttl

Maximum lifetime for generated tokens. This value will be referenced at renewal time.

token_policies

List of token policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_bound_cidrs

List of CIDR blocks that specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl

If set, will encode an explicit max TTL onto the token. This is a hard cap, even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_no_default_policy

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses

Maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0.

token_period

Maximum allowed period value when a periodic token is requested from this role.

token_type

Type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default. For token store roles, there are two additional possibilities: default-service and default-batch, which specify the type to return unless the client requests a different type at generation time.

alias_metadata

Important

Only available on Vault, not OpenBao.

Map of arbitrary string to arbitrary string that pre-populates the custom metadata of new entity aliases created at login.

token_strictly_bind_ip

Important

Only available on OpenBao, not Vault.

If set, the token will be restricted to the source IP address making the initial login request. This conflicts with token_bound_cidrs.

mount

Name of the mount point the AppRole auth backend is mounted at. Defaults to approle.

saltext.vault.states.vault_approle.absent(name, mount='approle')[source]

Ensure an AppRole is not present.

name

Name of the AppRole.

mount

Name of the mount point the AppRole auth backend is mounted at. Defaults to approle.