saltext.vault.utils.vault.api

Class wrappers for several Vault API endpoints

class saltext.vault.utils.vault.api.AppRoleApi(client)[source]

Wraps the Vault AppRole API.

Note

All durations can be specified either as an integer time in seconds or a time string like 1h.

list_approles(mount='approle')[source]

List all AppRoles present on the specified mount.

mount

Name of the AppRole auth backend mount. Defaults to approle.

read_approle(name, mount='approle')[source]

Read the properties of an existing AppRole. Raises VaultNotFound if the AppRole does not exist on the mount.

name

Name of the AppRole to read the properties of.

mount

Name of the AppRole auth backend mount. Defaults to approle.

write_approle(name, bind_secret_id=None, secret_id_bound_cidrs=None, secret_id_num_uses=None, secret_id_ttl=None, local_secret_ids=None, token_ttl=None, token_max_ttl=None, token_policies=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_type=None, mount='approle')[source]

Create or update an AppRole.

name

Name of the AppRole to create or update.

bind_secret_id

Require a SecretID when authenticating with this AppRole. Defaults to true.

secret_id_bound_cidrs

List of blocks of IP addresses in CIDR notation that can perform the login operation.

secret_id_num_uses

Number of times a generated SecretID can be used to authenticate with this AppRole by default. 0 means unlimited.

secret_id_ttl

Duration after which a generated SecretID for this AppRole expires by default.

local_secret_ids

If set, the secret IDs generated using this role will be cluster-local. This can only be set during role creation and once set, it can’t be reset later. Defaults to false.

token_ttl

The incremental lifetime for tokens generated by authenticating with this AppRole. This value will be referenced at renewal time.

token_max_ttl

The maximum lifetime for tokens generated by authenticating with this AppRole. This value will be referenced at renewal time.

token_policies

List of token policies to encode onto generated tokens. This list may be supplemented by user/group/other values.

token_bound_cidrs

List of blocks of IP addresses in CIDR notation that can perform the login operation. The resulting token will be tied to these blocks as well.

token_explicit_max_ttl

Place a hard cap on the maximum lifetime of tokens issued by authenticating with this AppRole.

token_no_default_policy

Do not add the default policy to tokens generated by authenticating with this AppRole. Defaults to false.

token_num_uses

Number of times a token generated by authenticating with this AppRole may be used to issue requests. 0 means unlimited.

token_period

The maximum allowed period value when a periodic token is requested from this role.

token_type

The type of token that should be generated (service, batch or default).

mount

Name of the AppRole auth backend mount. Defaults to approle.

delete_approle(name, mount='approle')[source]

Delete an existing AppRole. Raises VaultNotFound if the AppRole does not exist on the mount.

name

Name of the AppRole to delete.

mount

Name of the AppRole auth backend mount. Defaults to approle.

read_role_id(name, wrap=False, mount='approle')[source]

Read the associated RoleID of an existing AppRole. Raises VaultNotFound if the AppRole does not exist on the mount.

name

Name of the AppRole.

wrap

If set, specifies the duration the resulting wrapping token should be valid for. This token can be used once to access the query result. Defaults to false, in which case the RoleID is returned directly as a string.

mount

Name of the AppRole auth backend mount. Defaults to approle.

generate_secret_id(name, metadata=None, cidr_list=None, token_bound_cidrs=None, num_uses=None, ttl=None, wrap=False, mount='approle')[source]

Generate a SecretID for an existing AppRole. Raises VaultNotFound if the AppRole does not exist on the mount.

name

Name of the AppRole.

metadata

Mapping of string keys to string values that specifies metadata to be set on the token generated by authenticating with this specific SecretID. It is logged to the audit logs in plaintext, so it must not carry secrets.

cidr_list

List of blocks of IP addresses in CIDR notation that can perform the login operation with this specific SecretID. If secret_id_bound_cidrs is set on the AppRole, this list must be a subset of the ones specified there.

token_bound_cidrs

List of blocks of IP addresses in CIDR notation that can perform the login operation. The resulting token will be tied to these blocks as well. If token_bound_cidrs is set on the AppRole, this list must be a subset of the ones specified there.

num_uses

Number of times this specific SecretID can be used to authenticate by default. 0 means unlimited. Must be equal to or lower than secret_id_num_uses set on the AppRole.

ttl

Duration after which this SecretID should expire. Must be equal to or lower than secret_id_ttl set on the AppRole.

wrap

If set, specifies the duration the resulting wrapping token should be valid for. This token can be used once to access the query result. Defaults to false, in which case the SecretID is returned directly as a string.

mount

Name of the AppRole auth backend mount. Defaults to approle.
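The subset and ceiling rules above (cidr_list within secret_id_bound_cidrs, token_bound_cidrs within the role's token_bound_cidrs, num_uses and ttl at or below the role's limits, durations as seconds or strings like 1h) can be checked locally before calling generate_secret_id. The following is an added example, not code from saltext.vault; it assumes that read_approle returns a dict keyed by the same field names write_approle accepts, and the helper generate_secret_id_checked and the sample role dict are this example's own.

```python
"""Pre-flight checks for generate_secret_id (added example, not project code).

Vault refuses a SecretID request whose cidr_list, token_bound_cidrs, num_uses
or ttl exceed what the AppRole allows. Checking locally first yields a clear
error instead of a failed request in the audit log. The `role` mapping uses
the same field names write_approle() accepts; that read_approle() returns a
dict with these keys is an assumption of this example.
"""
import ipaddress
import re

_DURATION_RE = re.compile(r"(\d+)([smhd])")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_to_seconds(value):
    """Accept an integer count of seconds or a time string such as "1h30m"."""
    if isinstance(value, bool):
        raise TypeError("booleans are not durations")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("negative duration")
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION_RE.findall(text)
    # Reject anything the regex did not consume completely ("1h x", "1x", "").
    if not parts or "".join(num + unit for num, unit in parts) != text:
        raise ValueError(f"unparseable duration: {value!r}")
    return sum(int(num) * _UNIT_SECONDS[unit] for num, unit in parts)


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in (cidrs or [])]


def cidrs_within(candidates, allowed):
    """True when every candidate block lies inside some allowed block.
    An empty allowed list means the role imposes no restriction."""
    allowed_nets = _networks(allowed)
    if not allowed_nets:
        return True
    return all(
        any(c.version == a.version and c.subnet_of(a) for a in allowed_nets)
        for c in _networks(candidates)
    )


def check_secret_id_request(role, cidr_list=None, token_bound_cidrs=None,
                            num_uses=None, ttl=None):
    """Return the list of constraint violations (empty when acceptable).
    Parameters left as None fall back to the role's own values, so only
    explicitly supplied ones are checked."""
    problems = []
    if not cidrs_within(cidr_list, role.get("secret_id_bound_cidrs")):
        problems.append("cidr_list is not a subset of the role's secret_id_bound_cidrs")
    if not cidrs_within(token_bound_cidrs, role.get("token_bound_cidrs")):
        problems.append("token_bound_cidrs is not a subset of the role's token_bound_cidrs")
    role_uses = role.get("secret_id_num_uses") or 0  # 0 means unlimited
    if num_uses is not None and role_uses and not 0 < num_uses <= role_uses:
        # 0 (unlimited) counts as exceeding a finite role limit.
        problems.append(f"num_uses must be between 1 and {role_uses}")
    role_ttl = duration_to_seconds(role.get("secret_id_ttl") or 0)  # 0 means no expiry
    if ttl is not None and role_ttl and not 0 < duration_to_seconds(ttl) <= role_ttl:
        problems.append(f"ttl must be between 1s and {role_ttl}s")
    return problems


def generate_secret_id_checked(api, name, role, mount="approle", wrap="5m", **request):
    """Validate, then ask for a response-wrapped SecretID so the raw value is
    unwrapped only by the consuming application, never by the orchestrator."""
    problems = check_secret_id_request(role, **request)
    if problems:
        raise ValueError("; ".join(problems))
    return api.generate_secret_id(name, wrap=wrap, mount=mount, **request)


# Constructed sample of what read_approle() is assumed to return.
SAMPLE_ROLE = {
    "secret_id_bound_cidrs": ["10.0.0.0/8"],
    "token_bound_cidrs": ["10.1.0.0/16"],
    "secret_id_num_uses": 5,
    "secret_id_ttl": "1h",
}
```

Requesting the SecretID response-wrapped (wrap set to a short duration) is the usual pattern: the orchestrator hands the single-use wrapping token to the application, which unwraps it itself, so the SecretID never sits in the orchestrator's logs or state.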

read_secret_id(name, secret_id=None, accessor=None, mount='approle')[source]

Read properties of an existing SecretID. Raises VaultNotFound if the AppRole and/or SecretID does not exist on the mount.

name

Name of the AppRole the SecretID belongs to.

secret_id

The SecretID to look up. Specify either this or accessor.

accessor

The accessor of the SecretID to look up. Specify either this or secret_id.

mount

Name of the AppRole auth backend mount. Defaults to approle.

destroy_secret_id(name, secret_id=None, accessor=None, mount='approle')[source]

Destroy an existing SecretID. Raises VaultNotFound if the AppRole and/or SecretID does not exist on the mount.

name

Name of the AppRole the SecretID belongs to.

secret_id

The SecretID to destroy. Specify either this or accessor.

accessor

The accessor of the SecretID to destroy. Specify either this or secret_id.

mount

Name of the AppRole auth backend mount. Defaults to approle.

class saltext.vault.utils.vault.api.IdentityApi(client)[source]

Wraps the Vault Identity secret engine API.

list_entities()[source]

Return a list of the names of all entities known by Vault.

read_entity(name)[source]

Read the properties of an entity by its name. Raises VaultNotFound if the entity does not exist.

name

Name of the entity to read the properties of.

read_entity_by_alias(alias, mount)[source]

Look up the properties of an entity by its alias name and mount. Raises VaultNotFound if the entity does not exist.

alias

The name of the entity’s alias on the specified mount. For AppRole backends, this is the RoleID.

mount

The name of the mount the given alias is associated with. For example, if the backend is mounted at auth/approle, this should be approle.

write_entity(name, metadata=None, policies=None, disabled=None)[source]

Create or update an entity by name.

name

The name of the entity.

metadata

Mapping of string keys to string values that specifies metadata to be set on the entity. This can be used to template policies.

policies

List of policies to be tied to the entity. These policies will be active in addition to auth method-specific policies.

disabled

Whether this entity should be disabled. Disabled entities’ associated tokens cannot be used, but are not revoked. Defaults to false.

delete_entity(name)[source]

Delete an entity by name. Raises VaultNotFound if the entity does not exist.

name

The name of the entity.

write_entity_alias(name, alias_name, mount, custom_metadata=None)[source]

Create/update the association between an entity and a specific alias of an auth mount.

name

Name of the entity to associate with the alias.

alias_name

Name of the alias to associate with the entity. The specifics are dependent on the type of the auth backend. For AppRoles, this is the RoleID.

mount

The name of the mount the given alias is associated with. For example, if the backend is mounted at auth/approle, this should be approle.

custom_metadata

A map of arbitrary string to string valued user-provided metadata meant to describe the alias.
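Since an AppRole's alias name on its auth mount is the RoleID, associating a role with an entity is a fixed sequence: read_role_id, write_entity, write_entity_alias, then read_entity_by_alias to confirm. The block below is an added example, not saltext.vault code; it uses only the method signatures documented on this page, and the two in-memory Fake classes plus the NotFound placeholder are this example's own stand-ins for instances built on a real client.

```python
"""Linking an AppRole to an Identity entity (added example, not project code).

On an auth mount, an AppRole's alias name is its RoleID. Binding a role to an
entity therefore means: read the RoleID, create or update the entity, write an
alias named after the RoleID, and confirm the alias resolves back. Only the
method signatures documented for AppRoleApi and IdentityApi are used; the
in-memory fakes below are this example's own stand-ins for instances built on
a real VaultClient, and NotFound stands in for the real VaultNotFound.
"""


class NotFound(Exception):
    """Placeholder for VaultNotFound; defined here so the example runs offline."""


def bind_approle_to_entity(approle_api, identity_api, role_name, entity_name,
                           policies=None, metadata=None, mount="approle"):
    """Associate role_name on `mount` with entity_name; return the RoleID used."""
    # wrap=False (the default) returns the RoleID as a plain string.
    role_id = approle_api.read_role_id(role_name, mount=mount)
    identity_api.write_entity(entity_name, metadata=metadata, policies=policies)
    identity_api.write_entity_alias(
        entity_name, role_id, mount, custom_metadata={"approle": role_name}
    )
    # Verify the association before relying on entity policies at login.
    entity = identity_api.read_entity_by_alias(role_id, mount)
    if entity.get("name") != entity_name:
        raise RuntimeError(
            f"alias {role_id} resolved to {entity.get('name')!r}, expected {entity_name!r}"
        )
    return role_id


class FakeAppRoleApi:
    """Constructed stand-in holding a fixed RoleID per role name."""

    def __init__(self, role_ids):
        self._role_ids = dict(role_ids)

    def read_role_id(self, name, wrap=False, mount="approle"):
        if name not in self._role_ids:
            raise NotFound(f"{mount}/{name}")
        return self._role_ids[name]


class FakeIdentityApi:
    """Constructed stand-in recording entities and aliases in dicts."""

    def __init__(self):
        self.entities = {}
        self.aliases = {}  # (mount, alias_name) -> entity name

    def write_entity(self, name, metadata=None, policies=None, disabled=None):
        self.entities[name] = {
            "name": name,
            "metadata": dict(metadata or {}),
            "policies": list(policies or []),
            "disabled": bool(disabled),
        }

    def write_entity_alias(self, name, alias_name, mount, custom_metadata=None):
        if name not in self.entities:
            raise NotFound(name)
        self.aliases[(mount, alias_name)] = name

    def read_entity_by_alias(self, alias, mount):
        try:
            return self.entities[self.aliases[(mount, alias)]]
        except KeyError:
            raise NotFound(f"{mount}:{alias}") from None
```

The read-back at the end is the step worth keeping in real code: an alias written against the wrong mount name (for example the full auth/approle path instead of approle) is accepted by Vault but never matches at login, and the entity's policies silently fail to apply.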