saltext.vault.utils.vault.approle¶
Vault approle helpers
Added in version 1.8.0.
- saltext.vault.utils.vault.approle.get_store(opts: dict[str, Any], context: dict[str, Any]) SecretIdStore[source]¶
Return an instance of SecretIdStore.
- opts
Pass
__opts__.- context
Pass
__context__.
- saltext.vault.utils.vault.approle.create_cache_pattern(name: str | None = None, cache: str | Literal[True] | None = None, mount: str | None = None) str[source]¶
Render a match pattern for operating on cached leases. Unset parameters result in a
*glob.- name
Name of the database role.
- cache
Filter by cache name (refer to get_secret_id for details).
- mount
Mount path the associated database backend is mounted to.
- class saltext.vault.utils.vault.approle.SecretIdStore(api: vapi.AppRoleApi, cache: VaultLeaseCache[VaultSecretId])[source]¶
Caches SecretIDs and handles revocation
- get(ckey: str, valid_for: int | str = 0, destroy: bool = True) VaultSecretId | None[source]¶
Return a valid cached SecretID or None.
- ckey
Cache key the SecretID has been saved in.
- valid_for
Ensure the returned SecretID or wrapping token is valid for at least this amount of time. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix
sfor seconds,mfor minutes,hfor hours,dfor days. Defaults to 0.- destroy
If the SecretID is invalid or not valid for
valid_for, attempt to destroy it if possible and flush the cache. Defaults to true.
- destroy(name: str, secid: VaultSecretId, mount: str = 'approle')[source]¶
Destroy a SecretID.
- name
Name of the AppRole the SecretID belongs to.
- secid
SecretID to revoke.
- list_cached_info(match: str = '*') dict[str, dict[str, Any]][source]¶
List cached SecretIDs.
- match
Only list cached SecretIDs whose ckey matches this glob pattern. Defaults to
*.
- destroy_cached(match: str = '*', flush_on_failure: bool = True)[source]¶
Revoke cached leases.
- match
Only revoke cached leases whose ckey matches this glob pattern. Defaults to
*.- flush_on_failure
If a revocation fails, remove the lease from cache anyways. Defaults to true.
- store(ckey: str, secid: VaultSecretId)[source]¶
Cache a SecretID.
- ckey
The cache key the lease should be saved in.
- secid
A SecretID or wrapped SecretID to store.