saltext.vault.utils.vault.approle

Vault approle helpers

Added in version 1.8.0.

saltext.vault.utils.vault.approle.get_store(opts: dict[str, Any], context: dict[str, Any]) SecretIdStore[source]

Return an instance of SecretIdStore.

opts

Pass __opts__.

context

Pass __context__.

saltext.vault.utils.vault.approle.create_cache_pattern(name: str | None = None, cache: str | Literal[True] | None = None, mount: str | None = None) str[source]

Render a match pattern for operating on cached leases. Unset parameters result in a * glob.

name

Name of the database role.

cache

Filter by cache name (refer to get_secret_id for details).

mount

Mount path the associated database backend is mounted to.

class saltext.vault.utils.vault.approle.SecretIdStore(api: vapi.AppRoleApi, cache: VaultLeaseCache[VaultSecretId])[source]

Caches SecretIDs and handles revocation

get(ckey: str, valid_for: int | str = 0, destroy: bool = True) VaultSecretId | None[source]

Return a valid cached SecretID or None.

ckey

Cache key the SecretID has been saved in.

valid_for

Ensure the returned SecretID or wrapping token is valid for at least this amount of time. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

destroy

If the SecretID is invalid or not valid for valid_for, attempt to destroy it if possible and flush the cache. Defaults to true.

list() set[str][source]

List all cached leases.

destroy(name: str, secid: VaultSecretId, mount: str = 'approle')[source]

Destroy a SecretID.

name

Name of the AppRole the SecretID belongs to.

secid

SecretID to revoke.

list_cached_info(match: str = '*') dict[str, dict[str, Any]][source]

List cached SecretIDs.

match

Only list cached SecretIDs whose ckey matches this glob pattern. Defaults to *.

destroy_cached(match: str = '*', flush_on_failure: bool = True)[source]

Revoke cached leases.

match

Only revoke cached leases whose ckey matches this glob pattern. Defaults to *.

flush_on_failure

If a revocation fails, remove the lease from cache anyways. Defaults to true.

store(ckey: str, secid: VaultSecretId)[source]

Cache a SecretID.

ckey

The cache key the lease should be saved in.

secid

A SecretID or wrapped SecretID to store.