saltext.vault.utils.vault.auth

Vault authentication models

class saltext.vault.utils.vault.auth.VaultTokenAuth(cache=None, token=None)

Container for authentication tokens

is_renewable()

Check whether the contained token can be renewed, which requires it to be currently valid for at least two uses and renewable.

is_valid(valid_for=0)

Check whether the contained token is valid

get_token()

Return the contained token if it is valid; otherwise raise VaultAuthExpired.

used()

Increment the use counter for the contained token

update_token(auth)

Partially update the contained token (e.g. after renewal)

replace_token(token)

Completely replace the contained token with a new one

class saltext.vault.utils.vault.auth.VaultAppRoleAuth(approle, client, mount='approle', cache=None, token_store=None)

Issues tokens from AppRole credentials.

is_renewable()

Check whether the currently used token is renewable. SecretIDs are not renewable anyway.

is_valid(valid_for=0)

Check whether the contained authentication data can be used to issue a valid token

get_token()

Return the token issued by the last login if it is still valid. Otherwise, log in with the contained AppRole if it is valid. If neither is valid, raise VaultAuthExpired.

used()

Increment the use counter for the currently used token

update_token(auth)

Partially update the contained token (e.g. after renewal)

class saltext.vault.utils.vault.auth.VaultAppRole(role_id, secret_id=None)

Container that represents an AppRole

replace_secret_id(secret_id)

Replace the contained SecretID with a new one

is_valid(valid_for=0, uses=1)

Checks whether the contained data can be used to authenticate to Vault. SecretIDs might not be required by the server when bind_secret_id is set to false.

valid_for

Check whether the AppRole will still be valid in the future. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the AppRole has at least this number of uses left. Defaults to 1.

used()

Increment the SecretID use counter by one, if this AppRole uses one.

payload()

Return the payload to use for POST requests using this AppRole

class saltext.vault.utils.vault.auth.LocalVaultSecretId(**kwargs)

Represents a SecretID from local configuration and should not be cached.

is_valid(valid_for=0, uses=1)

Local SecretIDs are always assumed to be valid until proven otherwise

class saltext.vault.utils.vault.auth.InvalidVaultToken(*args, **kwargs)

Represents a missing token

is_valid(valid_for=0, uses=1)

Checks whether the token is valid for an amount of time and number of uses.

valid_for

Check whether the token will still be valid in the future. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the token has at least this number of uses left. Defaults to 1.

class saltext.vault.utils.vault.auth.InvalidVaultSecretId(*args, **kwargs)

Represents a missing SecretID

is_valid(valid_for=0, uses=1)

Checks whether the SecretID is valid for an amount of time and number of uses

valid_for

Check whether the SecretID will still be valid in the future. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the SecretID has at least this number of uses left. Defaults to 1.
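
The validity rules documented on this page (valid_for given as seconds or a Vault-style time string, a minimum number of remaining uses, and renewal requiring two remaining uses), modelled as an added example. This is not saltext-vault code: ModelToken, AuthExpired, to_seconds and demo are hypothetical names, and treating num_uses=0 as unlimited is an assumption of the model.

```python
import time

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

class AuthExpired(Exception):
    """Stand-in for VaultAuthExpired (hypothetical, defined here only)."""

def to_seconds(valid_for):
    """Int means seconds; strings take a Vault-style suffix: s, m, h or d."""
    if isinstance(valid_for, int):
        return valid_for
    if valid_for[-1:] in UNITS:
        return int(valid_for[:-1]) * UNITS[valid_for[-1]]
    return int(valid_for)  # bare number string, read as seconds

class ModelToken:
    """Simplified model of a use-limited, expiring token (not the real class)."""
    def __init__(self, value, expire_time, num_uses=0, renewable=False, clock=time.time):
        self.value = value
        self.expire_time = expire_time  # absolute epoch seconds
        self.num_uses = num_uses        # assumption: 0 means unlimited uses
        self.use_count = 0
        self.renewable = renewable
        self.clock = clock              # injectable so checks are deterministic

    def is_valid(self, valid_for=0, uses=1):
        alive = self.clock() + to_seconds(valid_for) < self.expire_time
        uses_left = self.num_uses == 0 or self.num_uses - self.use_count >= uses
        return alive and uses_left

    def is_renewable(self):
        # Two uses: assumed to be one for the renewal request, one for afterwards.
        return self.renewable and self.is_valid(uses=2)

    def used(self):
        self.use_count += 1

    def get_token(self):
        if not self.is_valid():
            raise AuthExpired("token expired or out of uses")
        return self.value

def demo():
    # Constructed sample: 3-use token, expiring 600 s after a frozen clock at t=1000.
    tok = ModelToken("s.constructed", 1600, num_uses=3, renewable=True, clock=lambda: 1000)
    checks = [tok.is_valid("5m"), tok.is_valid("10m"), tok.is_renewable()]
    tok.used()
    tok.used()
    return checks + [tok.is_valid(), tok.is_renewable()]
```

With one use left the model token is still valid but no longer renewable, which is why a caller that wants to renew has to do so before spending the second-to-last use.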