saltext.vault.utils.vault.auth¶
Vault authentication models
- class saltext.vault.utils.vault.auth.VaultTokenAuth(cache: VaultAuthCache[VaultToken] | None = None, token: VaultToken | dict[str, Any] | None = None)[source]¶
Container for authentication tokens
- is_renewable() bool[source]¶
Check whether the contained token is renewable, which requires it to be currently valid for at least two uses and renewable
- get_token() VaultToken[source]¶
Get the contained token if it is valid, otherwise raises VaultAuthExpired
- update_token(auth: dict[str, Any])[source]¶
Partially update the contained token (e.g. after renewal)
- replace_token(token: VaultToken)[source]¶
Completely replace the contained token with a new one
- class saltext.vault.utils.vault.auth.VaultAppRoleAuth(approle: VaultAppRole, client: vclient.VaultClient, mount: str = 'approle', cache: VaultAuthCache[VaultSecretId] | None = None, token_store: VaultTokenAuth | None = None)[source]¶
Issues tokens from AppRole credentials.
- is_renewable() bool[source]¶
Check whether the currently used token is renewable. SecretIDs are not renewable anyways.
- is_valid(valid_for: int | str = 0) bool[source]¶
Check whether the contained authentication data can be used to issue a valid token
- get_token() VaultToken[source]¶
Return the token issued by the last login, if it is still valid, otherwise login with the contained AppRole, if it is valid. Otherwise, raises VaultAuthExpired
- class saltext.vault.utils.vault.auth.VaultAppRole(role_id: str, secret_id: VaultSecretId | None = None)[source]¶
Container that represents an AppRole
- replace_secret_id(secret_id: VaultSecretId)[source]¶
Replace the contained SecretID with a new one
- is_valid(valid_for: int | str = 0, uses: int = 1) bool[source]¶
Checks whether the contained data can be used to authenticate to Vault. SecretIDs might not be required by the server when bind_secret_id is set to false.
- valid_for
Allows to check whether the AppRole will still be valid in the future. This can be an integer, which is interpreted as seconds, or a time string using the same format as Vault does: Suffix
sfor seconds,mfor minutes,hfor hours,dfor days. Defaults to 0.- uses
Check whether the AppRole has at least this number of uses left. Defaults to 1.
- class saltext.vault.utils.vault.auth.LocalVaultSecretId(**kwargs)[source]¶
Represents a SecretID from local configuration and should not be cached.
- class saltext.vault.utils.vault.auth.InvalidVaultToken(*args, **kwargs)[source]¶
Represents a missing token
- is_valid(valid_for: int | str = 0, uses: int = 1)[source]¶
Checks whether the token is valid for an amount of time and number of uses.
- valid_for
Check whether the token will still be valid in the future. This can be an integer, which is interpreted as seconds, or a time string using the same format as Vault does: Suffix
sfor seconds,mfor minutes,hfor hours,dfor days. Defaults to 0.- uses
Check whether the token has at least this number of uses left. Defaults to 1.
- class saltext.vault.utils.vault.auth.InvalidVaultSecretId(*args, **kwargs)[source]¶
Represents a missing SecretID
- is_valid(valid_for: int | str = 0, uses: int = 1)[source]¶
Checks whether the SecretID is valid for an amount of time and number of uses
- valid_for
Check whether the SecretID will still be valid in the future. This can be an integer, which is interpreted as seconds, or a time string using the same format as Vault does: Suffix
sfor seconds,mfor minutes,hfor hours,dfor days. Defaults to 0.- uses
Check whether the SecretID has at least this number of uses left. Defaults to 1.