saltext.vault.utils.vault.auth

Vault authentication models

class saltext.vault.utils.vault.auth.VaultTokenAuth(cache: VaultAuthCache[VaultToken] | None = None, token: VaultToken | dict[str, Any] | None = None)[source]

Container for authentication tokens

is_renewable() bool[source]

Check whether the contained token is renewable, which requires it to be currently valid for at least two uses and renewable

is_valid(valid_for: int | str = 0) bool[source]

Check whether the contained token is valid

get_token() VaultToken[source]

Get the contained token if it is valid, otherwise raises VaultAuthExpired

used()[source]

Increment the use counter for the contained token

update_token(auth: dict[str, Any])[source]

Partially update the contained token (e.g. after renewal)

replace_token(token: VaultToken)[source]

Completely replace the contained token with a new one

class saltext.vault.utils.vault.auth.VaultAppRoleAuth(approle: VaultAppRole, client: vclient.VaultClient, mount: str = 'approle', cache: VaultAuthCache[VaultSecretId] | None = None, token_store: VaultTokenAuth | None = None)[source]

Issues tokens from AppRole credentials.

is_renewable() bool[source]

Check whether the currently used token is renewable. SecretIDs are not renewable anyways.

is_valid(valid_for: int | str = 0) bool[source]

Check whether the contained authentication data can be used to issue a valid token

get_token() VaultToken[source]

Return the token issued by the last login, if it is still valid, otherwise login with the contained AppRole, if it is valid. Otherwise, raises VaultAuthExpired

used()[source]

Increment the use counter for the currently used token

update_token(auth: dict[str, Any])[source]

Partially update the contained token (e.g. after renewal)

class saltext.vault.utils.vault.auth.VaultAppRole(role_id: str, secret_id: VaultSecretId | None = None)[source]

Container that represents an AppRole

replace_secret_id(secret_id: VaultSecretId)[source]

Replace the contained SecretID with a new one

is_valid(valid_for: int | str = 0, uses: int = 1) bool[source]

Checks whether the contained data can be used to authenticate to Vault. SecretIDs might not be required by the server when bind_secret_id is set to false.

valid_for

Allows to check whether the AppRole will still be valid in the future. This can be an integer, which is interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the AppRole has at least this number of uses left. Defaults to 1.

used()[source]

Increment the SecretID use counter by one, if this AppRole uses one.

payload() dict[str, str][source]

Return the payload to use for POST requests using this AppRole

class saltext.vault.utils.vault.auth.LocalVaultSecretId(**kwargs)[source]

Represents a SecretID from local configuration and should not be cached.

is_valid(valid_for: int | str = 0, uses: int = 1)[source]

Local SecretIDs are always assumed to be valid until proven otherwise

class saltext.vault.utils.vault.auth.InvalidVaultToken(*args, **kwargs)[source]

Represents a missing token

is_valid(valid_for: int | str = 0, uses: int = 1)[source]

Checks whether the token is valid for an amount of time and number of uses.

valid_for

Check whether the token will still be valid in the future. This can be an integer, which is interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the token has at least this number of uses left. Defaults to 1.

class saltext.vault.utils.vault.auth.InvalidVaultSecretId(*args, **kwargs)[source]

Represents a missing SecretID

is_valid(valid_for: int | str = 0, uses: int = 1)[source]

Checks whether the SecretID is valid for an amount of time and number of uses

valid_for

Check whether the SecretID will still be valid in the future. This can be an integer, which is interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the SecretID has at least this number of uses left. Defaults to 1.