saltext.vault.utils.vault.factory

Salt-Vault integration core functions

saltext.vault.utils.vault.factory.get_authd_client(opts, context, force_local=False, get_config=False)

Returns an AuthenticatedVaultClient that is valid for at least one query.

saltext.vault.utils.vault.factory.clear_cache(opts, context, ckey=None, connection=True, session=False, force_local=False)

Clears the Vault cache. Will ensure the current token and associated leases are revoked by default.

The cache is organized in a hierarchy: /vault/connection/session/leases. (italics mark data that is only cached when receiving configuration from a master)

connection contains KV metadata (by default), configuration and (AppRole) auth credentials. session contains the currently active token. leases contains leases issued to the currently active token like database credentials.

A master keeps a separate instance of the above per minion in minions/<minion_id>.

opts

Pass __opts__.

context

Pass __context__.

ckey

Only clear this cache key instead of the whole cache bank.

connection

Only clear the cached data scoped to a connection. This includes configuration, auth credentials, the currently active auth token as well as leases and KV metadata (by default). Defaults to true. Set this to false to clear all Vault caches.

session

Only clear the cached data scoped to a session. This only includes leases and the currently active auth token, but not configuration or (AppRole) auth credentials. Defaults to false. Setting this to true will keep the connection cache, regardless of connection.

force_local

Required on the master when the runner is issuing credentials during pillar compilation. Instructs the cache to use the /vault cache bank, regardless of determined run type. Defaults to false and should not be set by anything other than the runner.
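
The scoping rules above, shown as an added example: a simplified in-memory model written for this page, not saltext-vault's own code. The function names, the minion_id parameter and the cache key names are hypothetical, the sample contents are constructed, and no token or lease revocation is performed.

```python
# Simplified model of the documented cache hierarchy; NOT saltext-vault code.
# Bank paths follow the page; key names and values are constructed samples.

def target_bank(connection=True, session=False, minion_id=None):
    """Pick the bank to flush, following the documented flag semantics."""
    # minion_id (hypothetical parameter) selects a master-side per-minion copy.
    bank = "vault" if minion_id is None else f"minions/{minion_id}/vault"
    if session:  # session=True keeps the connection cache, regardless of connection
        return bank + "/connection/session"
    if connection:
        return bank + "/connection"
    return bank  # connection=False: all Vault caches


def clear_cache_model(cache, ckey=None, **flags):
    """Flush cache (dict: bank -> {key: value}) in place; return removed (bank, key) pairs."""
    bank = target_bank(**flags)
    removed = []
    for b in list(cache):
        if ckey is not None:
            hit = b == bank  # ckey: only that key, only in the chosen bank
        else:
            hit = b == bank or b.startswith(bank + "/")  # bank plus sub-banks
        if not hit:
            continue
        for k in list(cache[b]):
            if ckey is None or k == ckey:
                removed.append((b, k))
                del cache[b][k]
        if not cache[b]:
            del cache[b]
    return sorted(removed)


def sample_cache():
    """Constructed contents: a local cache plus a master-side copy for minion 'web1'."""
    return {
        "vault": {"other": "x"},
        "vault/connection": {"config": {}, "secret_id": "s", "kv_metadata": {}},
        "vault/connection/session": {"token": "t"},
        "vault/connection/session/leases": {"db-creds": "l"},
        "minions/web1/vault/connection/session": {"token": "t-web1"},
    }


if __name__ == "__main__":
    cache = sample_cache()
    print(clear_cache_model(cache, session=True))  # token and leases only
    print(sorted(cache))  # connection data (including secret_id) is still cached
```

In this model, session=True leaves the cached AppRole credentials in place, so removing them requires the default connection scope or connection=False.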

saltext.vault.utils.vault.factory.update_config(opts, context, keep_session=False)

Attempt to update the cached configuration without clearing the currently active Vault session.

opts

Pass __opts__.

context

Pass __context__.

keep_session

Only update configuration that can be updated without creating a new login session. If this is false, still tries to keep the active session, but might clear it if the server configuration has changed significantly. Defaults to False.

saltext.vault.utils.vault.factory.get_kv(opts, context, get_config=False)

Return an instance of VaultKV, which can be used to interact with the kv backend.

saltext.vault.utils.vault.factory.get_lease_store(opts, context, get_config=False)

Return an instance of LeaseStore, which can be used to cache leases and handle operations like renewals and revocations.

saltext.vault.utils.vault.factory.get_approle_api(opts, context, force_local=False, get_config=False)

Return an instance of AppRoleApi containing an AuthenticatedVaultClient.

saltext.vault.utils.vault.factory.get_identity_api(opts, context, force_local=False, get_config=False)

Return an instance of IdentityApi containing an AuthenticatedVaultClient.

saltext.vault.utils.vault.factory.parse_config(config, validate=True, opts=None, require_token=True)

Returns a vault configuration dictionary that has all keys with defaults. Checks if required data is available.