saltext.vault.utils.vault

High-level utility functions for Vault interaction

saltext.vault.utils.vault.query(method, endpoint, opts, context, payload=None, *, wrap=False, raise_error=True, safe_to_retry=None, is_unauthd=False, **kwargs)[source]

Query the Vault API. Supplemental arguments to requests.request can be passed as kwargs.

method

HTTP verb to use.

endpoint

API path to call (without leading /v1/).

opts

Pass __opts__ from the module.

context

Pass __context__ from the module.

payload

Dictionary of payload values to send, if any.

wrap

Whether to request response wrapping. Should be a time string like 30s or False (default).

raise_error

Whether to inspect the response code and raise exceptions. Defaults to True.

safe_to_retry

Added in version 1.4.0.

A boolean indicating whether this request is safe to retry (idempotent) or not. If not provided, defaults to guessing based on the HTTP method. Unsafe requests are not retried, unless client:retry_post is enabled.

is_unauthd

Whether the queried endpoint is an unauthenticated one and hence does not deduct a token use. Only relevant for endpoints not found in sys. Defaults to False.

saltext.vault.utils.vault.query_raw(method, endpoint, opts, context, payload=None, *, wrap=False, retry=True, is_unauthd=False, safe_to_retry=None, **kwargs)[source]

Query the Vault API, returning the raw response object. Supplemental arguments to requests.request can be passed as kwargs.

method

HTTP verb to use.

endpoint

API path to call (without leading /v1/).

opts

Pass __opts__ from the module.

context

Pass __context__ from the module.

payload

Dictionary of payload values to send, if any.

retry

Retry the query with cleared cache in case the permission was denied (to check for revoked cached credentials). Defaults to True.

Note

Affects handling of 403 Forbidden responses by this function and is independent from client settings.

wrap

Whether to request response wrapping. Should be a time string like 30s or False (default).

safe_to_retry

Added in version 1.4.0.

A boolean indicating whether this request is safe to retry (idempotent) or not. If not provided, defaults to guessing based on the HTTP method. Unsafe requests are not retried, unless client:retry_post is enabled.

is_unauthd

Whether the queried endpoint is an unauthenticated one and hence does not deduct a token use. Only relevant for endpoints not found in sys. Defaults to False.

saltext.vault.utils.vault.is_v2(path, opts, context)[source]

Determines if a given secret path is KV v1 or v2.

saltext.vault.utils.vault.read_kv(path, opts, context, include_metadata=False, version=None)[source]

Read secret at <path>.

saltext.vault.utils.vault.read_kv_meta(path, opts, context)[source]

Read secret metadata and version info at <path>. Requires KV v2.

Added in version 1.2.0.

saltext.vault.utils.vault.write_kv(path, data, opts, context)[source]

Write secret <data> to <path>.

saltext.vault.utils.vault.patch_kv(path, data, opts, context)[source]

Patch secret <data> at <path>.

saltext.vault.utils.vault.delete_kv(path, opts, context, versions=None, all_versions=False)[source]

Delete secret at <path>. For KV v2, versions can be specified, which will be soft-deleted.

saltext.vault.utils.vault.restore_kv(path, opts, context, versions=None, all_versions=False)[source]

Restore secret versions at <path>. Requires KV v2.

saltext.vault.utils.vault.destroy_kv(path, versions, opts, context, all_versions=False)[source]

Destroy secret <versions> at <path>. Requires KV v2.

saltext.vault.utils.vault.wipe_kv(path, opts, context)[source]

Completely remove all version history and data at <path>. Requires KV v2.

Added in version 1.2.0.

saltext.vault.utils.vault.list_kv(path, opts, context)[source]

List secrets at <path>.