Add support for vault path secret resolving (#34)

himl/secret_resolvers.py

@@ -37,7 +37,8 @@ def supports(self, secret_type):
     def resolve(self, secret_type, secret_params):
         aws_profile = secret_params.get("aws_profile", self.default_aws_profile)
         if not aws_profile:
-            raise Exception("Could not find the aws_profile in the secret params for SSM secret: {}".format(secret_params))
+            raise Exception(
+                "Could not find the aws_profile in the secret params for SSM secret: {}".format(secret_params))
 
         path = self.get_param_or_exception("path", secret_params)
         region_name = secret_params.get("region_name", "us-east-1")
@@ -55,7 +56,8 @@ def supports(self, secret_type):
     def resolve(self, secret_type, secret_params):
         aws_profile = secret_params.get("aws_profile", self.default_aws_profile)
         if not aws_profile:
-            raise Exception("Could not find the aws_profile in the secret params for S3 secret: {}".format(secret_params))
+            raise Exception(
+                "Could not find the aws_profile in the secret params for S3 secret: {}".format(secret_params))
 
         bucket = self.get_param_or_exception("bucket", secret_params)
         path = self.get_param_or_exception("path", secret_params)
@@ -71,15 +73,23 @@ def supports(self, secret_type):
         return secret_type == "vault"
 
     def resolve(self, secret_type, secret_params):
-        # Generate a token for a policy
-        policy = self.get_param_or_exception("token_policy", secret_params)
         vault = SimpleVault
-        return vault().get_token(policy)
+
+        # Generate a token for a policy
+        if "token_policy" in secret_params.keys():
+            policy = self.get_param_or_exception("token_policy", secret_params)
+            return vault().get_token(policy)
+
+        # Retrieve secret from vault path
+        if "path" in secret_params.keys():
+            path = self.get_param_or_exception("path", secret_params)
+            return vault().get_path(path)
 
 
 class AggregatedSecretResolver(SecretResolver):
     def __init__(self, default_aws_profile=None):
-        self.secret_resolvers = (SSMSecretResolver(default_aws_profile), S3SecretResolver(default_aws_profile), VaultSecretResolver())
+        self.secret_resolvers = (SSMSecretResolver(default_aws_profile), S3SecretResolver(default_aws_profile),
+                                 VaultSecretResolver())
 
     def supports(self, secret_type):
         return any([resolver.supports(secret_type) for resolver in self.secret_resolvers])

himl/simplevault.py

@@ -8,10 +8,10 @@
 # OF ANY KIND, either express or implied. See the License for the specific language
 # governing permissions and limitations under the License.
 
-import os
 import logging
-import hvac
+import os
 
+import hvac
 
 logger = logging.getLogger(__name__)
 
@@ -23,24 +23,30 @@ def __init__(self):
     def get_vault_client(self):
         url = os.getenv('VAULT_ADDR')
         namespace = os.getenv('VAULT_NAMESPACE')
-        username = os.getenv('VAULT_USERNAME')
-        password = os.getenv('VAULT_PASSWORD')
-        logger.info("Vault using url: {}, namespace: {}, username: {}".format(url, namespace, username))
+
+        logger.info("Vault using url: {}, namespace: {}".format(url, namespace))
 
         client = hvac.Client(
             url=url,
             namespace=namespace,
         )
 
-        try:
-            client.auth.ldap.login(
-                username=username,
-                password=password,
-            )
-            assert client.is_authenticated()
-            logger.info("Vault LDAP authenticated")
-        except Exception as e:
-            raise Exception("Error authenticating Vault over LDAP")
+        authenticated = client.is_authenticated()
+
+        if not authenticated:
+            logger.info("Vault not authenticated, trying LDAP fallback")
+
+            password = os.getenv('VAULT_PASSWORD')
+            username = os.getenv('VAULT_USERNAME')
+            try:
+                client.auth.ldap.login(
+                    username=username,
+                    password=password,
+                )
+                assert client.is_authenticated()
+                logger.info("Vault LDAP authenticated")
+            except Exception as e:
+                raise Exception("Error authenticating Vault over LDAP")
 
         return client
 
@@ -53,6 +59,15 @@ def get_token(self, policy):
             policies=[policy],
             role=role,
             lease='24h',
-       )
+        )
 
         return token['auth']['client_token']
+
+    def get_path(self, path):
+        mount_point = os.getenv('VAULT_MOUNT_POINT', 'kv')
+        client = self.get_vault_client()
+
+        result = client.secrets.kv.v2.read_secret_version(mount_point=mount_point, path=path)
+        secret_data = result['data']['data']
+
+        return secret_data

requirements.txt

@@ -5,4 +5,4 @@ pathlib2>=2.3.4
 boto3>=1.9.110
 pyyaml>=5.1
 botocore>=1.12
-hvac>=0.9.3
+hvac>=0.10.8