obervinov/vault-package
Vault Package

About this project

This module is an additional layer on top of the hvac module.
Its main purpose is to simplify the use of and interaction with Vault in my standard projects.
It contains a set of methods for working with the secrets and database engines in Vault.

Supported environment variables

| Variable | Description | Example |
|---|---|---|
| VAULT_ADDR | Vault server address | http://vault:8200 |
| VAULT_AUTH_TYPE | Type of authentication on the Vault server (token, approle, kubernetes) | approle |
| VAULT_NAMESPACE | Namespace with the mounted secrets on the Vault server | project1 |
| VAULT_TOKEN | Token for authentication on the Vault server | s.123456789qwerty |
| VAULT_APPROLE_ID | Approle role ID used to obtain a token from the Vault server | db02de05-fa39-4855-059b-67221c5c2f63 |
| VAULT_APPROLE_SECRET_ID | Approle secret ID used to obtain a token from the Vault server | 6a174c20-f6de-a53c-74d2-6018fcceff64 |
| VAULT_KUBERNETES_SA_TOKEN | File path to the service account token in the Kubernetes cluster | /var/run/secrets/kubernetes.io/serviceaccount/token |
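Added example (not part of vault-package; the function names are my own): build the VaultClient constructor arguments from the environment variables in the table above, failing at startup when a variable the chosen auth type needs is missing, and produce a copy safe to log. VaultClient itself is not imported, so this runs without a Vault server.

```python
import os

# Variables each VAULT_AUTH_TYPE needs, in addition to VAULT_ADDR and VAULT_NAMESPACE.
REQUIRED = {
    "token": ("VAULT_TOKEN",),
    "approle": ("VAULT_APPROLE_ID", "VAULT_APPROLE_SECRET_ID"),
    "kubernetes": ("VAULT_KUBERNETES_SA_TOKEN",),
}
# Fields of the auth dict that hold secret material and must never be logged.
SECRET_FIELDS = ("token", "secret_id")


def missing_variables(env):
    """Return the names of required variables that are unset or empty."""
    auth_type = env.get("VAULT_AUTH_TYPE", "").lower()
    if auth_type not in REQUIRED:
        return ["VAULT_AUTH_TYPE"]
    needed = ("VAULT_ADDR", "VAULT_NAMESPACE") + REQUIRED[auth_type]
    return [name for name in needed if not env.get(name)]


def client_kwargs_from_env(env=None):
    """Return a dict shaped like the VaultClient(...) calls in the usage examples:
    {'url': ..., 'namespace': ..., 'auth': {'type': ..., ...}}."""
    env = os.environ if env is None else env
    missing = missing_variables(env)
    if missing:
        raise ValueError("missing or invalid environment variables: " + ", ".join(missing))
    auth_type = env["VAULT_AUTH_TYPE"].lower()
    auth = {"type": auth_type}
    if auth_type == "token":
        auth["token"] = env["VAULT_TOKEN"]
    elif auth_type == "approle":
        auth["role_id"] = env["VAULT_APPROLE_ID"]
        auth["secret_id"] = env["VAULT_APPROLE_SECRET_ID"]
    else:
        # kubernetes: the value is the path to the service account token file,
        # exactly as the usage example passes it, not the token itself.
        auth["token"] = env["VAULT_KUBERNETES_SA_TOKEN"]
    return {"url": env["VAULT_ADDR"], "namespace": env["VAULT_NAMESPACE"], "auth": auth}


def redacted(kwargs):
    """Copy of the constructor arguments with secret-bearing fields masked,
    suitable for a startup log line. The kubernetes 'token' is a file path,
    so it is left readable."""
    auth = dict(kwargs["auth"])
    if auth["type"] != "kubernetes":
        for field in SECRET_FIELDS:
            if field in auth:
                auth[field] = "****"
    return {**kwargs, "auth": auth}
```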

Supported functions

Deprecation Notice

Authentications

  • Token
  • Approle
  • Kubernetes

KV2 Engine

  • read_secret()
  • write_secret()
  • list_secrets()
  • delete_secret()

Database Engine

  • generate_credentials()

Usage examples

  1. Authentication in Vault
    • token
    • approle
    • kubernetes

from vault import VaultClient

# Approle authentication
client = VaultClient(
        url='http://vault:8200',
        namespace='project1',
        auth={
                'type': 'approle',
                'role_id': 'db02de05-fa39-4855-059b-67221c5c2f63',
                'secret_id': '6a174c20-f6de-a53c-74d2-6018fcceff64'
        }
)

# Token authentication
client = VaultClient(
        url='http://vault:8200',
        namespace='project1',
        auth={
                'type': 'token',
                'token': 's.123456789qwerty'
        }
)

# Kubernetes authentication
client = VaultClient(
        url='http://vault:8200',
        namespace='project1',
        auth={
                'type': 'kubernetes',
                'token': '/var/run/secrets/kubernetes.io/serviceaccount/token'
        }
)
  2. Interaction with the KV2 Secrets Engine
    • read a specific key from the secret or the full secret body
    • create a new secret with the specified key and value
    • update a specific key in the secret with a new value
    • list secrets on the specified path
    • delete all versions of the secret on the specified path

from vault import VaultClient

client = VaultClient(
        url='http://0.0.0.0:8200',
        namespace='project1',
        auth={
                'type': 'approle',
                'role_id': 'db02de05-fa39-4855-059b-67221c5c2f63',
                'secret_id': '6a174c20-f6de-a53c-74d2-6018fcceff64'
        }
)

# Get value of the specific key in the secret
# type: str
value = client.kv2engine.read_secret(
    path='namespace/secret',
    key='key'
)

# Get the full secret body
# type: dict
secret = client.kv2engine.read_secret(path='namespace/secret')

# Create a new secret with the specified key and value
# type: object
response = client.kv2engine.write_secret(
        path='namespace/secret',
        key='key',
        value='value'
)

# Update specific key in the secret with a new value
# type: object
response = client.kv2engine.write_secret(
        path='namespace/secret',
        key='key',
        value='new_value'
)

# List secrets on the specified path
# type: list
secret_list = client.kv2engine.list_secrets(path='namespace/secret')

# Delete all versions of the secret on the specified path
# type: bool
deleted = client.kv2engine.delete_secret(path='namespace/secret')
  3. Interaction with the Database Engine
    • generate new credentials for the specified role

import psycopg2
from vault import VaultClient

client = VaultClient(
        url='http://vault:8200',
        namespace='project1',
        auth={
                'type': 'approle',
                'role_id': 'db02de05-fa39-4855-059b-67221c5c2f63',
                'secret_id': '6a174c20-f6de-a53c-74d2-6018fcceff64'
        }
)
# Read the secret with the specified path
# type: dict
db_config = client.kv2engine.read_secret(path='project1/db')

# Generate new credentials for the specified role
# type: dict
db_credentials = client.dbengine.generate_credentials(role='project1-role')

# Connect to the database
conn = psycopg2.connect(
        dbname=db_config['dbname'],
        user=db_credentials['username'],
        password=db_credentials['password'],
        host=db_config['host'],
        port=db_config['port']
)

Vault Policy structure

An example with the required permissions and their description for this module is shown in the file policy.hcl.

Installing

tee -a pyproject.toml <<EOF
[tool.poetry]
name = "myproject"
version = "1.0.0"

[tool.poetry.dependencies]
python = "^3.10"
vault = { git = "https://github.com/obervinov/vault-package.git", tag = "v3.0.0" }

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
EOF

poetry install

GitHub Actions

| Name | Version |
|---|---|
| GitHub Actions Templates | v1.2.6 |
