This is an additional implementation built around the hvac module. Its main purpose is to simplify the use of, and interaction with, Vault in my standard projects.
This module contains a set of methods for working with the secrets and database engines in Vault.
| Variable | Description | Example |
|---|---|---|
| VAULT_ADDR | Vault server address | http://vault:8200 |
| VAULT_AUTH_TYPE | Type of authentication against the Vault server (token, approle, kubernetes) | approle |
| VAULT_NAMESPACE | Namespace with mounted secrets in the Vault server | project1 |
| VAULT_TOKEN | Token for authentication against the Vault server | s.123456789qwerty |
| VAULT_APPROLE_ID | AppRole ID used to obtain a token from the Vault server | db02de05-fa39-4855-059b-67221c5c2f63 |
| VAULT_APPROLE_SECRET_ID | AppRole Secret ID used to obtain a token from the Vault server | 6a174c20-f6de-a53c-74d2-6018fcceff64 |
| VAULT_KUBERNETES_SA_TOKEN | File path to the service account token in the Kubernetes cluster | /var/run/secrets/kubernetes.io/serviceaccount/token |
- Authentications
  - Token
  - Approle
  - Kubernetes
- KV2 Engine
  - `read_secret()`
  - `write_secret()`
  - `list_secrets()`
  - `delete_secret()`
- Database Engine
  - `generate_credentials()`
- Authentication in Vault: `token`, `approle`, `kubernetes`
```python
from vault import VaultClient

# Approle authentication
client = VaultClient(
    url='http://vault:8200',
    namespace='project1',
    auth={
        'type': 'approle',
        'role_id': 'db02de05-fa39-4855-059b-67221c5c2f63',
        'secret_id': '6a174c20-f6de-a53c-74d2-6018fcceff64'
    }
)

# Token authentication
client = VaultClient(
    url='http://vault:8200',
    namespace='project1',
    auth={
        'type': 'token',
        'token': 's.123456789qwerty'
    }
)

# Kubernetes authentication (the token value is a path to the service account token file)
client = VaultClient(
    url='http://vault:8200',
    namespace='project1',
    auth={
        'type': 'kubernetes',
        'token': '/var/run/secrets/kubernetes.io/serviceaccount/token'
    }
)
```
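As an added example (not part of this package), the helper below builds the `VaultClient` keyword arguments from the environment variables listed in the table, checking per auth type that every required variable is set and reporting only variable names, never their values. It assumes only the `auth` dict shapes shown above; the sample environment is constructed from the table's example values.

```python
import os
from typing import Mapping, Optional

# Environment variables required for each VAULT_AUTH_TYPE, mapped to the keys
# of the `auth` dict that VaultClient expects (the shapes shown above).
AUTH_FIELDS = {
    "token": {"VAULT_TOKEN": "token"},
    "approle": {"VAULT_APPROLE_ID": "role_id",
                "VAULT_APPROLE_SECRET_ID": "secret_id"},
    # For kubernetes the value is a path to the service account token file.
    "kubernetes": {"VAULT_KUBERNETES_SA_TOKEN": "token"},
}


def build_client_kwargs(env: Optional[Mapping[str, str]] = None) -> dict:
    """Build the keyword arguments for VaultClient(...) from environment variables.

    Raises ValueError when VAULT_AUTH_TYPE is unsupported or a required variable
    is missing; the message names the variables but never echoes their values.
    """
    env = os.environ if env is None else env
    auth_type = env.get("VAULT_AUTH_TYPE", "").strip().lower()
    if auth_type not in AUTH_FIELDS:
        raise ValueError(
            f"VAULT_AUTH_TYPE must be one of {sorted(AUTH_FIELDS)}, got {auth_type!r}")
    required = ("VAULT_ADDR", "VAULT_NAMESPACE", *AUTH_FIELDS[auth_type])
    missing = [var for var in required if not env.get(var)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    auth = {"type": auth_type}
    for var, key in AUTH_FIELDS[auth_type].items():
        auth[key] = env[var]
    return {"url": env["VAULT_ADDR"], "namespace": env["VAULT_NAMESPACE"], "auth": auth}


if __name__ == "__main__":
    # Constructed sample environment for an AppRole login, using the example
    # values from the table above; in practice these come from the real environment.
    sample_env = {
        "VAULT_ADDR": "http://vault:8200",
        "VAULT_NAMESPACE": "project1",
        "VAULT_AUTH_TYPE": "approle",
        "VAULT_APPROLE_ID": "db02de05-fa39-4855-059b-67221c5c2f63",
        "VAULT_APPROLE_SECRET_ID": "6a174c20-f6de-a53c-74d2-6018fcceff64",
    }
    kwargs = build_client_kwargs(sample_env)
    # client = VaultClient(**kwargs)  # needs the vault package and a reachable server
    print(kwargs["url"], kwargs["auth"]["type"])
```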
- Interaction with KV2 Secrets Engine
  - read a specific key from the secret or the full secret body
  - create a new secret with the specified key and value
  - update a specific key in the secret with a new value
  - list secrets on the specified path
  - delete all versions of the secret on the specified path
```python
from vault import VaultClient

client = VaultClient(
    url='http://0.0.0.0:8200',
    namespace='project1',
    auth={
        'type': 'approle',
        'role_id': 'db02de05-fa39-4855-059b-67221c5c2f63',
        'secret_id': '6a174c20-f6de-a53c-74d2-6018fcceff64'
    }
)

# Get the value of a specific key in the secret
# type: str
value = client.kv2engine.read_secret(
    path='namespace/secret',
    key='key'
)

# Get the full secret body
# type: dict
secret = client.kv2engine.read_secret(path='namespace/secret')

# Create a new secret with the specified key and value
# type: object
response = client.kv2engine.write_secret(
    path='namespace/secret',
    key='key',
    value='value'
)

# Update a specific key in the secret with a new value
# type: object
response = client.kv2engine.write_secret(
    path='namespace/secret',
    key='key',
    value='new_value'
)

# List secrets on the specified path
# type: list
secret_list = client.kv2engine.list_secrets(path='namespace/secret')

# Delete all versions of the secret on the specified path
# type: bool
deleted = client.kv2engine.delete_secret(path='namespace/secret')
```
- Interaction with Database Engine
  - generate new credentials for the specified role
```python
import psycopg2
from vault import VaultClient

client = VaultClient(
    url='http://vault:8200',
    namespace='project1',
    auth={
        'type': 'approle',
        'role_id': 'db02de05-fa39-4855-059b-67221c5c2f63',
        'secret_id': '6a174c20-f6de-a53c-74d2-6018fcceff64'
    }
)

# Read the static connection settings (dbname, host, port) from the KV2 secret
# type: dict
db_config = client.kv2engine.read_secret(path='project1/db')

# Generate new, short-lived credentials for the specified database role
# type: dict
db_credentials = client.dbengine.generate_credentials(role='project1-role')

# Connect to the database with the generated username and password
conn = psycopg2.connect(
    dbname=db_config['dbname'],
    user=db_credentials['username'],
    password=db_credentials['password'],
    host=db_config['host'],
    port=db_config['port']
)
```
An example of the permissions this module requires, with a description of each, is given in the file policy.hcl.

```shell
tee -a pyproject.toml <<EOF
[tool.poetry]
name = "myproject"
version = "1.0.0"

[tool.poetry.dependencies]
python = "^3.10"
vault = { git = "https://github.com/obervinov/vault-package.git", tag = "v3.0.0" }

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
EOF
poetry install
```
| Name | Version |
|---|---|
| GitHub Actions Templates | v1.2.6 |