genvid.toolbox.VaultTool

Warning

This is a beta version of the API and is likely to change in future releases.

class genvid.toolbox.VaultTool(vault_policies_folder: str = '', vault_roles_folder: str = '', vault_token_file: str = '', vault_keys_file: str = '', use_wan: bool = False, **kwargs)

Bases: ConsulTool

A class for interfacing with Vault.

Warning:: This is a beta implementation of the class.

Changed in version 1.16.0: The environment variables now take precedence over the content of the Vault files.

Changed in version 1.20.0: Now, have a use_wan parameter to replace the service address with the TaggedAddress “wan”. The default is now to use the internal registered address.

NAME = 'Vault': The name of the logger for this tool. Must be redefined in children.

DESCRIPTION = 'A tool for interfacing with Vault.': A description of the tool, used in the help parser. Must be redefined in children.

VAULT_TOKEN_FILE: A mirror of VAULT_TOKEN_FILE containing the file path were the Vault token is saved.

New in version 1.30.0.

VAULT_KEYS_FILE: A mirror of VAULT_KEYS_FILE containing the file path were the Vault keys are saved.

New in version 1.30.0.

VAULT_TOKEN: A mirror of VAULT_TOKEN containing the Vault token used for authentication.

VAULT_KEYS: A mirror of VAULT_KEYS containing the comma-delimited Vault seal keys.

VAULT_ADDR: A mirror of VAULT_ADDR containing the Vault service address (including the protocol).

GENVID_VAULT_POLICIES_FOLDER: A mirror of GENVID_VAULT_POLICIES_FOLDER pointing to a folder containing Vault policies.

GENVID_VAULT_TOKEN_ROLES_FOLDER: A mirror of GENVID_VAULT_TOKEN_ROLES_FOLDER pointing to a folder containing Vault token roles.

DEFAULT_PKI_PATH: This is the pki engine path used by default.

get_vault_client_addr(timeout: float = 30.0, passing: bool = True): Return the Vault server address.

Changed in version 1.20.0: use_wan parameter is now removed to favor the use_wan passed at construction.

get_vault_client_url(timeout: float = 0, use_https: bool = False, passing: bool = True): Return the Vault server URL.

Changed in version 1.20.0: use_wan parameter is now removed to favor the use_wan passed at construction.

property vault: The Vault client.

init_vault_client(timeout: float = 30.0, passing: bool = True)

Initialize the Vault client.

The client uses VAULT_ADDR for initialization. If it’s empty, it queries the discovery service for a Vault service and VAULT_ADDR is set appropriately.

Parameters:: timeout – The timeout for the service query in seconds.

mount_vault_engines()

Mount secret engines required to run Bastion.

::versionadded: 1.29.0

mount_pki_engine(mount_point)

Sets up vault pki secret engine and creates root ca

Parameters:: mount_point – Mount point on which pki engine was mounted

::versionadded: 1.29.0

vault_load_policies(folder: Optional[str] = None)

Load policies from a specified folder.

Policies should have an .hcl extension. The name of the policy is the base name of the file without the extension.

Parameters:: folder – The folder to lookup. Uses GENVID_VAULT_POLICIES_FOLDER if None.

vault_load_roles(folder: Optional[str] = None)

Load roles from a specified folder.

Roles should have a .json extension containing the properties of the role. The folder uses the base filename minus the extension if no name is specified.

By default, the role type is token. But if a role json file is in a subfolder of the vault-role folder, then the name of subfolder corresponds to the role type Currently, token and pki role types are supported.

Rolename is taken from the json file name. If name setting exists in the json file, this name is used instead.

Parameters:: folder – The folder to look up. Uses GENVID_VAULT_TOKEN_ROLES_FOLDER if None.

Changed in version 1.29.0: vault_load_token_roles() renamed to vault_load_roles()

vault_load_token_roles(folder: Optional[str] = None): Deprecated since version 1.29.0: Please use vault_load_roles()

vault_setup(): Set up Vault if not initialized.

vault_setup_secret_engines()

Setup vault secret engines and load their roles

param vault_roles_folder: folder that contains the vault roles.

refresh_token(force: bool = False)

Refresh the Vault information.

param force: force changing the variable, even if a value is already set.

Changed in version 1.16.0: Add the force param and don’t override if already set.

init_vault(key_shares=1, key_threshold=1)

Initialize a Vault.

This method sets the VAULT_TOKEN and VAULT_KEYS environment variables on success, overriding any values already present.

auth_vault(token=None)

Authorize the Vault client.

param token: Token for vault operations. If None, uses VAULT_TOKEN.

Changed in version 1.16.0: Add the optional token param.

unseal_vault(timeout: float = 30.0) → bool

Unseal Vault with the VAULT_KEYS.

Parameters:: timeout – Timeout in second to wait for the seal status to change.
Raises:: RuntimeError if the vault keys is empty.

Changed in version 1.29.0: Check empty keys, to replace the cryptic error about a missing parameter.

create_vault_token(*, role=None, orphan=False, wrap_ttl=None, **properties): Create a new token with the properties specified.

save_vault_token(): Save Vault token in the home folder.

save_vault_keys(): Save Vault keys in the home folder.

load_vault_token() → str: Load the vault keys from VAULT_TOKEN_FILE

load_vault_keys() → str: Load the vault keys from VAULT_KEYS_FILE

clear_vault_files(): Clear Vault secret files.

create_vault_token_role(role, *, wrap_ttl=None, **properties): Create a new token role with the properties specified.

class vault.VaultTool: Implementation of genvid.toolbox.VaultTool