VaultClient

class phalanx.storage.vault.VaultClient(url, path, credentials=None)

Bases: object

Store, retrieve, and manipulate data stored in Vault.

This client is specific to a particular Phalanx environment. It is created using the metadata of a Phalanx environment by VaultStorage.

If credentials is None, token authentication is used and the token is taken from the VAULT_TOKEN environment variable or a .vault-token file in the user’s home directory.

url

URL of the configured Vault server.

path

Prefix path within Vault where secrets are stored.

Parameters:
  • url (str) – URL of the Vault server.

  • path (str) – Path within that Vault server where secrets for an environment are stored.

  • credentials (VaultCredentials | None, default: None) – Credentials to use for authentication. If this is not set, fall back on the default library behavior of getting the token from the environment or the user’s home directory.

Methods Summary

create_approle(name, policies, *[, ...])

Create a new Vault AppRole for secret access.

create_policy(name, policy)

Create a policy allowing read of secrets for this environment.

create_token(display_name, policies, lifetime)

Create a new Vault token.

delete_application_secret(application)

Delete the secrets for an application currently stored in Vault.

get_application_secret(application)

Get the secrets for an application currently stored in Vault.

get_approle(name)

Retrieve metadata about a Vault AppRole if it exists.

get_environment_secrets([exclude])

Get the secrets for an environment currently stored in Vault.

get_policy(name)

Get the contents of a Vault policy.

get_token(accessor)

Get a token by accessor.

list_application_secrets()

List the available application secrets in Vault.

list_token_accessors()

List the accessors of all known tokens.

revoke_approle_secret_ids(name)

Revoke all existing SecretIDs for a Vault AppRole.

revoke_token(accessor)

Revoke a token by accessor.

store_application_secret(application, values)

Store the full set of secrets for an application.

update_application_secret(application, key, ...)

Update the value of a specific secret key.

Methods Documentation

create_approle(name, policies, *, token_lifetime=None)

Create a new Vault AppRole for secret access.

Parameters:
  • name (str) – Name of the AppRole to create.

  • policies (list[str]) – Policies to assign to that AppRole.

  • token_lifetime (timedelta | None, default: None) – If given, limit the token lifetime (both default and renewable) to the given length of time.

Returns:

Newly-created AppRole.

Return type:

VaultAppRole

create_policy(name, policy)

Create a policy allowing read of secrets for this environment.

Parameters:
  • name (str) – Name of policy to create.

  • policy (str) – Text of the policy.

Return type:

None

create_token(display_name, policies, lifetime)

Create a new Vault token.

Parameters:
  • display_name (str) – Display name of the token. This must begin with token-, which is stripped off when creating the token since it will be added by Vault.

  • policies (list[str]) – Policies to assign to that token.

  • lifetime (str) – Lifetime of the token as a Vault duration string.

Returns:

Newly-created Vault token.

Return type:

VaultToken

delete_application_secret(application)

Delete the secrets for an application currently stored in Vault.

If the secret does not exist, still returns success without raising an exception.

Parameters:

application (str) – Name of the application.

Return type:

None

get_application_secret(application)

Get the secrets for an application currently stored in Vault.

Parameters:

application (str) – Name of the application.

Returns:

Mapping from secret key to its secret from Vault.

Return type:

dict of pydantic.types.SecretStr

Raises:

VaultNotFoundError – Raised if the requested secret was not found in Vault.

get_approle(name)

Retrieve metadata about a Vault AppRole if it exists.

Parameters:

name (str) – Name of the AppRole.

Returns:

Metadata about the AppRole if it exists, else None.

Return type:

VaultAppRoleMetadata or None

get_environment_secrets(exclude=None)

Get the secrets for an environment currently stored in Vault.

Parameters:

exclude (set[str] | None, default: None) – Applications to exclude, ignoring their Vault entries.

Returns:

Mapping from application to secret key to its secret from Vault.

Return type:

dict of dict of pydantic.types.SecretStr

get_policy(name)

Get the contents of a Vault policy.

Parameters:

name (str) – Name of the policy.

Returns:

Text of the policy, or None if it does not exist.

Return type:

str or None

get_token(accessor)

Get a token by accessor.

Parameters:

accessor (str) – Accessor for the token.

Returns:

Metadata for the token, or None if no token exists with that accessor.

Return type:

VaultTokenMetadata or None

Raises:

hvac.exceptions.Forbidden – Raised if the caller doesn’t have access to retrieve this accessor.

list_application_secrets()

List the available application secrets in Vault.

Returns:

Names of available application secrets.

Return type:

list of str

Raises:

VaultNotFoundError – Raised if the path for application secrets does not exist or if the Vault server returned a permission denied error. Unfortunately, because the Vault server sometimes returns permission denied if the path doesn’t exist, there’s no good way to distinguish between these errors.

list_token_accessors()

List the accessors of all known tokens.

Returns:

Accessors for all known tokens.

Return type:

list of str

revoke_approle_secret_ids(name)

Revoke all existing SecretIDs for a Vault AppRole.

Parameters:

name (str) – Name of the AppRole.

Return type:

None
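The create_policy, create_approle, create_token and revoke_approle_secret_ids methods above are the building blocks of a credential-rotation routine. The following is an added example, not Phalanx's own code, written against the method names documented on this page. It assumes (none of which the page states) that secrets live in a KV version 2 engine mounted at secret/, that policy and AppRole names follow a hypothetical phalanx-<environment> scheme, and that create_approle overwrites an existing role, as the Vault API it wraps does. FakeVaultClient is a constructed in-memory stand-in so the code runs without a Vault server; in a real deployment the client is the VaultClient obtained from VaultStorage.

```python
"""Added example (not Phalanx code): least-privilege policy generation and
AppRole rotation written against the VaultClient method names above.

Assumptions not stated on this page:
  * secrets live in a KV version 2 engine mounted at ``secret/``;
  * policy/AppRole names are ``phalanx-<environment>`` (hypothetical);
  * create_approle overwrites an existing role (the Vault API is an upsert);
  * FakeVaultClient is a constructed in-memory stand-in for testing.
"""

from __future__ import annotations

from dataclasses import dataclass, field
from datetime import timedelta
from typing import Any, Protocol


def read_only_policy(path: str, mount: str = "secret") -> str:
    """HCL granting only read on an environment's secrets (KV v2 layout).

    ``read`` on ``data/`` is what consumers need; ``list`` on ``metadata/``
    is what list_application_secrets needs. Nothing grants update/delete.
    """
    prefix = path.strip("/")
    return (
        f'path "{mount}/data/{prefix}/*" {{\n  capabilities = ["read"]\n}}\n'
        f'path "{mount}/metadata/{prefix}/*" {{\n  capabilities = ["list"]\n}}\n'
    )


def vault_duration(lifetime: timedelta) -> str:
    """Format a timedelta as the duration string create_token expects.

    Vault accepts whole seconds with an ``s`` suffix. Non-positive values
    are rejected rather than silently sent as 0s.
    """
    seconds = int(lifetime.total_seconds())
    if seconds <= 0:
        raise ValueError("token lifetime must be at least one second")
    return f"{seconds}s"


class VaultClientLike(Protocol):
    """Subset of the VaultClient interface the rotation uses."""

    def get_policy(self, name: str) -> str | None: ...
    def create_policy(self, name: str, policy: str) -> None: ...
    def get_approle(self, name: str) -> Any | None: ...
    def create_approle(
        self, name: str, policies: list[str], *, token_lifetime: timedelta | None = None
    ) -> Any: ...
    def revoke_approle_secret_ids(self, name: str) -> None: ...


@dataclass
class RotationResult:
    policy_name: str
    approle_name: str
    policy_written: bool   # policy was missing or had drifted
    approle_existed: bool  # old SecretIDs were revoked


def rotate_environment_approle(
    client: VaultClientLike,
    environment: str,
    secrets_path: str,
    token_lifetime: timedelta = timedelta(hours=24),
) -> RotationResult:
    """Ensure a read-only policy and a bounded-lifetime AppRole exist,
    revoking every previously issued SecretID when the role already exists.
    """
    policy_name = f"phalanx-{environment}-read"
    approle_name = f"phalanx-{environment}"
    wanted = read_only_policy(secrets_path)

    # Rewrite only on change, so the routine is idempotent but still
    # resets a policy that drifted (e.g. someone added "delete").
    policy_written = client.get_policy(policy_name) != wanted
    if policy_written:
        client.create_policy(policy_name, wanted)

    approle_existed = client.get_approle(approle_name) is not None
    if approle_existed:
        client.revoke_approle_secret_ids(approle_name)
    client.create_approle(approle_name, [policy_name], token_lifetime=token_lifetime)
    return RotationResult(policy_name, approle_name, policy_written, approle_existed)


@dataclass
class FakeVaultClient:
    """Constructed in-memory stand-in; same method names as VaultClient."""

    policies: dict[str, str] = field(default_factory=dict)
    approles: dict[str, dict[str, Any]] = field(default_factory=dict)
    revoked: list[str] = field(default_factory=list)

    def get_policy(self, name: str) -> str | None:
        return self.policies.get(name)

    def create_policy(self, name: str, policy: str) -> None:
        self.policies[name] = policy

    def get_approle(self, name: str) -> dict[str, Any] | None:
        return self.approles.get(name)

    def create_approle(self, name, policies, *, token_lifetime=None):
        self.approles[name] = {"policies": list(policies), "token_lifetime": token_lifetime}
        return self.approles[name]

    def revoke_approle_secret_ids(self, name: str) -> None:
        self.revoked.append(name)


if __name__ == "__main__":
    fake = FakeVaultClient()
    print(rotate_environment_approle(fake, "demo", "phalanx/demo"))
    print(rotate_environment_approle(fake, "demo", "phalanx/demo"))  # revokes old SecretIDs
    print(vault_duration(timedelta(hours=1, minutes=30)))  # 5400s
```

Running the routine twice is the interesting case: the second call finds the policy unchanged, sees the AppRole already exists, and revokes all outstanding SecretIDs before the role is rewritten, so any SecretID that leaked before rotation stops working. The token_lifetime bound caps how long a token minted from a stolen SecretID stays valid, and vault_duration converts the same timedelta into the string form create_token wants.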

revoke_token(accessor)

Revoke a token by accessor.

Parameters:

accessor (str) – Accessor of token.

Return type:

None

store_application_secret(application, values)

Store the full set of secrets for an application.

Parameters:
  • application (str) – Name of the application.

  • values (dict[str, SecretStr]) – Secret key and value pairs.

Return type:

None

update_application_secret(application, key, value)

Update the value of a specific secret key.

Parameters:
  • application (str) – Name of the application.

  • key (str) – Key within that application’s secret to update.

  • value (SecretStr) – New value for that secret key.

Return type:

None