VaultClient
- class phalanx.storage.vault.VaultClient(url, path, credentials=None)
Bases: object
Store, retrieve, and manipulate data stored in Vault.
This client is specific to a particular Phalanx environment. It is created using the metadata of a Phalanx environment by VaultStorage. If neither approle nor token is given, token authentication is used and the token is taken from the VAULT_TOKEN environment variable or a .vault-token file in the user's home directory.
- url
URL of the configured Vault server.
- path
Prefix path within Vault where secrets are stored.
- Parameters:
url (str) – URL of the Vault server.
path (str) – Path within that Vault server where secrets for an environment are stored.
credentials (VaultCredentials | None, default: None) – Credentials to use for authentication. If this is not set, fall back on the default library behavior of getting the token from the environment or the user's home directory.
Methods Summary
- create_approle(name, policies, *[, ...]) – Create a new Vault AppRole for secret access.
- create_policy(name, policy) – Create a policy allowing read of secrets for this environment.
- create_token(display_name, policies, lifetime) – Create a new Vault token.
- delete_application_secret(application) – Delete the secrets for an application currently stored in Vault.
- get_application_secret(application) – Get the secrets for an application currently stored in Vault.
- get_approle(name) – Retrieve metadata about a Vault AppRole if it exists.
- get_environment_secrets([exclude]) – Get the secrets for an environment currently stored in Vault.
- get_policy(name) – Get the contents of a Vault policy.
- get_token(accessor) – Get a token by accessor.
- list_application_secrets() – List the available application secrets in Vault.
- list_token_accessors() – List the accessors of all known tokens.
- revoke_approle_secret_ids(name) – Revoke all existing SecretIDs for a Vault AppRole.
- revoke_token(accessor) – Revoke a token by accessor.
- store_application_secret(application, values) – Store the full set of secrets for an application.
- update_application_secret(application, key, ...) – Update the value of a specific secret key.
Methods Documentation
- create_approle(name, policies, *, token_lifetime=None)
Create a new Vault AppRole for secret access.
- Parameters:
- Returns:
Newly-created AppRole.
- Return type:
- create_policy(name, policy)
Create a policy allowing read of secrets for this environment.
- create_token(display_name, policies, lifetime)
Create a new Vault token.
- Parameters:
- Returns:
Newly-created Vault token.
- Return type:
- delete_application_secret(application)
Delete the secrets for an application currently stored in Vault.
If the secret does not exist, this still returns success without raising an exception.
- get_application_secret(application)
Get the secrets for an application currently stored in Vault.
- Parameters:
application (str) – Name of the application.
- Returns:
Mapping from secret key to its secret from Vault.
- Return type:
dict of pydantic.types.SecretStr
- Raises:
VaultNotFoundError – Raised if the requested secret was not found in Vault.
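As an added example (not Phalanx code), the audit below relies only on the documented contract of get_application_secret: it compares the key set stored for one application with the keys the deployment expects and reports key names only, never values. FakeVaultClient, SecretStr and VaultNotFoundError are constructed stand-ins so the audit runs without a Vault server; a real VaultClient can be passed in the fake's place.

```python
from dataclasses import dataclass, field


class VaultNotFoundError(Exception):
    """Stand-in for the VaultNotFoundError the docs reference (assumed name)."""


class SecretStr:
    """Minimal stand-in for pydantic.types.SecretStr (value only via accessor)."""
    def __init__(self, value: str) -> None:
        self._value = value

    def get_secret_value(self) -> str:
        return self._value


class FakeVaultClient:
    """Constructed in-memory client with the documented contract of
    get_application_secret: dict of SecretStr, VaultNotFoundError if missing."""
    def __init__(self, store: dict[str, dict[str, str]]) -> None:
        self._store = {app: dict(values) for app, values in store.items()}

    def get_application_secret(self, application: str) -> dict[str, SecretStr]:
        if application not in self._store:
            raise VaultNotFoundError(f"no secret stored for {application}")
        return {k: SecretStr(v) for k, v in self._store[application].items()}


@dataclass
class AuditResult:
    application: str
    found: bool
    missing: set[str] = field(default_factory=set)  # expected but not stored
    unexpected: set[str] = field(default_factory=set)  # stored but not expected
    empty: set[str] = field(default_factory=set)  # stored with an empty value

    @property
    def ok(self) -> bool:
        return self.found and not (self.missing or self.unexpected or self.empty)


def audit_application_secrets(client, application: str, expected: set[str]) -> AuditResult:
    """Compare stored keys with the expected set; the report carries key names only."""
    try:
        secrets = client.get_application_secret(application)
    except VaultNotFoundError:
        return AuditResult(application, found=False, missing=set(expected))
    stored = set(secrets)
    empty = {k for k, v in secrets.items() if not v.get_secret_value()}
    return AuditResult(application, True, expected - stored, stored - expected, empty)
```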
- get_approle(name)
Retrieve metadata about a Vault AppRole if it exists.
- Parameters:
approle – Name of the AppRole.
name (str)
- Returns:
Metadata about the AppRole if it exists, else None.
- Return type:
VaultAppRoleMetadata or None
- get_environment_secrets(exclude=None)
Get the secrets for an environment currently stored in Vault.
- get_policy(name)
Get the contents of a Vault policy.
- get_token(accessor)
Get a token by accessor.
- Parameters:
accessor (str) – Accessor for the token.
- Returns:
Metadata for the token, or None if no token exists with that accessor.
- Return type:
VaultTokenMetadata or None
- Raises:
hvac.exceptions.Forbidden – Raised if the caller doesn't have access to retrieve this accessor.
- list_application_secrets()
List the available application secrets in Vault.
- Returns:
Names of available application secrets.
- Return type:
- Raises:
VaultNotFoundError – Raised if the path for application secrets does not exist or if the Vault server returned a permission denied error. Unfortunately, because the Vault server sometimes returns permission denied if the path doesn't exist, there's no good way to distinguish between these errors.
- list_token_accessors()
List the accessors of all known tokens.
- revoke_approle_secret_ids(name)
Revoke all existing SecretIDs for a Vault AppRole.
- revoke_token(accessor)
Revoke a token by accessor.
- store_application_secret(application, values)
Store the full set of secrets for an application.