VaultService

class phalanx.services.vault.VaultService(config_storage, vault_storage)

Bases: object

Service to manage Vault authentication.

Parameters:
  • config_storage (ConfigStorage) – Storage object for the Phalanx configuration.

  • vault_storage (VaultStorage) – Storage object for Vault.

Methods Summary

audit(environment)

Audit the Vault authentication configuration for an environment.

create_read_approle(environment)

Create a new Vault read AppRole for the given environment.

create_write_token(environment, lifetime)

Create a new Vault write token for the given environment.

Methods Documentation

audit(environment)

Audit the Vault authentication configuration for an environment.

Parameters:

environment (str) – Name of the environment.

Returns:

Human-readable text report of any problems found.

Return type:

str

create_read_approle(environment)

Create a new Vault read AppRole for the given environment.

This will create (or update) a read policy whose name is the Vault secrets path with the first component (the mount) removed and /read appended, and an AppRole whose name is the last component of the Vault secrets path.

Conventionally, the Vault secrets path will be phalanx/fqdn where the last component is the FQDN of the deployed Phalanx environment, so the policy name will be phalanx/fqdn/read and the AppRole name will be fqdn.

Parameters:

environment (str) – Name of the environment.

Returns:

Newly-created Vault AppRole.

Return type:

VaultAppRole

create_write_token(environment, lifetime)

Create a new Vault write token for the given environment.

This will create (or update) a read policy whose name is the Vault secrets path with the first component (the mount) removed and /write appended. Any existing write tokens will be revoked.

Must be called with credentials capable of creating tokens and policies and listing accessors of existing tokens.

Parameters:
  • environment (str) – Name of the environment.

  • lifetime (str) – Token lifetime in Vault duration format.

Returns:

Newly-created Vault token.

Return type:

VaultToken
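As an added illustration (not Phalanx's own code), the following applies the naming rule shared by create_read_approle and create_write_token to a secrets path and then runs an audit-style check in the spirit of audit(), flagging a missing policy or AppRole and more than one live token carrying the write policy. The mount name "secret", the shape of the inventory passed in, and the report wording are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultNames:
    read_policy: str
    write_policy: str
    approle: str


def derive_names(secrets_path: str) -> VaultNames:
    """Naming rule from create_read_approle / create_write_token: drop the
    first component (the mount), append /read or /write for the policies,
    and name the AppRole after the last component (conventionally the FQDN)."""
    parts = [p for p in secrets_path.strip("/").split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"need a mount plus at least one component: {secrets_path!r}")
    below_mount = "/".join(parts[1:])
    return VaultNames(f"{below_mount}/read", f"{below_mount}/write", parts[-1])


def audit_report(names: VaultNames, policies: set[str], approles: set[str],
                 token_policies: dict[str, list[str]]) -> str:
    """Human-readable problem list, "" when clean (report wording is assumed).
    token_policies maps a token accessor to the policies on that token."""
    problems = []
    for policy in (names.read_policy, names.write_policy):
        if policy not in policies:
            problems.append(f"missing policy {policy}")
    if names.approle not in approles:
        problems.append(f"missing AppRole {names.approle}")
    # create_write_token revokes earlier write tokens, so more than one live
    # token carrying the write policy means a stale token was left behind.
    write_tokens = sorted(a for a, pols in token_policies.items() if names.write_policy in pols)
    if len(write_tokens) > 1:
        problems.append(f"{len(write_tokens)} live write tokens ({', '.join(write_tokens)})")
    return "\n".join(problems)


# Constructed inventory for a fictitious environment; mount "secret" is assumed.
SAMPLE_PATH = "secret/phalanx/phalanx.example.org"
SAMPLE_POLICIES = {"phalanx/phalanx.example.org/read"}
SAMPLE_APPROLES = {"phalanx.example.org"}
SAMPLE_TOKENS = {"accessor-old": ["phalanx/phalanx.example.org/write"],
                 "accessor-new": ["phalanx/phalanx.example.org/write"]}


def sample_report() -> str:
    return audit_report(derive_names(SAMPLE_PATH), SAMPLE_POLICIES, SAMPLE_APPROLES, SAMPLE_TOKENS)
```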