VaultClient#

class phalanx.storage.vault.VaultClient(url, path)#

Bases: object

Store, retrieve, and manipulate data stored in Vault.

This client is specific to a particular Phalanx environment. It is created using the metadata of a Phalanx environment by VaultStorage.

The Vault authentication token is taken from either the VAULT_TOKEN environment variable or a .vault-token file in the user’s home directory.

Parameters:

  • url (str) – URL of the Vault server.

  • path (str) – Path within that Vault server where secrets for an environment are stored.

Methods Summary

create_approle(name, policies)

Create a new Vault AppRole for secret access.

create_policy(name, policy)

Create a policy allowing read of secrets for this environment.

create_token(display_name, policies, lifetime)

Create a new Vault token.

delete_application_secret(application)

Delete the secrets for an application currently stored in Vault.

get_application_secret(application)

Get the secrets for an application currently stored in Vault.

get_approle(name)

Retrieve metadata about a Vault AppRole if it exists.

get_environment_secrets()

Get the secrets for an environment currently stored in Vault.

get_policy(name)

Get the contents of a Vault policy.

get_token(accessor)

Get a token by accessor.

list_application_secrets()

List the available application secrets in Vault.

list_token_accessors()

List the accessors of all known tokens.

revoke_approle_secret_ids(name)

Revoke all existing SecretIDs for a Vault AppRole.

revoke_token(accessor)

Revoke a token by accessor.

store_application_secret(application, values)

Store the full set of secrets for an application.

update_application_secret(application, key, ...)

Update the value of a specific secret key.

Methods Documentation

create_approle(name, policies)#

Create a new Vault AppRole for secret access.

Parameters:

  • name (str) – Name of the AppRole to create.

  • policies (list[str]) – Policies to assign to that AppRole.

Returns:

Newly-created AppRole.

Return type:

VaultAppRole

create_policy(name, policy)#

Create a policy allowing read of secrets for this environment.

Parameters:

  • name (str) – Name of policy to create.

  • policy (str) – Text of the policy.

Return type:

None

create_token(display_name, policies, lifetime)#

Create a new Vault token.

Parameters:

  • display_name (str) – Display name of the token. This must begin with token-, which is stripped off when creating the token since it will be added by Vault.

  • policies (list[str]) – Policies to assign to that token.

  • lifetime (str) – Lifetime of the token as a Vault duration string.

Returns:

Newly-created Vault token.

Return type:

VaultToken

delete_application_secret(application)#

Delete the secrets for an application currently stored in Vault.

If the secret does not exist, still returns success without raising an exception.

Parameters:

application (str) – Name of the application.

Return type:

None

get_application_secret(application)#

Get the secrets for an application currently stored in Vault.

Parameters:

application (str) – Name of the application.

Returns:

Mapping from secret key to its secret from Vault.

Return type:

dict of pydantic.types.SecretStr

Raises:

VaultNotFoundError – Raised if the requested secret was not found in Vault.

get_approle(name)#

Retrieve metadata about a Vault AppRole if it exists.

Parameters:

  • approle – Name of the AppRole.

  • name (str) –

Returns:

Metadata about the AppRole if it exists, else None.

Return type:

VaultAppRoleMetadata or None

get_environment_secrets()#

Get the secrets for an environment currently stored in Vault.

Returns:

Mapping from application to secret key to its secret from Vault.

Return type:

dict of dict

get_policy(name)#

Get the contents of a Vault policy.

Parameters:

name (str) – Name of the policy.

Returns:

Text of the policy, or None if it does not exist.

Return type:

str or None

get_token(accessor)#

Get a token by accessor.

Parameters:

accessor (str) – Accessor for the token.

Returns:

Metadata for the token, or None if no token exists with that accessor.

Return type:

VaultTokenMetadata or None

list_application_secrets()#

List the available application secrets in Vault.

Returns:

Names of available application secrets.

Return type:

list of str

Raises:

VaultNotFoundError – Raised if the path for application secrets does not exist.

list_token_accessors()#

List the accessors of all known tokens.

Returns:

Accessors for all known tokens.

Return type:

list of str

revoke_approle_secret_ids(name)#

Revoke all existing SecretIDs for a Vault AppRole.

Parameters:

name (str) – Name of the AppRole.

Return type:

None

revoke_token(accessor)#

Revoke a token by accessor.

Parameters:

accessor (str) – Accessor of token.

Return type:

None

store_application_secret(application, values)#

Store the full set of secrets for an application.

Parameters:

  • application (str) – Name of the application.

  • values (dict[str, SecretStr]) – Secret key and value pairs.

Return type:

None

update_application_secret(application, key, value)#

Update the value of a specific secret key.

Parameters:

  • application (str) – Name of the application.

  • key (str) – Key within that application’s secret to update.

  • value (SecretStr) – New value for that secret key.

Return type:

None