Mount
Manipulate secret backends
backends = client.sys.list_mounted_secrets_engines()['data']
client.sys.enable_secrets_engine('aws', path='aws-us-east-1')
client.sys.disable_secrets_engine('mysql')
client.sys.tune_mount_configuration(path='test', default_lease_ttl='3600s', max_lease_ttl='8600s')
client.sys.read_mount_configuration(path='test')
client.sys.move_backend('aws-us-east-1', 'aws-east')
List Mounted Secrets Engines
Mount.list_mounted_secrets_engines()
Lists all the mounted secrets engines.
- Supported methods:
- POST: /sys/mounts. Produces: 200 application/json
Returns: JSON response of the request. Return type: dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
secrets_engines_list = client.sys.list_mounted_secrets_engines()['data']
print('The following secrets engines are mounted: %s' % ', '.join(sorted(secrets_engines_list.keys())))
Example output:
The following secrets engines are mounted: cubbyhole/, identity/, secret/, sys/
Enable Secrets Engine
Mount.enable_secrets_engine(backend_type, path=None, description=None, config=None, plugin_name=None, options=None, local=False, seal_wrap=False, **kwargs)
Enable a new secrets engine at the given path.
- Supported methods:
- POST: /sys/mounts/{path}. Produces: 204 (empty body)
Parameters:
- backend_type (str | unicode) – The name of the backend type, such as "github" or "token".
- path (str | unicode) – The path to mount the method on. If not provided, defaults to the value of the "backend_type" argument.
- description (str | unicode) – A human-friendly description of the mount.
- config (dict) – Configuration options for this mount. These are the possible values:
  - default_lease_ttl: The default lease duration, specified as a string duration like "5s" or "30m".
  - max_lease_ttl: The maximum lease duration, specified as a string duration like "5s" or "30m".
  - force_no_cache: Disable caching.
  - plugin_name: The name of the plugin in the plugin catalog to use.
  - audit_non_hmac_request_keys: Comma-separated list of keys that will not be HMAC'd by audit devices in the request data object.
  - audit_non_hmac_response_keys: Comma-separated list of keys that will not be HMAC'd by audit devices in the response data object.
  - listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint ("unauth" or "hidden").
  - passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request to the backend.
- options (dict) – Specifies mount type specific options that are passed to the backend.
  - version: <KV> The version of the KV to mount. Set to "2" to mount KV v2.
- plugin_name (str | unicode) – Specifies the name of the plugin to use, based on the name in the plugin catalog. Applies only to plugin backends.
- local (bool) – <Vault enterprise only> Specifies if the auth method is local only. Local auth methods are not replicated nor (if a secondary) removed by replication.
- seal_wrap (bool) – <Vault enterprise only> Enable seal wrapping for the mount.
- kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secrets engine for details on which extra keyword arguments you might want to pass.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.enable_secrets_engine(
    backend_type='kv',
    path='hvac-kv',
)
Disable Secrets Engine
Mount.disable_secrets_engine(path)
Disable the mount point specified by the provided path.
- Supported methods:
- DELETE: /sys/mounts/{path}. Produces: 204 (empty body)
Parameters: path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.disable_secrets_engine(
    path='hvac-kv',
)
Read Mount Configuration
Mount.read_mount_configuration(path)
Read the given mount's configuration.
Unlike the mounts endpoint, this will return the current time in seconds for each TTL, which may be the system default or a mount-specific value.
- Supported methods:
- GET: /sys/mounts/{path}/tune. Produces: 200 application/json
Parameters: path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
Returns: The JSON response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
secret_backend_tuning = client.sys.read_mount_configuration(path='hvac-kv')
print('The max lease TTL for the "hvac-kv" backend is: {max_lease_ttl}'.format(
    max_lease_ttl=secret_backend_tuning['data']['max_lease_ttl'],
))
Example output:
The max lease TTL for the "hvac-kv" backend is: 2764800
Tune Mount Configuration
Mount.tune_mount_configuration(path, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None, options=None, force_no_cache=None, **kwargs)
Tune configuration parameters for a given mount point.
- Supported methods:
- POST: /sys/mounts/{path}/tune. Produces: 204 (empty body)
Parameters:
- path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
- mount_point (str) – The path the associated secret backend is mounted on.
- description (str) – Specifies the description of the mount. This overrides the current stored value, if any.
- default_lease_ttl (int) – Default time-to-live. This overrides the global default. A value of 0 is equivalent to the system default TTL.
- max_lease_ttl (int) – Maximum time-to-live. This overrides the global default. A value of 0 is equivalent to the system max TTL.
- audit_non_hmac_request_keys (list) – Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_non_hmac_response_keys (list) – Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the response data object.
- listing_visibility (str) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "".
- passthrough_request_headers (str) – Comma-separated list of headers to whitelist and pass from the request to the backend.
- options (dict) – Specifies mount type specific options that are passed to the backend.
  - version: <KV> The version of the KV to mount. Set to "2" to mount KV v2.
- force_no_cache (bool) – Disable caching.
- kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secrets engine for details on which extra keyword arguments you might want to pass.
Returns: The response from the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.tune_mount_configuration(
    path='hvac-kv',
    default_lease_ttl='3600s',
    max_lease_ttl='8600s',
)
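Several mount options described under enable_secrets_engine and tune_mount_configuration (listing_visibility, audit_non_hmac_request_keys, audit_non_hmac_response_keys, passthrough_request_headers, max_lease_ttl) affect what a mount exposes, so they are worth reviewing across every mount. The following is an added example, not part of hvac or its documentation: it audits a dict shaped like the result of client.sys.list_mounted_secrets_engines()['data']. SAMPLE_MOUNTS is constructed data whose layout is an assumption, and audit_mounts, _as_list and max_ttl_limit are hypothetical names.

```python
# Constructed sample shaped like client.sys.list_mounted_secrets_engines()['data'];
# the exact response layout (integer TTLs in seconds, nested "config") is an assumption.
SAMPLE_MOUNTS = {
    "secret/": {"type": "kv", "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
    "hvac-kv/": {"type": "kv", "config": {
        "default_lease_ttl": 3600, "max_lease_ttl": 2764800,
        "listing_visibility": "unauth",
        "audit_non_hmac_request_keys": ["password", "token"],
    }},
    "aws-east/": {"type": "aws", "config": {
        "default_lease_ttl": 3600, "max_lease_ttl": 8600,
        "passthrough_request_headers": "X-Forwarded-For, Authorization",
        "audit_non_hmac_response_keys": "",
    }},
}

def _as_list(value):
    """Accept a list or a comma-separated string; return the non-empty items."""
    if not value:
        return []
    items = value.split(",") if isinstance(value, str) else value
    return [item.strip() for item in items if item.strip()]

def audit_mounts(mounts, max_ttl_limit=86400):
    """Return sorted (path, finding) tuples for mount settings worth a review."""
    findings = []
    for path, mount in mounts.items():
        config = mount.get("config") or {}
        if config.get("listing_visibility") == "unauth":
            findings.append((path, "listed to unauthenticated UI requests"))
        for field in ("audit_non_hmac_request_keys", "audit_non_hmac_response_keys"):
            keys = _as_list(config.get(field))
            if keys:  # these values are written to audit logs without HMAC
                findings.append((path, "%s not HMAC'd in audit logs: %s" % (field, ", ".join(keys))))
        headers = _as_list(config.get("passthrough_request_headers"))
        if headers:
            findings.append((path, "passes request headers to backend: " + ", ".join(headers)))
        max_ttl = config.get("max_lease_ttl")
        # 0 means the system max TTL applies, so only explicit values are compared.
        if isinstance(max_ttl, int) and max_ttl > max_ttl_limit:
            findings.append((path, "max_lease_ttl %ds exceeds limit %ds" % (max_ttl, max_ttl_limit)))
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in audit_mounts(SAMPLE_MOUNTS):
        print("%-10s %s" % (path, finding))
```

Against a live server, pass client.sys.list_mounted_secrets_engines()['data'] in place of SAMPLE_MOUNTS.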
Move Backend
Mount.move_backend(from_path, to_path)
Move an already-mounted backend to a new mount point.
- Supported methods:
- POST: /sys/remount. Produces: 204 (empty body)
Parameters:
- from_path (str | unicode) – Specifies the previous mount point.
- to_path (str | unicode) – Specifies the new destination mount point.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.move_backend(
    from_path='hvac-kv',
    to_path='kv-hvac',
)