hvac.v1¶
-
class hvac.v1.Client
(url=u'http://localhost:8200', token=None, cert=None, verify=True, timeout=30, proxies=None, allow_redirects=True, session=None, adapter=None)[source]¶ Bases: object
The hvac Client class for HashiCorp’s Vault.
-
__init__
(url=u'http://localhost:8200', token=None, cert=None, verify=True, timeout=30, proxies=None, allow_redirects=True, session=None, adapter=None)[source]¶ Creates a new hvac client instance.
Parameters: - url (str) – Base URL for the Vault instance being addressed.
- token (str) – Authentication token to include in requests sent to Vault.
- cert (tuple) – Certificates for use in requests sent to the Vault instance. This should be a tuple with the certificate and then key.
- verify (Union[bool,str]) – Either a boolean to indicate whether TLS verification should be performed when sending requests to Vault, or a string pointing at the CA bundle to use for verification. See http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification.
- timeout (int) – The timeout value for requests sent to Vault.
- proxies (dict) – Proxies to use when performing requests. See: http://docs.python-requests.org/en/master/user/advanced/#proxies
- allow_redirects (bool) – Whether to follow redirects when sending requests to Vault.
- session (requests.Session) – Optional session object to use when performing requests.
- adapter (hvac.adapters.Adapter) – Optional class to be used for performing requests. If none is provided, defaults to hvac.adapters.Request.
-
adapter
¶
-
allow_redirects
¶
-
audit_hash
(name, input)[source]¶ POST /sys/audit-hash
Parameters: - name –
- input –
Returns: Return type:
-
auth
(url, use_token=True, **kwargs)[source]¶ Performs a request (typically to a path prefixed with “/v1/auth”) and optionally stores the client token sent in the resulting Vault response for use by the hvac.adapters.Adapter() instance under the _adapter Client attribute.
Parameters: - url (str | unicode) – Path to send the authentication request to.
- use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.
- kwargs (dict) – Additional keyword arguments to include in the params sent with the request.
Returns: The response of the auth request.
Return type: requests.Response
-
auth_app_id
(app_id, user_id, mount_point=u'app-id', use_token=True)[source]¶ POST /auth/<mount point>/login
Parameters: - app_id –
- user_id –
- mount_point –
- use_token –
Returns: Return type:
-
auth_approle
(role_id, secret_id=None, mount_point=u'approle', use_token=True)[source]¶ POST /auth/<mount_point>/login
Parameters: - role_id –
- secret_id –
- mount_point –
- use_token –
Returns: Return type:
-
auth_aws_iam
(access_key, secret_key, session_token=None, header_value=None, mount_point=u'aws', role=u'', use_token=True, region=u'us-east-1')[source]¶ POST /auth/<mount point>/login
Parameters: - access_key (str) – AWS IAM access key ID
- secret_key (str) – AWS IAM secret access key
- session_token (str) – Optional AWS IAM session token retrieved via a GetSessionToken AWS API request. see: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
- header_value (str) – Vault allows you to require an additional header, X-Vault-AWS-IAM-Server-ID, to be present to mitigate against different types of replay attacks. Depending on the configuration of the AWS auth backend, providing an argument to this optional parameter may be required.
- mount_point (str) – The “path” the AWS auth backend was mounted on. Vault currently defaults to “aws”. “aws-ec2” is the default argument for backwards compatibility within this module.
- role (str) – Name of the role against which the login is being attempted. If role is not specified, then the login endpoint looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login if using the ec2 auth method, or the “friendly name” (i.e., role name or username) of the IAM principal authenticated. If a matching role is not found, login fails.
- use_token (bool.) – If True, uses the token in the response received from the auth request to set the “token” attribute on the current Client class instance.
Returns: The response from the AWS IAM login request attempt.
Return type: requests.Response
-
auth_cubbyhole
(token)[source]¶ POST /v1/sys/wrapping/unwrap
Parameters: token – Returns: Return type:
-
auth_ec2
(pkcs7, nonce=None, role=None, use_token=True, mount_point=u'aws-ec2')[source]¶ POST /auth/<mount point>/login
Parameters: - pkcs7 (str.) – PKCS#7 version of an AWS Instance Identity Document from the EC2 Metadata Service.
- nonce (str.) – Optional nonce returned as part of the original authentication request. Not required if the backend has “allow_instance_migration” or “disallow_reauthentication” options turned on.
- role (str.) – Identifier for the AWS auth backend role being requested.
- use_token (bool.) – If True, uses the token in the response received from the auth request to set the “token” attribute on the current Client class instance.
- mount_point (str.) – The “path” the AWS auth backend was mounted on. Vault currently defaults to “aws”. “aws-ec2” is the default argument for backwards compatibility within this module.
Returns: parsed JSON response from the auth POST request
Return type: dict.
-
auth_gcp
(role, jwt, mount_point=u'gcp', use_token=True)[source]¶ POST /auth/<mount point>/login
Parameters: - role (str.) – identifier for the GCP auth backend role being requested
- jwt (str.) – JSON Web Token from the GCP metadata service
- mount_point (str.) – The “path” the GCP auth backend was mounted on. Vault currently defaults to “gcp”.
- use_token (bool.) – if True, uses the token in the response received from the auth request to set the “token” attribute on the current Client class instance.
Returns: parsed JSON response from the auth POST request
Return type: dict.
-
auth_github
(**kwargs)[source]¶ Call to deprecated function ‘auth_github’. This method will be removed in version ‘0.8.0’. Please use the ‘login’ method on the ‘hvac.api.auth.github’ class moving forward.
Docstring content from this method’s replacement copied below: Login using GitHub access token.
Supported methods:
POST: /auth/{mount_point}/login. Produces: 200 application/json
Parameters: - token (str | unicode) – GitHub personal API token.
- use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The JSON response of the login request.
Return type: dict
-
auth_kubernetes
(role, jwt, use_token=True, mount_point=u'kubernetes')[source]¶ POST /auth/<mount_point>/login
Parameters: - role (str.) – Name of the role against which the login is being attempted.
- jwt (str.) – Signed JSON Web Token (JWT) for authenticating a service account.
- use_token (bool.) – if True, uses the token in the response received from the auth request to set the “token” attribute on the current Client class instance.
- mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.
Returns: Parsed JSON response from the config POST request.
Return type: dict.
-
auth_ldap
(**kwargs)[source]¶ Call to deprecated function ‘auth_ldap’. This method will be removed in version ‘0.8.0’. Please use the ‘login’ method on the ‘hvac.api.auth.ldap’ class moving forward.
Docstring content from this method’s replacement copied below: Log in with LDAP credentials.
Supported methods:
POST: /auth/{mount_point}/login/{username}. Produces: 200 application/json
Parameters: - username (str | unicode) – The username of the LDAP user
- password (str | unicode) – The password for the LDAP user
- use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The response of the login_with_user request.
Return type: requests.Response
-
auth_tls
(mount_point=u'cert', use_token=True)[source]¶ POST /auth/<mount point>/login
Parameters: - mount_point –
- use_token –
Returns: Return type:
-
auth_userpass
(username, password, mount_point=u'userpass', use_token=True, **kwargs)[source]¶ POST /auth/<mount point>/login/<username>
Parameters: - username –
- password –
- mount_point –
- use_token –
- kwargs –
Returns: Return type:
-
close
(**kwargs)[source]¶ Call to deprecated function ‘close’. This method will be removed in version ‘0.8.0’. Please use the ‘close’ method on the ‘hvac.adapters’ class moving forward. Docstring content from this method’s replacement copied below: Close the underlying Requests session.
-
create_app_id
(app_id, policies, display_name=None, mount_point=u'app-id', **kwargs)[source]¶ POST /auth/<mount point>/map/app-id/<app_id>
Parameters: - app_id –
- policies –
- display_name –
- mount_point –
- kwargs –
Returns: Return type:
-
create_ec2_role
(role, bound_ami_id=None, bound_account_id=None, bound_iam_role_arn=None, bound_iam_instance_profile_arn=None, bound_ec2_instance_id=None, bound_region=None, bound_vpc_id=None, bound_subnet_id=None, role_tag=None, ttl=None, max_ttl=None, period=None, policies=None, allow_instance_migration=False, disallow_reauthentication=False, resolve_aws_unique_ids=None, mount_point=u'aws-ec2')[source]¶ POST /auth/<mount_point>/role/<role>
Parameters: - role –
- bound_ami_id –
- bound_account_id –
- bound_iam_role_arn –
- bound_iam_instance_profile_arn –
- bound_ec2_instance_id –
- bound_region –
- bound_vpc_id –
- bound_subnet_id –
- role_tag –
- ttl –
- max_ttl –
- period –
- policies –
- allow_instance_migration –
- disallow_reauthentication –
- resolve_aws_unique_ids –
- mount_point –
Returns: Return type:
-
create_ec2_role_tag
(role, policies=None, max_ttl=None, instance_id=None, disallow_reauthentication=False, allow_instance_migration=False, mount_point=u'aws-ec2')[source]¶ POST /auth/<mount_point>/role/<role>/tag
Parameters: - role –
- policies –
- max_ttl –
- instance_id –
- disallow_reauthentication –
- allow_instance_migration –
- mount_point –
Returns: Return type:
-
create_kubernetes_configuration
(kubernetes_host, kubernetes_ca_cert=None, token_reviewer_jwt=None, pem_keys=None, mount_point=u'kubernetes')[source]¶ POST /auth/<mount_point>/config
Parameters: - kubernetes_host (str.) – A host:port pair, or a URL to the base of the Kubernetes API server.
- kubernetes_ca_cert (str.) – PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
- token_reviewer_jwt (str.) – A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
- pem_keys (list.) – Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
- mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.
Returns: Will be an empty body with a 204 status code upon success
Return type: requests.Response.
-
create_kubernetes_role
(name, bound_service_account_names, bound_service_account_namespaces, ttl=u'', max_ttl=u'', period=u'', policies=None, mount_point=u'kubernetes')[source]¶ POST /auth/<mount_point>/role/:name
Parameters: - name (str.) – Name of the role.
- bound_service_account_names (list.) – List of service account names able to access this role. If set to “*”, all names are allowed; this and bound_service_account_namespaces cannot both be “*”.
- bound_service_account_namespaces (list.) – List of namespaces allowed to access this role. If set to “*”, all namespaces are allowed; this and bound_service_account_names cannot both be set to “*”.
- ttl (str.) – The TTL period of tokens issued using this role in seconds.
- max_ttl (str.) – The maximum allowed lifetime of tokens issued in seconds using this role.
- period (str.) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this parameter.
- policies (list.) – Policies to be set on tokens issued using this role
- mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.
Returns: Will be an empty body with a 204 status code upon success
Return type: requests.Response.
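A pre-flight check for the arguments documented above, written as an added example that is not part of hvac. The helper name `validate_kubernetes_role_args` is hypothetical, and the `ttl` versus `max_ttl` comparison is a local hygiene rule assumed here, not something this reference states; the wildcard rule comes from the parameter descriptions.

```python
"""Validate arguments before handing them to Client.create_kubernetes_role.

Added example, not hvac code. validate_kubernetes_role_args is a hypothetical
helper; it never contacts Vault and only inspects the values it is given.
"""

WILDCARD = "*"


class RoleArgError(ValueError):
    """Raised when the role arguments break a documented or local rule."""


def _as_list(value, field):
    # The reference documents these parameters as lists. A bare string is
    # accepted too, since "*" is often written without the list wrapper.
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, (list, tuple)) or not value:
        raise RoleArgError("%s must be a non-empty list" % field)
    cleaned = [str(item).strip() for item in value]
    if any(not item for item in cleaned):
        raise RoleArgError("%s contains an empty entry" % field)
    return cleaned


def _seconds(value, field):
    # ttl, max_ttl and period are documented as strings holding seconds;
    # the empty-string default means "not set".
    if value is None or value == "":
        return None
    try:
        number = int(value)
    except (TypeError, ValueError):
        raise RoleArgError("%s must be a whole number of seconds" % field)
    if number < 0:
        raise RoleArgError("%s must not be negative" % field)
    return number


def validate_kubernetes_role_args(name, bound_service_account_names,
                                  bound_service_account_namespaces,
                                  ttl="", max_ttl="", period="", policies=None):
    """Return (kwargs, warnings); raise RoleArgError on a hard failure."""
    if not name or not str(name).strip():
        raise RoleArgError("name must be set")
    names = _as_list(bound_service_account_names, "bound_service_account_names")
    namespaces = _as_list(bound_service_account_namespaces,
                          "bound_service_account_namespaces")

    names_wild = WILDCARD in names
    namespaces_wild = WILDCARD in namespaces
    # Documented rule: the two bindings cannot both be "*".
    if names_wild and namespaces_wild:
        raise RoleArgError("service account names and namespaces cannot both be '*'")

    warnings = []
    if names_wild:
        warnings.append("every service account in %s can use role %s"
                        % (", ".join(namespaces), name))
    if namespaces_wild:
        warnings.append("service accounts named %s in any namespace can use role %s"
                        % (", ".join(names), name))

    ttl_s = _seconds(ttl, "ttl")
    max_ttl_s = _seconds(max_ttl, "max_ttl")
    period_s = _seconds(period, "period")
    # Local hygiene rule (assumption): a ttl above max_ttl is a mistake.
    if ttl_s is not None and max_ttl_s is not None and ttl_s > max_ttl_s:
        raise RoleArgError("ttl (%d) exceeds max_ttl (%d)" % (ttl_s, max_ttl_s))
    # Documented behaviour: with period set, the token never expires as long
    # as it keeps being renewed, so flag it for review.
    if period_s is not None:
        warnings.append("period=%d: tokens never expire while renewed" % period_s)

    kwargs = {
        "name": str(name).strip(),
        "bound_service_account_names": names,
        "bound_service_account_namespaces": namespaces,
        "ttl": ttl,
        "max_ttl": max_ttl,
        "period": period,
        "policies": list(policies) if policies else None,
    }
    return kwargs, warnings


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    checked, notes = validate_kubernetes_role_args(
        "ci", ["builder"], ["*"], ttl="600", max_ttl="3600", policies=["ci-read"])
    print(checked)
    print(notes)
```

The returned `kwargs` can be passed as `client.create_kubernetes_role(**kwargs)` once the warnings have been reviewed.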
-
create_role
(role_name, mount_point=u'approle', **kwargs)[source]¶ POST /auth/<mount_point>/role/<role name>
Parameters: - role_name –
- mount_point –
- kwargs –
Returns: Return type:
-
create_role_custom_secret_id
(role_name, secret_id, meta=None, mount_point=u'approle')[source]¶ POST /auth/<mount_point>/role/<role name>/custom-secret-id
Parameters: - role_name –
- secret_id –
- meta –
- mount_point –
Returns: Return type:
-
create_role_secret_id
(role_name, meta=None, cidr_list=None, wrap_ttl=None, mount_point=u'approle')[source]¶ POST /auth/<mount_point>/role/<role name>/secret-id
Parameters: - role_name –
- meta –
- cidr_list –
- wrap_ttl –
- mount_point –
Returns: Return type:
-
create_token
(role=None, token_id=None, policies=None, meta=None, no_parent=False, lease=None, display_name=None, num_uses=None, no_default_policy=False, ttl=None, orphan=False, wrap_ttl=None, renewable=None, explicit_max_ttl=None, period=None)[source]¶ POST /auth/token/create
POST /auth/token/create/<role>
POST /auth/token/create-orphan
Parameters: - role –
- token_id –
- policies –
- meta –
- no_parent –
- lease –
- display_name –
- num_uses –
- no_default_policy –
- ttl –
- orphan –
- wrap_ttl –
- renewable –
- explicit_max_ttl –
- period –
Returns: Return type:
-
create_token_role
(role, allowed_policies=None, disallowed_policies=None, orphan=None, period=None, renewable=None, path_suffix=None, explicit_max_ttl=None)[source]¶ POST /auth/token/roles/<role>
Parameters: - role –
- allowed_policies –
- disallowed_policies –
- orphan –
- period –
- renewable –
- path_suffix –
- explicit_max_ttl –
Returns: Return type:
-
create_user_id
(user_id, app_id, cidr_block=None, mount_point=u'app-id', **kwargs)[source]¶ POST /auth/<mount point>/map/user-id/<user_id>
Parameters: - user_id –
- app_id –
- cidr_block –
- mount_point –
- kwargs –
Returns: Return type:
-
create_userpass
(username, password, policies, mount_point=u'userpass', **kwargs)[source]¶ POST /auth/<mount point>/users/<username>
Parameters: - username –
- password –
- policies –
- mount_point –
- kwargs –
Returns: Return type:
-
create_vault_ec2_certificate_configuration
(cert_name, aws_public_cert, mount_point=u'aws-ec2')[source]¶ POST /auth/<mount_point>/config/certificate/<cert_name>
Parameters: - cert_name –
- aws_public_cert –
- mount_point –
Returns: Return type:
-
create_vault_ec2_client_configuration
(access_key, secret_key, endpoint=None, mount_point=u'aws-ec2')[source]¶ POST /auth/<mount_point>/config/client
Parameters: - access_key –
- secret_key –
- endpoint –
- mount_point –
Returns: Return type:
-
delete_app_id
(app_id, mount_point=u'app-id')[source]¶ DELETE /auth/<mount_point>/map/app-id/<app_id>
Parameters: - app_id –
- mount_point –
Returns: Return type:
-
delete_ec2_role
(role, mount_point=u'aws-ec2')[source]¶ DELETE /auth/<mount_point>/role/<role>
Parameters: - role –
- mount_point –
Returns: Return type:
-
delete_kubernetes_role
(role, mount_point=u'kubernetes')[source]¶ DELETE /auth/<mount_point>/role/:role
Parameters: - role (str.) – Name of the role.
- mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.
Returns: Will be an empty body with a 204 status code upon success.
Return type: requests.Response.
-
delete_role
(role_name, mount_point=u'approle')[source]¶ DELETE /auth/<mount_point>/role/<role name>
Parameters: - role_name –
- mount_point –
Returns: Return type:
-
delete_role_secret_id
(role_name, secret_id, mount_point=u'approle')[source]¶ POST /auth/<mount_point>/role/<role name>/secret-id/destroy
Parameters: - role_name –
- secret_id –
- mount_point –
Returns: Return type:
-
delete_role_secret_id_accessor
(role_name, secret_id_accessor, mount_point=u'approle')[source]¶ DELETE /auth/<mount_point>/role/<role name>/secret-id/<secret_id_accessor>
Parameters: - role_name –
- secret_id_accessor –
- mount_point –
Returns: Return type:
-
delete_token_role
(role)[source]¶ Deletes the named token role.
Parameters: role – Returns: Return type:
-
delete_user_id
(user_id, mount_point=u'app-id')[source]¶ DELETE /auth/<mount_point>/map/user-id/<user_id>
Parameters: - user_id –
- mount_point –
Returns: Return type:
-
delete_userpass
(username, mount_point=u'userpass')[source]¶ DELETE /auth/<mount point>/users/<username>
Parameters: - username –
- mount_point –
Returns: Return type:
-
delete_vault_ec2_client_configuration
(mount_point=u'aws-ec2')[source]¶ DELETE /auth/<mount_point>/config/client
Parameters: mount_point – Returns: Return type:
-
disable_audit_backend
(name)[source]¶ DELETE /sys/audit/<name>
Parameters: name – Returns: Return type:
-
disable_auth_backend
(mount_point)[source]¶ DELETE /sys/auth/<mount point>
Parameters: mount_point – Returns: Return type:
-
disable_secret_backend
(mount_point)[source]¶ DELETE /sys/mounts/<mount point>
Parameters: mount_point – Returns: Return type:
-
enable_audit_backend
(backend_type, description=None, options=None, name=None)[source]¶ POST /sys/audit/<name>
Parameters: - backend_type –
- description –
- options –
- name –
Returns: Return type:
-
enable_auth_backend
(backend_type, description=None, mount_point=None)[source]¶ POST /sys/auth/<mount point>
Parameters: - backend_type –
- description –
- mount_point –
Returns: Return type:
-
enable_secret_backend
(backend_type, description=None, mount_point=None, config=None, options=None)[source]¶ POST /sys/auth/<mount point>
Parameters: - backend_type –
- description –
- mount_point –
- config –
- options –
Returns: Return type:
-
generate_root
(key, nonce)[source]¶ PUT /sys/generate-root/update
Parameters: - key –
- nonce –
Returns: Return type:
-
generate_root_status
¶ GET /sys/generate-root/attempt
Returns: Return type:
-
get_app_id
(app_id, mount_point=u'app-id', wrap_ttl=None)[source]¶ GET /auth/<mount_point>/map/app-id/<app_id>
Parameters: - app_id –
- mount_point –
- wrap_ttl –
Returns: Return type:
-
get_auth_backend_tuning
(backend_type, mount_point=None)[source]¶ GET /sys/auth/<mount point>/tune
Parameters: - backend_type (str.) – Name of the auth backend to modify (e.g., token, approle, etc.)
- mount_point (str.) – The path the associated auth backend is mounted under.
Returns: The JSON response from Vault
Return type: dict.
-
get_ec2_role
(role, mount_point=u'aws-ec2')[source]¶ GET /auth/<mount_point>/role/<role>
Parameters: - role –
- mount_point –
Returns: Return type:
-
get_kubernetes_configuration
(mount_point=u'kubernetes')[source]¶ GET /auth/<mount_point>/config
Parameters: mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.
Returns: Parsed JSON response from the config GET request
Return type: dict.
-
get_kubernetes_role
(name, mount_point=u'kubernetes')[source]¶ GET /auth/<mount_point>/role/:name
Parameters: - name (str.) – Name of the role.
- mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.
Returns: Parsed JSON response from the read role GET request
Return type: dict.
-
get_policy
(name, parse=False)[source]¶ GET /sys/policy/<name>
Parameters: - name –
- parse –
Returns: Return type:
-
get_role
(role_name, mount_point=u'approle')[source]¶ GET /auth/<mount_point>/role/<role name>
Parameters: - role_name –
- mount_point –
Returns: Return type:
-
get_role_id
(role_name, mount_point=u'approle')[source]¶ GET /auth/<mount_point>/role/<role name>/role-id
Parameters: - role_name –
- mount_point –
Returns: Return type:
-
get_role_secret_id
(role_name, secret_id, mount_point=u'approle')[source]¶ POST /auth/<mount_point>/role/<role name>/secret-id/lookup
Parameters: - role_name –
- secret_id –
- mount_point –
Returns: Return type:
-
get_role_secret_id_accessor
(role_name, secret_id_accessor, mount_point=u'approle')[source]¶ POST /auth/<mount_point>/role/<role name>/secret-id-accessor/lookup
Parameters: - role_name –
- secret_id_accessor –
- mount_point –
Returns: Return type:
-
get_secret_backend_tuning
(backend_type, mount_point=None)[source]¶ GET /sys/mounts/<mount point>/tune
Parameters: - backend_type –
- mount_point –
Returns: Return type:
-
get_user_id
(user_id, mount_point=u'app-id', wrap_ttl=None)[source]¶ GET /auth/<mount_point>/map/user-id/<user_id>
Parameters: - user_id –
- mount_point –
- wrap_ttl –
Returns: Return type:
-
get_vault_ec2_certificate_configuration
(cert_name, mount_point=u'aws-ec2')[source]¶ GET /auth/<mount_point>/config/certificate/<cert_name>
Parameters: - cert_name –
- mount_point –
Returns: Return type:
-
get_vault_ec2_client_configuration
(mount_point=u'aws-ec2')[source]¶ GET /auth/<mount_point>/config/client
Parameters: mount_point – Returns: Return type:
-
github
¶ Accessor for the Client instance’s Github methods. Provided via the hvac.api.auth.Github class.
Returns: This Client instance’s associated Github instance.
Return type: hvac.api.auth.Github
-
ha_status
¶ GET /sys/leader
Returns: Return type:
-
initialize
(secret_shares=5, secret_threshold=3, pgp_keys=None)[source]¶ PUT /sys/init
Parameters: - secret_shares –
- secret_threshold –
- pgp_keys –
Returns: Return type:
-
is_authenticated
()[source]¶ Helper method which returns the authentication status of the client
Returns: Return type:
-
key_status
¶ GET /sys/key-status
Returns: Return type:
-
ldap
¶ Accessor for the Client instance’s LDAP methods. Provided via the hvac.api.auth.Ldap class.
Returns: This Client instance’s associated Ldap instance.
Return type: hvac.api.auth.Ldap
-
list_ec2_roles
(mount_point=u'aws-ec2')[source]¶ GET /auth/<mount_point>/roles?list=true
Parameters: mount_point – Returns: Return type:
-
list_kubernetes_roles
(mount_point=u'kubernetes')[source]¶ GET /auth/<mount_point>/role?list=true
Parameters: mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.
Returns: Parsed JSON response from the list roles GET request.
Return type: dict.
-
list_role_secrets
(role_name, mount_point=u'approle')[source]¶ GET /auth/<mount_point>/role/<role name>/secret-id?list=true
Parameters: - role_name –
- mount_point –
Returns: Return type:
-
list_roles
(mount_point=u'approle')[source]¶ GET /auth/<mount_point>/role
Parameters: mount_point – Returns: Return type:
-
list_userpass
(mount_point=u'userpass')[source]¶ GET /auth/<mount point>/users?list=true
Parameters: mount_point – Returns: Return type:
-
list_vault_ec2_certificate_configurations
(mount_point=u'aws-ec2')[source]¶ GET /auth/<mount_point>/config/certificates?list=true
Parameters: mount_point – Returns: Return type:
-
logout
(revoke_token=False)[source]¶ Clears the token used for authentication, optionally revoking it before doing so.
Parameters: revoke_token – Returns: Return type:
-
lookup_token
(token=None, accessor=False, wrap_ttl=None)[source]¶ GET /auth/token/lookup/<token>
GET /auth/token/lookup-accessor/<token-accessor>
GET /auth/token/lookup-self
Parameters: - token (str.) –
- accessor (str.) –
- wrap_ttl (int.) –
Returns: Return type:
-
mfa
¶ Accessor for the Client instance’s MFA methods. Provided via the hvac.api.auth.mfa class.
Returns: This Client instance’s associated MFA instance.
Return type: hvac.api.auth.mfa
-
read_lease
(lease_id)[source]¶ PUT /sys/leases/lookup
Parameters: lease_id (str.) – Specifies the ID of the lease to lookup.
Returns: Parsed JSON response from the leases PUT request
Return type: dict.
-
read_userpass
(username, mount_point=u'userpass')[source]¶ GET /auth/<mount point>/users/<username>
Parameters: - username –
- mount_point –
Returns: Return type:
-
rekey
(key, nonce=None)[source]¶ PUT /sys/rekey/update
Parameters: - key –
- nonce –
Returns: Return type:
-
rekey_status
¶ GET /sys/rekey/init
Returns: Return type:
-
remount_secret_backend
(from_mount_point, to_mount_point)[source]¶ POST /sys/remount
Parameters: - from_mount_point –
- to_mount_point –
Returns: Return type:
-
renew_secret
(lease_id, increment=None)[source]¶ PUT /sys/leases/renew
Parameters: - lease_id –
- increment –
Returns: Return type:
-
renew_token
(token=None, increment=None, wrap_ttl=None)[source]¶ POST /auth/token/renew/<token>
POST /auth/token/renew-self
Parameters: - token –
- increment –
- wrap_ttl –
Returns: Return type:
-
revoke_secret
(lease_id)[source]¶ PUT /sys/revoke/<lease id>
Parameters: lease_id – Returns: Return type:
-
revoke_secret_prefix
(path_prefix)[source]¶ PUT /sys/revoke-prefix/<path prefix>
Parameters: path_prefix – Returns: Return type:
-
revoke_token
(token, orphan=False, accessor=False)[source]¶ POST /auth/token/revoke
POST /auth/token/revoke-orphan
POST /auth/token/revoke-accessor
Parameters: - token –
- orphan –
- accessor –
Returns: Return type:
-
revoke_token_prefix
(prefix)[source]¶ POST /auth/token/revoke-prefix/<prefix>
Parameters: prefix – Returns: Return type:
-
seal_status
¶ GET /sys/seal-status
Returns: Return type:
-
session
¶
-
set_policy
(name, rules)[source]¶ PUT /sys/policy/<name>
Parameters: - name –
- rules –
Returns: Return type:
-
set_role_id
(role_name, role_id, mount_point=u'approle')[source]¶ POST /auth/<mount_point>/role/<role name>/role-id
Parameters: - role_name –
- role_id –
- mount_point –
Returns: Return type:
-
start_generate_root
(key, otp=False)[source]¶ PUT /sys/generate-root/attempt
Parameters: - key –
- otp –
Returns: Return type:
-
start_rekey
(secret_shares=5, secret_threshold=3, pgp_keys=None, backup=False)[source]¶ PUT /sys/rekey/init
Parameters: - secret_shares –
- secret_threshold –
- pgp_keys –
- backup –
Returns: Return type:
-
token
¶
-
transit_create_key
(name, convergent_encryption=None, derived=None, exportable=None, key_type=None, mount_point=u'transit')[source]¶ POST /<mount_point>/keys/<name>
Parameters: - name –
- convergent_encryption –
- derived –
- exportable –
- key_type –
- mount_point –
Returns: Return type:
-
transit_decrypt_data
(name, ciphertext, context=None, nonce=None, batch_input=None, mount_point=u'transit')[source]¶ POST /<mount_point>/decrypt/<name>
Parameters: - name –
- ciphertext –
- context –
- nonce –
- batch_input –
- mount_point –
Returns: Return type:
-
transit_delete_key
(name, mount_point=u'transit')[source]¶ DELETE /<mount_point>/keys/<name>
Parameters: - name –
- mount_point –
Returns: Return type:
-
transit_encrypt_data
(name, plaintext, context=None, key_version=None, nonce=None, batch_input=None, key_type=None, convergent_encryption=None, mount_point=u'transit')[source]¶ POST /<mount_point>/encrypt/<name>
Parameters: - name –
- plaintext –
- context –
- key_version –
- nonce –
- batch_input –
- key_type –
- convergent_encryption –
- mount_point –
Returns: Return type:
-
transit_export_key
(name, key_type, version=None, mount_point=u'transit')[source]¶ GET /<mount_point>/export/<key_type>/<name>(/<version>)
Parameters: - name –
- key_type –
- version –
- mount_point –
Returns: Return type:
-
transit_generate_data_key
(name, key_type, context=None, nonce=None, bits=None, mount_point=u'transit')[source]¶ POST /<mount_point>/datakey/<type>/<name>
Parameters: - name –
- key_type –
- context –
- nonce –
- bits –
- mount_point –
Returns: Return type:
-
transit_generate_hmac
(name, hmac_input, key_version=None, algorithm=None, mount_point=u'transit')[source]¶ POST /<mount_point>/hmac/<name>(/<algorithm>)
Parameters: - name –
- hmac_input –
- key_version –
- algorithm –
- mount_point –
Returns: Return type:
-
transit_generate_rand_bytes
(data_bytes=None, output_format=None, mount_point=u'transit')[source]¶ POST /<mount_point>/random(/<data_bytes>)
Parameters: - data_bytes –
- output_format –
- mount_point –
Returns: Return type:
-
transit_hash_data
(hash_input, algorithm=None, output_format=None, mount_point=u'transit')[source]¶ POST /<mount_point>/hash(/<algorithm>)
Parameters: - hash_input –
- algorithm –
- output_format –
- mount_point –
Returns: Return type:
-
transit_list_keys
(mount_point=u'transit')[source]¶ GET /<mount_point>/keys?list=true
Parameters: mount_point – Returns: Return type:
-
transit_read_key
(name, mount_point=u'transit')[source]¶ GET /<mount_point>/keys/<name>
Parameters: - name –
- mount_point –
Returns: Return type:
-
transit_rewrap_data
(name, ciphertext, context=None, key_version=None, nonce=None, batch_input=None, mount_point=u'transit')[source]¶ POST /<mount_point>/rewrap/<name>
Parameters: - name –
- ciphertext –
- context –
- key_version –
- nonce –
- batch_input –
- mount_point –
Returns: Return type:
-
transit_rotate_key
(name, mount_point=u'transit')[source]¶ POST /<mount_point>/keys/<name>/rotate
Parameters: - name –
- mount_point –
Returns: Return type:
-
transit_sign_data
(name, input_data, key_version=None, algorithm=None, context=None, prehashed=None, mount_point=u'transit', signature_algorithm=u'pss')[source]¶ POST /<mount_point>/sign/<name>(/<algorithm>)
Parameters: - name –
- input_data –
- key_version –
- algorithm –
- context –
- prehashed –
- mount_point –
- signature_algorithm –
Returns: Return type:
-
transit_update_key
(name, min_decryption_version=None, min_encryption_version=None, deletion_allowed=None, mount_point=u'transit')[source]¶ POST /<mount_point>/keys/<name>/config
Parameters: - name –
- min_decryption_version –
- min_encryption_version –
- deletion_allowed –
- mount_point –
Returns: Return type:
-
transit_verify_signed_data
(name, input_data, algorithm=None, signature=None, hmac=None, context=None, prehashed=None, mount_point=u'transit', signature_algorithm=u'pss')[source]¶ POST /<mount_point>/verify/<name>(/<algorithm>)
Parameters: - name –
- input_data –
- algorithm –
- signature –
- hmac –
- context –
- prehashed –
- mount_point –
- signature_algorithm –
Returns: Return type:
-
tune_auth_backend
(backend_type, mount_point=None, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None)[source]¶ POST /sys/auth/<mount point>/tune
Parameters: - backend_type (str.) – Name of the auth backend to modify (e.g., token, approle, etc.)
- mount_point (str.) – The path the associated auth backend is mounted under.
- description (str.) – Specifies the description of the mount. This overrides the current stored value, if any.
- default_lease_ttl (int.) –
- max_lease_ttl (int.) –
- audit_non_hmac_request_keys (list.) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.
- audit_non_hmac_response_keys (list.) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.
- listing_visibility (str.) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “”.
- passthrough_request_headers (list.) – Comma-separated list of headers to whitelist and pass from the request to the backend.
Returns: The JSON response from Vault
Return type: dict.
-
tune_secret_backend
(backend_type, mount_point=None, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None)[source]¶ POST /sys/mounts/<mount point>/tune
Parameters: - backend_type (str) – Type of the secret backend to modify
- mount_point (str) – The path the associated secret backend is mounted under.
- description (str) – Specifies the description of the mount. This overrides the current stored value, if any.
- default_lease_ttl (int) – Default time-to-live. This overrides the global default. A value of 0 is equivalent to the system default TTL
- max_lease_ttl (int) – Maximum time-to-live. This overrides the global default. A value of 0 is equivalent to the system max TTL.
- audit_non_hmac_request_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.
- audit_non_hmac_response_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.
- listing_visibility (str) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “”.
- passthrough_request_headers (str) – Comma-separated list of headers to whitelist and pass from the request to the backend.
Returns: The JSON response from Vault
Return type: dict.
-
update_userpass_password
(username, password, mount_point=u'userpass')[source]¶ POST /auth/<mount point>/users/<username>/password
Parameters: - username –
- password –
- mount_point –
Returns: Return type:
-
update_userpass_policies
(username, policies, mount_point=u'userpass')[source]¶ POST /auth/<mount point>/users/<username>/policies
Parameters: - username –
- policies –
- mount_point –
Returns: Return type:
-
url
¶
-
static
urljoin
(*args, **kwargs)[source]¶ Call to deprecated function ‘urljoin’. This method will be removed in version ‘0.8.0’. Please use the ‘urljoin’ method on the ‘hvac.adapters’ class moving forward.
Docstring content from this method’s replacement copied below: Joins given arguments into a url. Trailing and leading slashes are stripped for each argument.
Parameters: args (str | unicode) – Multiple parts of a URL to be combined into one string.
Returns: Full URL combining all provided arguments
Return type: str | unicode
-