Policy
Manipulate policies
import hvac

client = hvac.Client(url='https://127.0.0.1:8200')

policies = client.sys.list_policies()['data']['policies'] # => ['root']

# HCL policy body. "deny" on sys takes precedence over any other capability
# granted on that path; secret/* is read-only except for secret/foo.
policy = """
path "sys" {
  capabilities = ["deny"]
}
path "secret/*" {
  capabilities = ["read", "list"]
}
path "secret/foo" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
"""

# Creates the policy, or overwrites it if a policy with this name already exists.
client.sys.create_or_update_policy(
    name='secret-writer',
    policy=policy,
)

client.sys.delete_policy('oldthing')

# The get_policy method offers some additional features and is available in the Client class.
policy = client.get_policy('mypolicy')

# Requires pyhcl to automatically parse HCL into a Python dictionary
policy = client.get_policy('mypolicy', parse=True)
Using Python Variable(s) In Policy Rules
import hvac

client = hvac.Client(url='https://127.0.0.1:8200')

key = 'some-key-string'

# The key name is interpolated into the path of the rule. Keep it to a vetted
# identifier: whatever the string contains becomes part of the HCL document.
policy_body = """
path "transit/encrypt/%s" {
  capabilities = ["update"]
}
""" % key

client.sys.create_or_update_policy(
    name='my-policy-name',
    policy=policy_body,
)
List Policies
Policy.list_policies()
List all configured policies.
- Supported methods:
GET: /sys/policy. Produces: 200 application/json
- Returns
The JSON response of the request.
- Return type
dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
list_policies_resp = client.sys.list_policies()['data']['policies']
print('List of currently configured policies: %s' % ', '.join(list_policies_resp))
Example output:
List of currently configured policies: default, my-policy-name, secret-writer, root
Read Policy
Policy.read_policy(name)
Retrieve the policy body for the named policy.
- Supported methods:
GET: /sys/policy/{name}. Produces: 200 application/json
- Parameters
name (str | unicode) - The name of the policy to retrieve.
- Returns
The response of the request
- Return type
dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
hvac_policy_rules = client.sys.read_policy(name='secret-writer')['data']['rules']
print('secret-writer policy rules:\n%s' % hvac_policy_rules)
Example output:
secret-writer policy rules:
path "sys" {
capabilities = ["deny"]
}
path "secret/*" {
capabilities = ["read", "list"]
}
path "secret/foo" {
capabilities = ["create", "read", "update", "delete", "list"]
}
...
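The policy body that read_policy returns is plain HCL text, so acting on it (for instance flagging write capabilities on wildcard paths before a policy goes live) means pulling the path stanzas out first. The following is an added example and is not hvac's own code: a minimal scanner for the simple path "..." { capabilities = [...] } form shown above, not a full HCL parser (for comments, nested blocks or heredocs use client.get_policy(name, parse=True) with pyhcl). It takes the secret-writer rules from this page and a constructed broader policy as inputs; the "write on wildcard" heuristic and the capability list are the example's own choices.

```python
import re

# Minimal scanner for the simple form of policy shown above:
#   path "<glob>" { capabilities = ["cap", ...] }
# Added example, not hvac's parser. It does not handle comments, nested blocks
# or heredocs; for full HCL use client.get_policy(name, parse=True) with pyhcl.
PATH_BLOCK = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)

# Capabilities Vault accepts in a policy stanza ("patch" since Vault 1.10).
KNOWN_CAPABILITIES = {"create", "read", "update", "delete", "list", "sudo", "deny", "patch"}
# Capabilities that change data; used by the wildcard heuristic below.
WRITE_CAPABILITIES = {"create", "update", "delete", "patch"}


def parse_rules(rules):
    """Return {path: [capabilities, ...]} for every path stanza in a policy body."""
    parsed = {}
    for match in PATH_BLOCK.finditer(rules):
        path = match.group("path")
        caps = [c.strip().strip('"') for c in match.group("caps").split(",") if c.strip()]
        unknown = set(caps) - KNOWN_CAPABILITIES
        if unknown:
            raise ValueError("unknown capabilities %s on path %r" % (sorted(unknown), path))
        parsed[path] = caps
    return parsed


def find_broad_grants(parsed):
    """Flag stanzas a reviewer should look at: sudo anywhere, or write capabilities
    on a wildcard path. Returns a list of (path, reason) tuples."""
    findings = []
    for path, caps in parsed.items():
        capset = set(caps)
        if "deny" in capset:  # deny takes precedence over every other capability on the path
            continue
        if "sudo" in capset:
            findings.append((path, "sudo"))
        if ("*" in path or "+" in path) and capset & WRITE_CAPABILITIES:
            findings.append((path, "write on wildcard"))
    return findings


def audit_vault_policy(client, name):
    """Read a policy through an hvac client (passed in, not imported here) and return its findings."""
    rules = client.sys.read_policy(name=name)["data"]["rules"]
    return find_broad_grants(parse_rules(rules))


# The secret-writer rules from the Read Policy example above.
SECRET_WRITER_RULES = '''
path "sys" {
  capabilities = ["deny"]
}
path "secret/*" {
  capabilities = ["read", "list"]
}
path "secret/foo" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''

# Constructed for this example: a policy that should not pass review.
BROAD_RULES = '''
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/*" {
  capabilities = ["sudo"]
}
'''

if __name__ == "__main__":
    print(find_broad_grants(parse_rules(SECRET_WRITER_RULES)))  # []
    print(find_broad_grants(parse_rules(BROAD_RULES)))
```

Against a live server, audit_vault_policy(client, 'secret-writer') feeds the 'rules' field from read_policy straight into the scanner; the secret-writer policy produces no findings, while the constructed policy is flagged on both of its stanzas.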
Create Or Update Policy
Policy.create_or_update_policy(name, policy, pretty_print=True)
Add a new or update an existing policy.
Once a policy is updated, it takes effect immediately for all tokens and entities associated with it.
- Supported methods:
PUT: /sys/policy/{name}. Produces: 204 (empty body)
- Parameters
name (str | unicode) - Specifies the name of the policy to create.
policy (str | unicode | dict) - Specifies the policy document: HCL or JSON text, or a dict that is serialized to JSON before being sent.
pretty_print (bool) - If True, and provided a dict for the policy argument, send the policy JSON to Vault with "pretty" formatting.
- Returns
The response of the request.
- Return type
requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
policy = '''
path "sys" {
capabilities = ["deny"]
}
path "secret" {
capabilities = ["create", "read", "update", "delete", "list"]
}
'''
client.sys.create_or_update_policy(
name='secret-writer',
policy=policy,
)
Delete Policy
Policy.delete_policy(name)
Delete the policy with the given name.
This will immediately affect all tokens and entities associated with this policy.
- Supported methods:
DELETE: /sys/policy/{name}. Produces: 204 (empty body)
- Parameters
name (str | unicode) - Specifies the name of the policy to delete.
- Returns
The response of the request.
- Return type
requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.delete_policy(
name='secret-writer',
)