GCP

Configure

Gcp.configure(credentials=None, ttl=None, max_ttl=None, mount_point='gcp')[source]

Configure shared information for the Gcp secrets engine.

Supported methods:

POST: /{mount_point}/config. Produces: 204 (empty body)

Parameters:
  • credentials (str | unicode) – JSON credentials (either the file contents or '@path/to/file'). See the docs for alternative ways to pass this parameter, as well as the required permissions.

  • ttl (int | str) – Specifies the default config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.

  • max_ttl (int | str) – Specifies the maximum config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')


# JSON contents of the service account key file Vault will use for this mount
with open('example.jwt.json') as credentials_file:
    credentials = credentials_file.read()
configure_response = client.secrets.gcp.configure(
    credentials=credentials,
    max_ttl=3600,
)
print(configure_response)

Example output:

<Response [204]>
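The ttl and max_ttl parameters accept either integer seconds or a Go duration string, and Vault only reports a bad combination after the request is made. The helper below is an added example, not part of hvac or Vault: it normalises both forms to seconds the way Go's time.ParseDuration would, refuses a ttl larger than max_ttl before anything is sent, and wraps the configure() call shown above. The treatment of max_ttl = 0 as "no engine-level cap" is an assumption noted in the code.

```python
import re

# Units Go's time.ParseDuration understands (the "Go duration format string" the
# ttl/max_ttl parameters accept). "us" is kept; the "µs" spelling is omitted here.
_GO_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_GO_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def to_seconds(value):
    """Normalise a TTL given as int seconds or a Go duration string to float seconds."""
    if isinstance(value, bool):
        raise TypeError("bool is not a valid TTL")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("TTL must not be negative")
        return float(value)
    if not isinstance(value, str):
        raise TypeError("TTL must be int or str, got %s" % type(value).__name__)
    text = value.strip()
    if text.isdigit():            # "3600" is accepted as bare seconds
        return float(text)
    # Go requires the whole string to be a contiguous run of <number><unit>
    # tokens such as "1h30m"; anything left over (e.g. "1d") is rejected.
    pos, total = 0, 0.0
    for match in _GO_TOKEN.finditer(text):
        if match.start() != pos:
            break
        total += float(match.group(1)) * _GO_UNITS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError("not a Go duration string: %r" % value)
    return total


def check_ttls(ttl=None, max_ttl=None):
    """Return (ttl_seconds, max_ttl_seconds), raising if ttl would exceed max_ttl.

    Assumption: a max_ttl of 0 means "no engine-level cap" (Vault then falls back
    to the system max lease TTL), so only a positive max_ttl is compared to ttl.
    """
    ttl_s = to_seconds(ttl) if ttl is not None else None
    max_s = to_seconds(max_ttl) if max_ttl is not None else None
    if ttl_s is not None and max_s is not None and max_s > 0 and ttl_s > max_s:
        raise ValueError("ttl %ss exceeds max_ttl %ss" % (ttl_s, max_s))
    return ttl_s, max_s


def configure_gcp(client, credentials, ttl=None, max_ttl=None, mount_point="gcp"):
    """Validate the TTLs locally, then call the configure() method documented above."""
    check_ttls(ttl, max_ttl)
    return client.secrets.gcp.configure(
        credentials=credentials, ttl=ttl, max_ttl=max_ttl, mount_point=mount_point
    )
```

configure_gcp() needs a live Vault and the client from the example above; to_seconds() and check_ttls() run on their own, so the same validation can be reused for any other duration-valued parameter on this page.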

Rotate Root Credentials

Gcp.rotate_root_credentials(mount_point='gcp')[source]

Rotate the GCP service account credentials used by Vault for this mount.

A new key will be generated for the service account, replacing the internal value, and then a deletion of the old service account key is scheduled. Note that this does not create a new service account, only a new version of the service account key.

Supported methods:

POST: /{mount_point}/config/rotate-root. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_root_credentials()

Read Config

Gcp.read_config(mount_point='gcp')[source]

Read the configured shared information for the Gcp secrets engine.

Credentials will be omitted from returned data.

Supported methods:

GET: /{mount_point}/config. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_config_response = client.secrets.gcp.read_config()
print('Max TTL for GCP secrets engine set to: {max_ttl}'.format(max_ttl=read_config_response['data']['max_ttl']))

Example output:

Max TTL for GCP secrets engine set to: 3600

Create Or Update Roleset

Gcp.create_or_update_roleset(name, project, bindings, secret_type=None, token_scopes=None, mount_point='gcp')[source]

Create a roleset or update an existing roleset.

See roleset docs for the GCP secrets backend to learn more about what happens when you create or update a roleset.

Supported methods:

POST: /{mount_point}/roleset/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the role. Cannot be updated.

  • project (str | unicode) – Name of the GCP project that this roleset’s service account will belong to. Cannot be updated.

  • bindings (str | unicode) – Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)

  • secret_type (str | unicode) – Type of secret generated for this roleset. Accepted values: access_token, service_account_key. Cannot be updated.

  • token_scopes (list[str]) – List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only)

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')


bindings = """
    resource "//cloudresourcemanager.googleapis.com/project/some-gcp-project-id" {
      roles = [
        "roles/viewer"
      ],
    }
"""
token_scopes = [
    'https://www.googleapis.com/auth/cloud-platform',
    'https://www.googleapis.com/auth/bigquery',
]

roleset_response = client.secrets.gcp.create_or_update_roleset(
    name='hvac-doctest',
    project='some-gcp-project-id',
    bindings=bindings,
    token_scopes=token_scopes,
)
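The bindings parameter is a raw or base64-encoded HCL/JSON string, and hand-written HCL like the block above is easy to get wrong or to over-privilege. The code below is an added example, not hvac's or Vault's own code: it renders a {resource: [roles]} dict into the HCL form the page shows, offers the base64 form as well, and lints the roles before the roleset is created so that a basic role (roles/owner, roles/editor) on the project does not slip through. The set of roles treated as overly broad and the role-name prefixes it checks are this example's own choices.

```python
import base64

# Google's basic roles grant project-wide read/write/admin; a roleset bound to
# them defeats the point of minting scoped credentials. Flagged by lint_bindings().
OVERLY_BROAD_ROLES = {"roles/owner", "roles/editor"}


def render_bindings(bindings):
    """Render {resource_name: [role, ...]} as the HCL bindings string used on this page."""
    if not bindings:
        raise ValueError("a roleset needs at least one binding")
    blocks = []
    for resource, roles in bindings.items():
        if not roles:
            raise ValueError("no roles listed for %s" % resource)
        if '"' in resource or any('"' in role for role in roles):
            raise ValueError("quotes are not allowed in resource or role names")
        role_lines = ",\n".join('    "%s"' % role for role in roles)
        blocks.append('resource "%s" {\n  roles = [\n%s\n  ]\n}' % (resource, role_lines))
    return "\n\n".join(blocks) + "\n"


def encode_bindings(hcl):
    """Base64-encode the HCL; the bindings parameter accepts either form."""
    return base64.b64encode(hcl.encode("utf-8")).decode("ascii")


def decode_bindings(encoded):
    """Inverse of encode_bindings(), useful when reading a roleset back."""
    return base64.b64decode(encoded).decode("utf-8")


def lint_bindings(bindings):
    """Return findings for roles that are broader, or stranger, than a roleset should need."""
    findings = []
    for resource, roles in bindings.items():
        for role in roles:
            if role in OVERLY_BROAD_ROLES:
                findings.append("%s on %s is a basic role; prefer a predefined or custom role"
                                % (role, resource))
            # predefined roles are roles/..., custom roles projects/.../roles/... or
            # organizations/.../roles/...
            elif not role.startswith(("roles/", "projects/", "organizations/")):
                findings.append("%s on %s does not look like an IAM role name" % (role, resource))
    return findings


def create_roleset(client, name, project, bindings, secret_type=None,
                   token_scopes=None, mount_point="gcp"):
    """Lint, render and submit the bindings via create_or_update_roleset()."""
    problems = lint_bindings(bindings)
    if problems:
        raise ValueError("refusing to create roleset %s: %s" % (name, "; ".join(problems)))
    return client.secrets.gcp.create_or_update_roleset(
        name=name, project=project, bindings=render_bindings(bindings),
        secret_type=secret_type, token_scopes=token_scopes, mount_point=mount_point)
```

Static accounts take the same bindings string, so render_bindings() and lint_bindings() apply unchanged when calling create_or_update_static_account(); only create_roleset() needs a live Vault.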

Rotate Roleset Account

Gcp.rotate_roleset_account(name, mount_point='gcp')[source]

Rotate the service account this roleset uses to generate secrets.

This also replaces the key for an access_token roleset. It can be used to invalidate old secrets generated by the roleset, or to fix issues if a roleset's service account (and/or keys) was changed outside of Vault (e.g. through the GCP APIs or cloud console).

Supported methods:

POST: /{mount_point}/roleset/{name}/rotate. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_roleset_account(name='hvac-doctest')

Rotate Roleset Account Key

Gcp.rotate_roleset_account_key(name, mount_point='gcp')[source]

Rotate the service account key this roleset uses to generate access tokens.

This does not recreate the roleset service account.

Supported methods:

POST: /{mount_point}/roleset/{name}/rotate-key. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_roleset_account_key(name='hvac-doctest')

Read Roleset

Gcp.read_roleset(name, mount_point='gcp')[source]

Read a roleset.

Supported methods:

GET: /{mount_point}/roleset/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_response = client.secrets.gcp.read_roleset(name='hvac-doctest')

List Rolesets

Gcp.list_rolesets(mount_point='gcp')[source]

List configured rolesets.

Supported methods:

LIST: /{mount_point}/rolesets. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_response = client.secrets.gcp.list_rolesets()

Delete Roleset

Gcp.delete_roleset(name, mount_point='gcp')[source]

Delete an existing roleset by the given name.

Supported methods:

DELETE: /{mount_point}/roleset/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

delete_response = client.secrets.gcp.delete_roleset(name='hvac-doctest')

Generate Oauth2 Access Token

Gcp.generate_oauth2_access_token(roleset, mount_point='gcp')[source]

Generate an OAuth2 token with the scopes defined on the roleset.

This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" …

Supported methods:

GET: /{mount_point}/token/{roleset}. Produces: 200 application/json

Parameters:
  • roleset (str | unicode) – Name of a roleset with secret type access_token to generate an access_token under.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

token_response = client.secrets.gcp.generate_oauth2_access_token(roleset='hvac-doctest')

Generate Service Account Key

Gcp.generate_service_account_key(roleset, key_algorithm='KEY_ALG_RSA_2048', key_type='TYPE_GOOGLE_CREDENTIALS_FILE', method='POST', mount_point='gcp')[source]

Generate Secret (IAM Service Account Creds): Service Account Key

If using GET ('read'), the optional parameters are set to their defaults. Use POST if you want to specify different values for these parameters.

Parameters:
  • roleset (str | unicode) – Name of a roleset with secret type service_account_key to generate a key under.

  • key_algorithm (str | unicode) – Key algorithm used to generate the key. Defaults to a 2048-bit RSA key (KEY_ALG_RSA_2048). You probably should not choose other values (e.g. 1024-bit keys).

  • key_type (str | unicode) – Private key type to generate. Defaults to a JSON credentials file (TYPE_GOOGLE_CREDENTIALS_FILE).

  • method (str | unicode) – HTTP method to use for the request. Supported methods: POST: /{mount_point}/key/{roleset}. Produces: 200 application/json; GET: /{mount_point}/key/{roleset}. Produces: 200 application/json

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

key_response = client.secrets.gcp.generate_service_account_key(roleset='hvac-doctest')

Create Or Update Static Account

Gcp.create_or_update_static_account(name, service_account_email, bindings=None, secret_type=None, token_scopes=None, mount_point='gcp')[source]

Create a static account or update an existing static account.

See static account docs for the GCP secrets backend to learn more about what happens when you create or update a static account.

Supported methods:

POST: /{mount_point}/static-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the static account. Cannot be updated.

  • service_account_email (str | unicode) – Email of the GCP service account to manage. Cannot be updated.

  • bindings (str | unicode) – Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)

  • secret_type (str | unicode) – Type of secret generated for this static account. Accepted values: access_token, service_account_key. Cannot be updated.

  • token_scopes (list[str]) – List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only)

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

create_response = client.secrets.gcp.create_or_update_static_account(
  name="hvac-doctest",
  service_account_email="hvac-doctest@some-gcp-project-id.iam.gserviceaccount.com",
  secret_type="access_token",
  token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
)

Rotate Static Account Key

Gcp.rotate_static_account_key(name, mount_point='gcp')[source]

Rotate the service account key this static account uses to generate access tokens.

This does not recreate the service account.

Supported methods:

POST: /{mount_point}/static-account/{name}/rotate-key. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the static account.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_static_account_key(name="hvac-doctest")

Read Static Account

Gcp.read_static_account(name, mount_point='gcp')[source]

Read a static account.

Supported methods:

GET: /{mount_point}/static-account/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the static account.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_response = client.secrets.gcp.read_static_account(name="hvac-doctest")

List Static Accounts

Gcp.list_static_accounts(mount_point='gcp')[source]

List configured static accounts.

Supported methods:

LIST: /{mount_point}/static-accounts. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_response = client.secrets.gcp.list_static_accounts()

Delete Static Account

Gcp.delete_static_account(name, mount_point='gcp')[source]

Delete an existing static account by the given name.

Supported methods:

DELETE: /{mount_point}/static-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the static account.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

delete_response = client.secrets.gcp.delete_static_account(name="hvac-doctest")

Generate Static Account OAuth2 Access Token

Gcp.generate_static_account_oauth2_access_token(name, mount_point='gcp')[source]

Generate an OAuth2 token with the scopes defined on the static account.

This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" …

Supported methods:

GET: /{mount_point}/static-account/{name}/token. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of a static account with secret type access_token to generate access_token under.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

token_response = client.secrets.gcp.generate_static_account_oauth2_access_token(
  name="hvac-doctest",
)

Generate Static Account Service Account Key

Gcp.generate_static_account_service_account_key(name, key_algorithm='KEY_ALG_RSA_2048', key_type='TYPE_GOOGLE_CREDENTIALS_FILE', method='POST', mount_point='gcp')[source]

Generate Secret (IAM Service Account Creds): Service Account Key

If using GET ('read'), the optional parameters are set to their defaults. Use POST if you want to specify different values for these parameters.

Parameters:
  • name (str | unicode) – Name of a static account with secret type service_account_key to generate a key under.

  • key_algorithm (str | unicode) – Key algorithm used to generate the key. Defaults to a 2048-bit RSA key (KEY_ALG_RSA_2048). You probably should not choose other values (e.g. 1024-bit keys).

  • key_type (str | unicode) – Private key type to generate. Defaults to a JSON credentials file (TYPE_GOOGLE_CREDENTIALS_FILE).

  • method (str | unicode) – HTTP method to use for the request. Supported methods: POST: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json; GET: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

key_response = client.secrets.gcp.generate_static_account_service_account_key(
  name="hvac-doctest",
)
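Both generate_service_account_key() (rolesets) and generate_static_account_service_account_key() (static accounts) hand back a long-lived private key, which is the most sensitive artifact this engine produces. The code below is an added example, not hvac's or Vault's own: it assumes the response carries a top-level lease_id and, for the default TYPE_GOOGLE_CREDENTIALS_FILE key type, a base64-encoded JSON credentials file in data.private_key_data (both assumptions, and the whole response is constructed inline so the example runs without a Vault server). It decodes and validates the file, writes it with owner-only permissions, produces a log-safe summary that never includes the private key, and revokes the lease when the key is no longer needed, using hvac's client.sys.revoke_lease().

```python
import base64
import json
import os
import shutil
import stat
import tempfile

REQUIRED_FIELDS = ("type", "client_email", "private_key", "private_key_id")


def constructed_key_response():
    """Constructed stand-in for the dict the key methods return (assumed shape)."""
    creds = {
        "type": "service_account",
        "project_id": "some-gcp-project-id",
        "private_key_id": "constructed-key-id",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
        "client_email": "vaulthvac-doctest-constructed@some-gcp-project-id.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    return {
        "lease_id": "gcp/key/hvac-doctest/constructed-lease-id",
        "lease_duration": 3600,
        "renewable": True,
        "data": {
            "key_algorithm": "KEY_ALG_RSA_2048",
            "key_type": "TYPE_GOOGLE_CREDENTIALS_FILE",
            "private_key_data": base64.b64encode(json.dumps(creds).encode()).decode(),
        },
    }


def decode_credentials_file(key_response):
    """Decode data.private_key_data into the credentials dict, refusing anything unexpected."""
    data = key_response["data"]
    if data.get("key_type") != "TYPE_GOOGLE_CREDENTIALS_FILE":
        raise ValueError("expected a JSON credentials file, got %s" % data.get("key_type"))
    creds = json.loads(base64.b64decode(data["private_key_data"]))
    missing = [field for field in REQUIRED_FIELDS if field not in creds]
    if missing or creds["type"] != "service_account":
        raise ValueError("not a service account credentials file (missing %s)" % missing)
    return creds


def write_credentials_file(creds, directory):
    """Create the key file with mode 0600 before any bytes land in it; never truncate an existing file."""
    path = os.path.join(directory, "gcp-sa-key.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(creds, handle)
    return path


def key_summary(key_response):
    """Fields that are safe to log: the lease and the key's identity, never the private key."""
    creds = decode_credentials_file(key_response)
    return {"lease_id": key_response["lease_id"],
            "client_email": creds["client_email"],
            "private_key_id": creds["private_key_id"]}


def revoke_key(client, key_response):
    """Revoke the lease once the key is no longer needed; Vault then removes the key in GCP."""
    return client.sys.revoke_lease(lease_id=key_response["lease_id"])


def demo():
    """Run the decode/write/summarise path against the constructed response in a temp dir."""
    response = constructed_key_response()
    directory = tempfile.mkdtemp()
    try:
        path = write_credentials_file(decode_credentials_file(response), directory)
        with open(path) as handle:
            reread = json.load(handle)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        shutil.rmtree(directory)     # the key file does not outlive the demo
    summary = key_summary(response)
    summary["reread_email"] = reread["client_email"]
    summary["mode"] = mode
    return summary
```

revoke_key() is the only function here that needs a live Vault; everything else runs against the constructed response, and the same functions apply to the roleset key response since both methods share the key_type and key_algorithm parameters.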

Create Or Update Impersonated Account

Gcp.create_or_update_impersonated_account(name, service_account_email, token_scopes=None, ttl=None, mount_point='gcp')[source]

Create an impersonated account or update an existing impersonated account.

See impersonated account docs for the GCP secrets backend to learn more about what happens when you create or update an impersonated account.

Supported methods:

POST: /{mount_point}/impersonated-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the impersonated account. Cannot be updated.

  • service_account_email (str | unicode) – Email of the GCP service account to manage. Cannot be updated.

  • token_scopes (list[str]) – List of OAuth scopes to assign to access tokens generated under this impersonated account

  • ttl (str | unicode) – Lifetime of the token generated. Defaults to 1 hour and is limited to a maximum of 12 hours. Uses duration format strings.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

create_response = client.secrets.gcp.create_or_update_impersonated_account(
  name="hvac-doctest",
  service_account_email="hvac-doctest@some-gcp-project-id.iam.gserviceaccount.com",
  token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
  ttl='4h'
)

Read Impersonated Account

Gcp.read_impersonated_account(name, mount_point='gcp')[source]

Read an impersonated account.

Supported methods:

GET: /{mount_point}/impersonated-account/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the impersonated account.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_response = client.secrets.gcp.read_impersonated_account(name="hvac-doctest")

List Impersonated Accounts

Gcp.list_impersonated_accounts(mount_point='gcp')[source]

List configured impersonated accounts.

Supported methods:

LIST: /{mount_point}/impersonated-accounts. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_response = client.secrets.gcp.list_impersonated_accounts()

Delete Impersonated Account

Gcp.delete_impersonated_account(name, mount_point='gcp')[source]

Delete an existing impersonated account by the given name.

Supported methods:

DELETE: /{mount_point}/impersonated-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the impersonated account.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

delete_response = client.secrets.gcp.delete_impersonated_account(name="hvac-doctest")

Generate Impersonated Account OAuth2 Access Token

Gcp.generate_impersonated_account_oauth2_access_token(name, mount_point='gcp')[source]

Generate an OAuth2 token with the scopes defined on the impersonated account.

This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" …

Supported methods:

GET: /{mount_point}/impersonated-account/{name}/token. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the impersonated account to generate an access token under.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

token_response = client.secrets.gcp.generate_impersonated_account_oauth2_access_token(
  name="hvac-doctest",
)
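The three token methods on this page (generate_oauth2_access_token for rolesets, generate_static_account_oauth2_access_token for static accounts and generate_impersonated_account_oauth2_access_token above) all return a short-lived bearer token, and a caller that re-mints on every API call both wastes Vault audit-log volume and risks using a token a few seconds before it expires. The code below is an added example, not part of hvac or Vault: a small cache that holds one token and re-mints it a configurable number of seconds before expiry, taking whichever of the three methods as a callable. It assumes the response shape {"data": {"token": ..., "expires_at_seconds": ..., "token_ttl": ...}}, and the FakeGcpTokens class is a constructed stand-in for client.secrets.gcp so the example runs without a Vault server.

```python
import time


class AccessTokenCache:
    """Hands out a Vault-minted OAuth2 access token, re-minting it before it expires.

    `fetch` is any zero-argument callable returning the response dict of one of
    the page's token methods. Assumed response shape:
    {"data": {"token": ..., "expires_at_seconds": ..., "token_ttl": ...}}.
    """

    def __init__(self, fetch, skew=300, clock=time.time):
        self._fetch = fetch
        self._skew = skew          # seconds before expiry at which we re-mint
        self._clock = clock
        self._token = None
        self._expires_at = 0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            data = self._fetch()["data"]
            self._token = data["token"]
            self._expires_at = int(data["expires_at_seconds"])
        return self._token

    def auth_header(self):
        """The header the docstring's curl example sends: Authorization: Bearer $TOKEN."""
        return {"Authorization": "Bearer " + self.token()}


class FakeGcpTokens:
    """Constructed stand-in for client.secrets.gcp so the example runs without Vault."""

    def __init__(self, clock, ttl=3600):
        self._clock = clock
        self._ttl = ttl
        self.calls = 0             # how many tokens Vault would have minted

    def generate_oauth2_access_token(self, roleset, mount_point="gcp"):
        self.calls += 1
        now = int(self._clock())
        return {"data": {"token": "ya29.constructed-%d" % self.calls,
                         "expires_at_seconds": now + self._ttl,
                         "token_ttl": self._ttl}}


def demo():
    """Drive the cache with a fake clock and report whether it reused and re-minted correctly."""
    clock = {"t": 1700000000}
    fake = FakeGcpTokens(lambda: clock["t"], ttl=3600)
    cache = AccessTokenCache(
        lambda: fake.generate_oauth2_access_token(roleset="hvac-doctest"),
        skew=300, clock=lambda: clock["t"])
    first = cache.token()
    clock["t"] += 1000                     # well inside the lifetime: reuse
    reused = cache.token() == first and fake.calls == 1
    clock["t"] += 2400                     # 3400s in, inside the 300s skew: re-mint
    second = cache.token()
    refreshed = second != first and fake.calls == 2
    return {"reused": reused, "refreshed": refreshed, "calls": fake.calls,
            "header": cache.auth_header()}
```

With a real client, pass for example lambda: client.secrets.gcp.generate_impersonated_account_oauth2_access_token(name="hvac-doctest") as fetch; the skew should be at least the longest GCP API call you expect to make with the token, so that a token obtained at the start of a call is still valid at its end.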