GCP

Configure

Gcp.configure(credentials=None, ttl=None, max_ttl=None, mount_point='gcp')[source]

Configure shared information for the Gcp secrets engine.

Supported methods:

POST: /{mount_point}/config. Produces: 204 (empty body)

Parameters:
  • credentials (str | unicode) – JSON credentials (either the file contents or '@path/to/file'). See the docs for alternative ways to pass this parameter, as well as the required permissions.

  • ttl (int | str) – Specifies the default config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.

  • max_ttl (int | str) – Specifies the maximum config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

# Read the service account's JSON key file; its contents are passed as the credentials string.
with open('example.jwt.json') as credentials_file:
    credentials = credentials_file.read()

configure_response = client.secrets.gcp.configure(
    credentials=credentials,
    max_ttl=3600,
)
print(configure_response)

Example output:

<Response [204]>

Rotate Root Credentials

Gcp.rotate_root_credentials(mount_point='gcp')[source]

Rotate the GCP service account credentials used by Vault for this mount.

A new key will be generated for the service account, replacing the internal value, and then a deletion of the old service account key is scheduled. Note that this does not create a new service account, only a new version of the service account key.

Supported methods:

POST: /{mount_point}/config/rotate-root. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_root_credentials()

Read Config

Gcp.read_config(mount_point='gcp')[source]

Read the configured shared information for the Gcp secrets engine.

Credentials will be omitted from returned data.

Supported methods:

GET: /{mount_point}/config. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_config_response = client.secrets.gcp.read_config()
print('Max TTL for GCP secrets engine set to: {max_ttl}'.format(max_ttl=read_config_response['data']['max_ttl']))

Example output:

Max TTL for GCP secrets engine set to: 3600

Create Or Update Roleset

Gcp.create_or_update_roleset(name, project, bindings, secret_type=None, token_scopes=None, mount_point='gcp')[source]

Create a roleset or update an existing roleset.

See roleset docs for the GCP secrets backend to learn more about what happens when you create or update a roleset.

Supported methods:

POST: /{mount_point}/roleset/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the role. Cannot be updated.

  • project (str | unicode) – Name of the GCP project that this roleset’s service account will belong to. Cannot be updated.

  • bindings (str | unicode) – Bindings configuration string (expects HCL or JSON format, as a raw or base64-encoded string).

  • secret_type (str | unicode) – Type of secret generated for this roleset (access_token or service_account_key, as used by the token and key endpoints below). Cannot be updated.

  • token_scopes (list[str]) – List of OAuth scopes to assign to access_token secrets generated under this roleset (access_token rolesets only).

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')


bindings = """
    resource "//cloudresourcemanager.googleapis.com/project/some-gcp-project-id" {
      roles = [
        "roles/viewer"
      ],
    }
"""
token_scopes = [
    'https://www.googleapis.com/auth/cloud-platform',
    'https://www.googleapis.com/auth/bigquery',
]

roleset_response = client.secrets.gcp.create_or_update_roleset(
    name='hvac-doctest',
    project='some-gcp-project-id',
    bindings=bindings,
    token_scopes=token_scopes,
)

Rotate Roleset Account

Gcp.rotate_roleset_account(name, mount_point='gcp')[source]

Rotate the service account this roleset uses to generate secrets.

For an access_token roleset this also replaces the key. This can be used to invalidate old secrets generated by the roleset, or to fix issues if a roleset's service account (and/or its keys) was changed outside of Vault (e.g. through the GCP APIs or Cloud Console).

Supported methods:

POST: /{mount_point}/roleset/{name}/rotate. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_roleset_account(name='hvac-doctest')

Rotate Roleset Account Key

Gcp.rotate_roleset_account_key(name, mount_point='gcp')[source]

Rotate the service account key this roleset uses to generate access tokens.

This does not recreate the roleset service account.

Supported methods:

POST: /{mount_point}/roleset/{name}/rotate-key. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_roleset_account_key(name='hvac-doctest')

Read Roleset

Gcp.read_roleset(name, mount_point='gcp')[source]

Read a roleset.

Supported methods:

GET: /{mount_point}/roleset/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_response = client.secrets.gcp.read_roleset(name='hvac-doctest')

List Rolesets

Gcp.list_rolesets(mount_point='gcp')[source]

List configured rolesets.

Supported methods:

LIST: /{mount_point}/rolesets. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_response = client.secrets.gcp.list_rolesets()

Delete Roleset

Gcp.delete_roleset(name, mount_point='gcp')[source]

Delete an existing roleset by the given name.

Supported methods:

DELETE: /{mount_point}/roleset/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the role.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

delete_response = client.secrets.gcp.delete_roleset(name='hvac-doctest')

Generate Oauth2 Access Token

Gcp.generate_oauth2_access_token(roleset, mount_point='gcp')[source]

Generate an OAuth2 token with the scopes defined on the roleset.

This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ...

Supported methods:

GET: /{mount_point}/token/{roleset}. Produces: 200 application/json

Parameters:
  • roleset (str | unicode) – Name of a roleset with secret type access_token to generate the access_token under.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

token_response = client.secrets.gcp.generate_oauth2_access_token(roleset='hvac-doctest')

Generate Service Account Key

Gcp.generate_service_account_key(roleset, key_algorithm='KEY_ALG_RSA_2048', key_type='TYPE_GOOGLE_CREDENTIALS_FILE', method='POST', mount_point='gcp')[source]

Generate a service account key (IAM service account credentials) under the given roleset.

If using GET ('read'), the optional parameters are set to their defaults. Use POST if you want to specify different values for these parameters.

Parameters:
  • roleset (str | unicode) – Name of a roleset with secret type service_account_key to generate the key under.

  • key_algorithm (str | unicode) – Key algorithm used to generate the key. Defaults to a 2048-bit RSA key; you probably should not choose other values (e.g. 1024-bit).

  • key_type (str | unicode) – Private key type to generate. Defaults to a JSON credentials file.

  • method (str | unicode) – HTTP method to use. Supported methods: POST: /{mount_point}/key/{roleset}. Produces: 200 application/json. GET: /{mount_point}/key/{roleset}. Produces: 200 application/json.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

key_response = client.secrets.gcp.generate_service_account_key(roleset='hvac-doctest')

Create Or Update Static Account

Gcp.create_or_update_static_account(name, service_account_email, bindings=None, secret_type=None, token_scopes=None, mount_point='gcp')[source]

Create a static account or update an existing static account.

See static account docs for the GCP secrets backend to learn more about what happens when you create or update a static account.

Supported methods:

POST: /{mount_point}/static-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the static account. Cannot be updated.

  • service_account_email (str | unicode) – Email of the GCP service account to manage. Cannot be updated.

  • bindings (str | unicode) – Bindings configuration string (expects HCL or JSON format, as a raw or base64-encoded string).

  • secret_type (str | unicode) – Type of secret generated for this static account. Accepted values: access_token, service_account_key. Cannot be updated.

  • token_scopes (list[str]) – List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

create_response = client.secrets.gcp.create_or_update_static_account(
  name="hvac-doctest",
  service_account_email="hvac-doctest@some-gcp-project-id.iam.gserviceaccount.com",
  secret_type="access_token",
  token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
)

Rotate Static Account Key

Gcp.rotate_static_account_key(name, mount_point='gcp')[source]

Rotate the service account key this static account uses to generate access tokens.

This does not recreate the service account.

Supported methods:

POST: /{mount_point}/static-account/{name}/rotate-key. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the static account.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_static_account_key(name="hvac-doctest")

Read Static Account

Gcp.read_static_account(name, mount_point='gcp')[source]

Read a static account.

Supported methods:

GET: /{mount_point}/static-account/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the static account.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_response = client.secrets.gcp.read_static_account(name="hvac-doctest")

List Static Accounts

Gcp.list_static_accounts(mount_point='gcp')[source]

List configured static accounts.

Supported methods:

LIST: /{mount_point}/static-accounts. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_response = client.secrets.gcp.list_static_accounts()

Delete Static Account

Gcp.delete_static_account(name, mount_point='gcp')[source]

Delete an existing static account by the given name.

Supported methods:

DELETE: /{mount_point}/static-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the static account.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

delete_response = client.secrets.gcp.delete_static_account(name="hvac-doctest")

Generate Static Account OAuth2 Access Token

Gcp.generate_static_account_oauth2_access_token(name, mount_point='gcp')[source]

Generate an OAuth2 token with the scopes defined on the static account.

This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ...

Supported methods:

GET: /{mount_point}/static-account/{name}/token. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of a static account with secret type access_token to generate access_token under.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

token_response = client.secrets.gcp.generate_static_account_oauth2_access_token(
  name="hvac-doctest",
)

Generate Static Account Service Account Key

Gcp.generate_static_account_service_account_key(name, key_algorithm='KEY_ALG_RSA_2048', key_type='TYPE_GOOGLE_CREDENTIALS_FILE', method='POST', mount_point='gcp')[source]

Generate a service account key (IAM service account credentials) under the given static account.

If using GET ('read'), the optional parameters are set to their defaults. Use POST if you want to specify different values for these parameters.

Parameters:
  • name (str | unicode) – Name of a static account with secret type service_account_key to generate key under.

  • key_algorithm (str | unicode) – Key algorithm used to generate the key. Defaults to a 2048-bit RSA key; you probably should not choose other values (e.g. 1024-bit).

  • key_type (str | unicode) – Private key type to generate. Defaults to a JSON credentials file.

  • method (str | unicode) – HTTP method to use. Supported methods: POST: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json. GET: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

key_response = client.secrets.gcp.generate_static_account_service_account_key(
  name="hvac-doctest",
)

Create Or Update Impersonated Account

Gcp.create_or_update_impersonated_account(name, service_account_email, token_scopes=None, ttl=None, mount_point='gcp')[source]

Create an impersonated account or update an existing impersonated account.

See impersonated account docs for the GCP secrets backend to learn more about what happens when you create or update an impersonated account.

Supported methods:

POST: /{mount_point}/impersonated-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the impersonated account. Cannot be updated.

  • service_account_email (str | unicode) – Email of the GCP service account to manage. Cannot be updated.

  • token_scopes (list[str]) – List of OAuth scopes to assign to access tokens generated under this impersonated account.

  • ttl (str | unicode) – Lifetime of the token generated. Defaults to 1 hour and is limited to a maximum of 12 hours. Uses duration format strings.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

create_response = client.secrets.gcp.create_or_update_impersonated_account(
  name="hvac-doctest",
  service_account_email="hvac-doctest@some-gcp-project-id.iam.gserviceaccount.com",
  token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
  ttl='4h'
)

Read Impersonated Account

Gcp.read_impersonated_account(name, mount_point='gcp')[source]

Read an impersonated account.

Supported methods:

GET: /{mount_point}/impersonated-account/{name}. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the impersonated account.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_response = client.secrets.gcp.read_impersonated_account(name="hvac-doctest")

List Impersonated Accounts

Gcp.list_impersonated_accounts(mount_point='gcp')[source]

List configured impersonated accounts.

Supported methods:

LIST: /{mount_point}/impersonated-accounts. Produces: 200 application/json

Parameters:

mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_response = client.secrets.gcp.list_impersonated_accounts()

Delete Impersonated Account

Gcp.delete_impersonated_account(name, mount_point='gcp')[source]

Delete an existing impersonated account by the given name.

Supported methods:

DELETE: /{mount_point}/impersonated-account/{name}. Produces: 204 (empty body)

Parameters:
  • name (str | unicode) – Name of the impersonated account.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

delete_response = client.secrets.gcp.delete_impersonated_account(name="hvac-doctest")

Generate Impersonated Account OAuth2 Access Token

Gcp.generate_impersonated_account_oauth2_access_token(name, mount_point='gcp')[source]

Generate an OAuth2 token with the scopes defined on the impersonated account.

This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ...

Supported methods:

GET: /{mount_point}/impersonated-account/{name}/token. Produces: 200 application/json

Parameters:
  • name (str | unicode) – Name of the impersonated account to generate an access token under.

  • mount_point (str | unicode) – The "path" the method/backend was mounted on.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

token_response = client.secrets.gcp.generate_impersonated_account_oauth2_access_token(
  name="hvac-doctest",
)