Auth

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

methods = client.sys.list_auth_methods()

client.sys.enable_auth_method('userpass', path='customuserpass')
client.sys.disable_auth_method('github')

List Auth Methods

Auth.list_auth_methods()

List all enabled auth methods.

Supported methods:

GET: /sys/auth. Produces: 200 application/json

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

auth_methods = client.sys.list_auth_methods()
print('The following auth methods are enabled: {auth_methods_list}'.format(
    auth_methods_list=', '.join(auth_methods['data'].keys()),
))

Example output:

The following auth methods are enabled: token/

Enable Auth Method

Auth.enable_auth_method(method_type, description=None, config=None, plugin_name=None, local=False, path=None, **kwargs)

Enable a new auth method.

After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.

Supported methods:

POST: /sys/auth/{path}. Produces: 204 (empty body)

Parameters:
  • method_type (str | unicode) – The name of the authentication method type, such as “github” or “token”.

  • description (str | unicode) – A human-friendly description of the auth method.

  • config (dict) –

    Configuration options for this auth method. These are the possible values:

    • default_lease_ttl: The default lease duration, specified as a string duration like “5s” or “30m”.

    • max_lease_ttl: The maximum lease duration, specified as a string duration like “5s” or “30m”.

    • audit_non_hmac_request_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.

    • audit_non_hmac_response_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.

    • listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint.

    • passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request to the backend.

  • plugin_name (str | unicode) – The name of the auth plugin to use, based on the name in the plugin catalog. Applies only to plugin methods.

  • local (bool) – <Vault enterprise only> Specifies if the auth method is local only. Local auth methods are not replicated nor (if a secondary) removed by replication.

  • path (str | unicode) – The path to mount the method on. If not provided, defaults to the value of the “method_type” argument.

  • kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secret engine for details on which extra keyword arguments you might want to pass.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.enable_auth_method(
    method_type='github',
    path='github-hvac',
)

Disable Auth Method

Auth.disable_auth_method(path)

Disable the auth method at the given auth path.

Supported methods:

DELETE: /sys/auth/{path}. Produces: 204 (empty body)

Parameters:

path (str | unicode) – The path the method was mounted on. If not provided, defaults to the value of the “method_type” argument.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.disable_auth_method(
    path='github-hvac',
)

Read Auth Method Tuning

Auth.read_auth_method_tuning(path)

Read the given auth path’s configuration.

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Supported methods:

GET: /sys/auth/{path}/tune. Produces: 200 application/json

Parameters:

path (str | unicode) – The path the method was mounted on. If not provided, defaults to the value of the “method_type” argument.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
response = client.sys.read_auth_method_tuning(
    path='github-hvac',
)

print('The max lease TTL for the auth method under path "github-hvac" is: {max_ttl}'.format(
    max_ttl=response['data']['max_lease_ttl'],
))

Example output:

The max lease TTL for the auth method under path "github-hvac" is: 2764800

Tune Auth Method

Auth.tune_auth_method(path, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None, **kwargs)

Tune configuration parameters for a given auth path.

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Supported methods:

POST: /sys/auth/{path}/tune. Produces: 204 (empty body)

Parameters:
  • path (str | unicode) – The path the method was mounted on. If not provided, defaults to the value of the “method_type” argument.

  • default_lease_ttl (int) – Specifies the default time-to-live. If set on a specific auth path, this overrides the global default.

  • max_lease_ttl (int) – The maximum time-to-live. If set on a specific auth path, this overrides the global default.

  • description (str | unicode) – Specifies the description of the mount. This overrides the current stored value, if any.

  • audit_non_hmac_request_keys (array) – Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.

  • audit_non_hmac_response_keys (list) – Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.

  • listing_visibility (list) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “”.

  • passthrough_request_headers (list) – List of headers to whitelist and pass from the request to the backend.

  • kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secret engine for details on which extra keyword arguments you might want to pass.

Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.tune_auth_method(
    path='github-hvac',
    description='The Github auth method for hvac users',
)
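
Added example (not part of the hvac documentation or code base): an offline audit of the dict returned by list_auth_methods() against the tuning options described above. The sample response, the SENSITIVE_KEYS set, the thresholds and the function name audit_auth_methods are assumptions made for illustration; the code assumes each mount entry carries a "type" and a "config" dict.

```python
# Constructed sample shaped like the dict returned by client.sys.list_auth_methods();
# the paths and values are made up for illustration.
SAMPLE_AUTH_METHODS = {
    "data": {
        "token/": {"type": "token", "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
        "github-hvac/": {
            "type": "github",
            "config": {"default_lease_ttl": 3600, "max_lease_ttl": 2764800,
                       "listing_visibility": "unauth"},
        },
        "customuserpass/": {
            "type": "userpass",
            "config": {"default_lease_ttl": 0, "max_lease_ttl": 0,
                       "audit_non_hmac_request_keys": ["username", "password"]},
        },
    }
}

# Assumed list of request keys that should stay HMAC'd in audit logs; adapt it.
SENSITIVE_KEYS = {"password", "token", "secret_id"}


def audit_auth_methods(auth_methods, allowed_types, max_ttl_seconds):
    """Return sorted (path, finding) tuples for mounts that break the baseline."""
    findings = []
    for path, mount in auth_methods["data"].items():
        config = mount.get("config") or {}
        if mount.get("type") not in allowed_types:
            findings.append((path, "unapproved auth type: %s" % mount.get("type")))
        # 0 means the mount inherits the system default, so only overrides are checked.
        if (config.get("max_lease_ttl") or 0) > max_ttl_seconds:
            findings.append((path, "max_lease_ttl exceeds %ds" % max_ttl_seconds))
        if config.get("listing_visibility") == "unauth":
            findings.append((path, "mount is shown in the unauthenticated UI listing"))
        # Keys excluded from HMAC appear in clear text in the audit device output.
        exposed = SENSITIVE_KEYS & set(config.get("audit_non_hmac_request_keys") or [])
        if exposed:
            findings.append((path, "audit log shows in clear: " + ", ".join(sorted(exposed))))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit_auth_methods(SAMPLE_AUTH_METHODS, {"token", "github"}, 86400):
        print(path, "->", finding)
```

Against a live server, pass the result of client.sys.list_auth_methods() in place of the sample.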