Wrapping

Unwrap

Wrapping.unwrap(token=None)[source]

Return the original response inside the given wrapping token.

Unlike simply reading cubbyhole/response (which is deprecated), this endpoint provides additional validation checks on the token, returns the original value on the wire rather than a JSON string representation of it, and ensures that the response is properly audit-logged.

Supported methods:

POST: /sys/wrapping/unwrap. Produces: 200 application/json

Parameters:

token (str | unicode) – Specifies the wrapping token ID. This is required if the client token is not the wrapping token. Do not use the wrapping token in both locations.

Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac

client = hvac.Client(url='https://127.0.0.1:8200')
client.write(
    path="auth/approle-test/role/testrole",
)
result = client.write(
    path='auth/approle-test/role/testrole/secret-id',
    wrap_ttl="10s",
)

unwrap_response = client.sys.unwrap(
    token=result['wrap_info']['token'],
)
print('Unwrapped approle role token secret id accessor: "%s"' % unwrap_response['data']['secret_id_accessor'])

Example output:

Unwrapped approle role token secret id accessor: "..."
import hvac

client = hvac.Client(url='https://127.0.0.1:8200')
client.write(
    path="auth/approle-test/role/testrole",
)
result = client.write(
    path='auth/approle-test/role/testrole/secret-id',
    wrap_ttl="10s",
)
result_token = result['wrap_info']['token']

unwrapping_client = hvac.Client(url='https://127.0.0.1:8200', token=result_token)

# Do not pass the token to unwrap when authenticating with the wrapping token
unwrap_response = unwrapping_client.sys.unwrap()

print('Unwrapped approle role token secret id accessor: "%s"' % unwrap_response['data']['secret_id_accessor'])

Example output:

Unwrapped approle role token secret id accessor: "..."