hvac.v1

Classes

Client([url, token, cert, verify, timeout, …])

The hvac Client class for HashiCorp’s Vault.

class hvac.v1.Client(url=None, token=None, cert=None, verify=True, timeout=30, proxies=None, allow_redirects=True, session=None, adapter=<class 'hvac.adapters.JSONAdapter'>, namespace=None, **kwargs)[source]

Bases: object

The hvac Client class for HashiCorp’s Vault.

Methods

__init__([url, token, cert, verify, …])

Creates a new hvac client instance.

audit_hash(name, input)

Call to deprecated function ‘audit_hash’.

auth_app_id(app_id, user_id[, mount_point, …])

POST /auth/<mount point>/login

auth_approle(role_id[, secret_id, …])

Call to deprecated function ‘auth_approle’.

auth_aws_iam(access_key, secret_key[, …])

Call to deprecated function ‘auth_aws_iam’.

auth_cubbyhole(token)

Perform a login request with a wrapped token.

auth_ec2(pkcs7[, nonce, role, use_token, …])

Call to deprecated function ‘auth_ec2’.

auth_gcp(*args, **kwargs)

Call to deprecated function ‘auth_gcp’.

auth_github(*args, **kwargs)

Call to deprecated function ‘auth_github’.

auth_kubernetes(role, jwt[, use_token, …])

POST /auth/<mount_point>/login

auth_ldap(*args, **kwargs)

Call to deprecated function ‘auth_ldap’.

auth_tls([mount_point, use_token])

POST /auth/<mount point>/login

auth_userpass(username, password[, …])

POST /auth/<mount point>/login/<username>

cancel_generate_root()

Call to deprecated function ‘cancel_generate_root’.

cancel_rekey()

Call to deprecated function ‘cancel_rekey’.

close()

Call to deprecated function ‘close’.

create_app_id(app_id, policies[, …])

POST /auth/<mount point>/map/app-id/<app_id>

create_ec2_role(role[, bound_ami_id, …])

Call to deprecated function ‘create_ec2_role’.

create_ec2_role_tag(role[, policies, …])

Call to deprecated function ‘create_ec2_role_tag’.

create_kubernetes_configuration(kubernetes_host)

POST /auth/<mount_point>/config

create_kubernetes_role(name, …[, ttl, …])

POST /auth/<mount_point>/role/:name

create_role(role_name[, mount_point])

Call to deprecated function ‘create_role’.

create_role_custom_secret_id(role_name, …)

Call to deprecated function ‘create_role_custom_secret_id’.

create_role_secret_id(role_name[, meta, …])

Call to deprecated function ‘create_role_secret_id’.

create_token([role, token_id, policies, …])

POST /auth/token/create

create_token_role(role[, allowed_policies, …])

POST /auth/token/roles/<role>

create_user_id(user_id, app_id[, …])

POST /auth/<mount point>/map/user-id/<user_id>

create_userpass(username, password, policies)

POST /auth/<mount point>/users/<username>

create_vault_ec2_certificate_configuration(…)

Call to deprecated function ‘create_vault_ec2_certificate_configuration’.

create_vault_ec2_client_configuration(…[, …])

Call to deprecated function ‘create_vault_ec2_client_configuration’.

delete(path)

DELETE /<path>

delete_app_id(app_id[, mount_point])

DELETE /auth/<mount_point>/map/app-id/<app_id>

delete_ec2_role(role[, mount_point])

Call to deprecated function ‘delete_ec2_role’.

delete_kubernetes_role(role[, mount_point])

DELETE /auth/<mount_point>/role/:role

delete_policy(name)

Call to deprecated function ‘delete_policy’.

delete_role(role_name[, mount_point])

Call to deprecated function ‘delete_role’.

delete_role_secret_id(role_name, secret_id)

Call to deprecated function ‘delete_role_secret_id’.

delete_role_secret_id_accessor(role_name, …)

Call to deprecated function ‘delete_role_secret_id_accessor’.

delete_token_role(role)

Deletes the named token role.

delete_user_id(user_id[, mount_point])

DELETE /auth/<mount_point>/map/user-id/<user_id>

delete_userpass(username[, mount_point])

DELETE /auth/<mount point>/users/<username>

delete_vault_ec2_client_configuration([…])

Call to deprecated function ‘delete_vault_ec2_client_configuration’.

disable_audit_backend(name)

Call to deprecated function ‘disable_audit_backend’.

disable_auth_backend(mount_point)

Call to deprecated function ‘disable_auth_backend’.

disable_secret_backend(mount_point)

Call to deprecated function ‘disable_secret_backend’.

enable_audit_backend(backend_type[, …])

Call to deprecated function ‘enable_audit_backend’.

enable_auth_backend(backend_type[, …])

Call to deprecated function ‘enable_auth_backend’.

enable_secret_backend(backend_type[, …])

Call to deprecated function ‘enable_secret_backend’.

generate_root(key, nonce)

Call to deprecated function ‘generate_root’.

get_app_id(app_id[, mount_point, wrap_ttl])

GET /auth/<mount_point>/map/app-id/<app_id>

get_auth_backend_tuning(backend_type[, …])

Call to deprecated function ‘get_auth_backend_tuning’.

get_backed_up_keys()

Call to deprecated function ‘get_backed_up_keys’.

get_ec2_role(role[, mount_point])

Call to deprecated function ‘get_ec2_role’.

get_kubernetes_configuration([mount_point])

GET /auth/<mount_point>/config

get_kubernetes_role(name[, mount_point])

GET /auth/<mount_point>/role/:name

get_policy(name[, parse])

Retrieve the policy body for the named policy.

get_role(role_name[, mount_point])

Call to deprecated function ‘get_role’.

get_role_id(role_name[, mount_point])

Call to deprecated function ‘get_role_id’.

get_role_secret_id(role_name, secret_id[, …])

Call to deprecated function ‘get_role_secret_id’.

get_role_secret_id_accessor(role_name, …)

Call to deprecated function ‘get_role_secret_id_accessor’.

get_secret_backend_tuning(backend_type[, …])

Call to deprecated function ‘get_secret_backend_tuning’.

get_user_id(user_id[, mount_point, wrap_ttl])

GET /auth/<mount_point>/map/user-id/<user_id>

get_vault_ec2_certificate_configuration(…)

Call to deprecated function ‘get_vault_ec2_certificate_configuration’.

get_vault_ec2_client_configuration([mount_point])

Call to deprecated function ‘get_vault_ec2_client_configuration’.

initialize([secret_shares, …])

Call to deprecated function ‘initialize’.

is_authenticated()

Helper method which returns the authentication status of the client.

is_initialized()

Call to deprecated function ‘is_initialized’.

is_sealed()

Call to deprecated function ‘is_sealed’.

list(path)

GET /<path>?list=true

list_audit_backends()

Call to deprecated function ‘list_audit_backends’.

list_auth_backends()

Call to deprecated function ‘list_auth_backends’.

list_ec2_roles([mount_point])

Call to deprecated function ‘list_ec2_roles’.

list_kubernetes_roles([mount_point])

GET /auth/<mount_point>/role?list=true

list_policies()

Call to deprecated function ‘list_policies’.

list_role_secrets(role_name[, mount_point])

Call to deprecated function ‘list_role_secrets’.

list_roles([mount_point])

Call to deprecated function ‘list_roles’.

list_secret_backends()

Call to deprecated function ‘list_secret_backends’.

list_token_roles()

GET /auth/token/roles?list=true

list_userpass([mount_point])

GET /auth/<mount point>/users?list=true

list_vault_ec2_certificate_configurations([…])

Call to deprecated function ‘list_vault_ec2_certificate_configurations’.

login(url[, use_token])

Perform a login request.

logout([revoke_token])

Clears the token used for authentication, optionally revoking it before doing so.

lookup_token([token, accessor, wrap_ttl])

GET /auth/token/lookup/<token>

read(path[, wrap_ttl])

GET /<path>

read_lease(lease_id)

Call to deprecated function ‘read_lease’.

read_userpass(username[, mount_point])

GET /auth/<mount point>/users/<username>

rekey(key[, nonce])

Call to deprecated function ‘rekey’.

rekey_multi(keys[, nonce])

Call to deprecated function ‘rekey_multi’.

remount_secret_backend(from_mount_point, …)

Call to deprecated function ‘remount_secret_backend’.

renew_secret(lease_id[, increment])

Call to deprecated function ‘renew_secret’.

renew_self_token([increment, wrap_ttl])

POST /auth/token/renew-self

renew_token([token, increment, wrap_ttl])

POST /auth/token/renew

revoke_secret(lease_id)

Call to deprecated function ‘revoke_secret’.

revoke_secret_prefix(path_prefix)

Call to deprecated function ‘revoke_secret_prefix’.

revoke_self_token()

PUT /auth/token/revoke-self

revoke_token(token[, orphan, accessor])

POST /auth/token/revoke

revoke_token_prefix(prefix)

POST /auth/token/revoke-prefix/<prefix>

rotate()

Call to deprecated function ‘rotate’.

seal()

Call to deprecated function ‘seal’.

set_policy(name, rules)

Call to deprecated function ‘set_policy’.

set_role_id(role_name, role_id[, mount_point])

Call to deprecated function ‘set_role_id’.

start_generate_root(key[, otp])

Call to deprecated function ‘start_generate_root’.

start_rekey([secret_shares, …])

Call to deprecated function ‘start_rekey’.

token_role(role)

Returns the named token role.

transit_create_key(name[, …])

Call to deprecated function ‘transit_create_key’.

transit_decrypt_data(name, ciphertext[, …])

Call to deprecated function ‘transit_decrypt_data’.

transit_delete_key(name[, mount_point])

Call to deprecated function ‘transit_delete_key’.

transit_encrypt_data(name, plaintext[, …])

Call to deprecated function ‘transit_encrypt_data’.

transit_export_key(name, key_type[, …])

Call to deprecated function ‘transit_export_key’.

transit_generate_data_key(name, key_type[, …])

Call to deprecated function ‘transit_generate_data_key’.

transit_generate_hmac(name, hmac_input[, …])

Call to deprecated function ‘transit_generate_hmac’.

transit_generate_rand_bytes([data_bytes, …])

Call to deprecated function ‘transit_generate_rand_bytes’.

transit_hash_data(hash_input[, algorithm, …])

Call to deprecated function ‘transit_hash_data’.

transit_list_keys([mount_point])

Call to deprecated function ‘transit_list_keys’.

transit_read_key(name[, mount_point])

Call to deprecated function ‘transit_read_key’.

transit_rewrap_data(name, ciphertext[, …])

Call to deprecated function ‘transit_rewrap_data’.

transit_rotate_key(name[, mount_point])

Call to deprecated function ‘transit_rotate_key’.

transit_sign_data(name, input_data[, …])

Call to deprecated function ‘transit_sign_data’.

transit_update_key(name[, …])

Call to deprecated function ‘transit_update_key’.

transit_verify_signed_data(name, input_data)

Call to deprecated function ‘transit_verify_signed_data’.

tune_auth_backend(backend_type[, …])

Call to deprecated function ‘tune_auth_backend’.

tune_secret_backend(backend_type[, …])

Call to deprecated function ‘tune_secret_backend’.

unseal(key)

Call to deprecated function ‘unseal’.

unseal_multi(keys)

Call to deprecated function ‘unseal_multi’.

unseal_reset()

Call to deprecated function ‘unseal_reset’.

unwrap([token])

Call to deprecated function ‘unwrap’.

update_userpass_password(username, password)

POST /auth/<mount point>/users/<username>/password

update_userpass_policies(username, policies)

POST /auth/<mount point>/users/<username>/policies

urljoin(*args, **kwargs)

Call to deprecated function ‘urljoin’.

write(path[, wrap_ttl])

POST /<path>

Attributes

adapter

allow_redirects

auth

Accessor for the Client instance’s auth methods.

generate_root_status

ha_status

Read the high availability status and current leader instance of Vault.

key_status

GET /sys/key-status

rekey_status

seal_status

Read the seal status of the Vault.

secrets

Accessor for the Client instance’s secrets engines.

session

sys

Accessor for the Client instance’s system backend methods.

token

url

__init__(url=None, token=None, cert=None, verify=True, timeout=30, proxies=None, allow_redirects=True, session=None, adapter=<class 'hvac.adapters.JSONAdapter'>, namespace=None, **kwargs)[source]

Creates a new hvac client instance.

Parameters
  • url (str) – Base URL for the Vault instance being addressed.

  • token (str) – Authentication token to include in requests sent to Vault.

  • cert (tuple) – Client certificate to present to Vault, as a two-element tuple of file paths in the order (certificate, private key). requests, which hvac uses underneath, does not prompt for a key passphrase, so the key file must be stored unencrypted and protected by file permissions instead.

  • verify (Union[bool,str]) – Either a boolean indicating whether TLS certificate verification should be performed when sending requests to Vault, or a string path to the CA bundle to use for verification. See http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification. With verify=False any host on the network path can impersonate Vault and collect the token, so outside a throwaway dev server pass True or the path to the bundle that issued Vault’s certificate.

  • timeout (int) – The timeout, in seconds, for requests sent to Vault.

  • proxies (dict) – Proxies to use when performing requests. See: http://docs.python-requests.org/en/master/user/advanced/#proxies

  • allow_redirects (bool) – Whether to follow redirects when sending requests to Vault.

  • session (requests.Session) – Optional session object to use when performing requests.

  • adapter (hvac.adapters.Adapter) – Optional class to be used for performing requests. If none is provided, defaults to hvac.adapters.JSONAdapter.

  • namespace (str) – Optional Vault Namespace, sent as the X-Vault-Namespace header on every request.

  • kwargs (dict) – Additional parameters to pass to the adapter constructor.
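Added example (not part of hvac or of this page’s original text): a helper that turns the Vault CLI’s environment variables (VAULT_ADDR, VAULT_TOKEN, VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY, VAULT_SKIP_VERIFY, VAULT_NAMESPACE) into the keyword arguments listed above, refusing verify=False and a plaintext http:// address off the loopback interface. The function and constant names are this example’s own, and the environment dictionary in the demo is constructed; the result is intended to be passed as hvac.Client(**client_kwargs()).

```python
import os
from urllib.parse import urlsplit

# Hosts for which a plaintext http:// address is tolerated (a local dev server only).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def client_kwargs(env=None, allow_skip_verify=False):
    """Build the keyword arguments for hvac.Client(**kwargs) from the Vault CLI
    environment variables, refusing settings that defeat transport security."""
    env = os.environ if env is None else env
    url = env.get("VAULT_ADDR", "https://127.0.0.1:8200")
    parts = urlsplit(url)
    if parts.scheme != "https" and parts.hostname not in LOOPBACK_HOSTS:
        raise ValueError(
            f"refusing plaintext Vault address {url!r}: the token would cross the network in clear")

    kwargs = {
        "url": url,
        # None rather than "" so an unset variable leaves the client unauthenticated.
        "token": env.get("VAULT_TOKEN") or None,
        # verify=True uses the system trust store; a CA bundle path pins Vault's issuer.
        "verify": env.get("VAULT_CACERT") or True,
    }

    if env.get("VAULT_SKIP_VERIFY", "").lower() in ("1", "true"):
        if not allow_skip_verify:
            raise ValueError(
                "VAULT_SKIP_VERIFY is set: with verify=False any host on the path can impersonate Vault")
        kwargs["verify"] = False  # explicit opt-in only, e.g. a throwaway dev server

    cert, key = env.get("VAULT_CLIENT_CERT"), env.get("VAULT_CLIENT_KEY")
    if bool(cert) != bool(key):
        raise ValueError("VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together")
    if cert:
        kwargs["cert"] = (cert, key)  # hvac/requests expect (certificate, key) in this order

    if env.get("VAULT_NAMESPACE"):
        kwargs["namespace"] = env["VAULT_NAMESPACE"]
    return kwargs


def redacted(kwargs):
    """Copy of the kwargs that is safe to log: the token is never written out."""
    shown = dict(kwargs)
    if shown.get("token"):
        shown["token"] = "<redacted>"
    return shown


if __name__ == "__main__":
    # Constructed environment for the demonstration.
    demo = {"VAULT_ADDR": "https://vault.example.internal:8200",
            "VAULT_TOKEN": "hvs.example", "VAULT_CACERT": "/etc/vault/ca.pem",
            "VAULT_NAMESPACE": "team-a"}
    print(redacted(client_kwargs(demo)))
    # then: client = hvac.Client(**client_kwargs(demo))
```

The allow_skip_verify escape hatch exists so that the one legitimate case (a local dev server with a self-signed certificate) has to be spelled out in code rather than slipped in through the environment of a production host.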

property adapter
property allow_redirects
audit_hash(name, input)[source]
Call to deprecated function ‘audit_hash’. This method will be removed in version ‘0.9.0’. Please use the ‘calculate_hash’ method on the ‘hvac.api.system_backend.audit’ class moving forward. Note that the replacement names its parameters path and input_to_hash rather than name and input.

Docstring content from this method’s replacement copied below: Hash the given input data with the specified audit device’s hash function and salt.

This endpoint can be used to discover whether a given plaintext string (the input parameter) appears in the audit log in obfuscated form. Audit devices obfuscate sensitive values with HMAC-SHA256 keyed by a per-device salt, so the same value hashes differently on each device and cannot be recomputed outside Vault; query the device whose log you are searching.

Supported methods:

POST: /sys/audit-hash/{path}. Produces: 200 application/json

Parameters
  • path (str | unicode) – The path of the audit device to generate hashes for. This is part of the request URL.

  • input_to_hash (str | unicode) – The input string to hash.

Returns

The JSON response of the request; its hash key holds the obfuscated value in the form hmac-sha256:<hex>.

Return type

dict
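Added example, not hvac’s code: what the audit-hash endpoint computes, reproduced locally with a constructed salt so it runs offline, together with a search over constructed audit-log lines for a value suspected to have leaked. Vault derives the obfuscated form as HMAC-SHA256 keyed with the audit device’s salt, rendered as hmac-sha256:<hex>. The salt, token values, log entries and function names below are made up for the demonstration; against a real deployment the salt is not obtainable, so call calculate_hash on each audit device and search its log for the string returned.

```python
import hashlib
import hmac
import json

# Constructed salt; a real audit device's salt never leaves Vault.
DEMO_SALT = "3f9a6f1c-constructed-device-salt"


def audit_hash(salt, value):
    """Obfuscate a value the way a Vault audit device does: HMAC-SHA256 keyed
    with the device salt, rendered as 'hmac-sha256:<hex>'. /sys/audit-hash
    returns exactly this string for the named device."""
    mac = hmac.new(salt.encode(), value.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + mac


def find_hashed(log_lines, obfuscated):
    """Return (line number, JSON path) for every field whose value equals the
    obfuscated string, walking nested objects and arrays in each entry."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line; report separately in real triage
        stack = [("", entry)]
        while stack:
            path, node = stack.pop()
            if isinstance(node, dict):
                stack.extend((f"{path}.{k}" if path else k, v) for k, v in node.items())
            elif isinstance(node, list):
                stack.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
            elif node == obfuscated:
                hits.append((lineno, path))
    return hits


def hunt(log_lines, salt, candidates):
    """For each candidate plaintext (a token or secret suspected to have leaked),
    list where its obfuscated form appears in the audit log."""
    return {c: find_hashed(log_lines, audit_hash(salt, c)) for c in candidates}


# Constructed audit log, shaped like the file audit device's JSON lines.
LEAKED_TOKEN = "hvs.CAESIexample"
SAMPLE_LOG = [
    json.dumps({"type": "request",
                "auth": {"client_token": audit_hash(DEMO_SALT, LEAKED_TOKEN),
                         "policies": ["default", "db-reader"]},
                "request": {"operation": "read", "path": "secret/data/db"}}),
    json.dumps({"type": "response",
                "auth": {"client_token": audit_hash(DEMO_SALT, "hvs.other")},
                "response": {"data": {"password": audit_hash(DEMO_SALT, "s3cr3t")}}}),
    "not json: line rotated mid-write",
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG, DEMO_SALT, [LEAKED_TOKEN, "s3cr3t", "never-seen"])
    for plaintext, where in results.items():
        print(plaintext, "->", where or "not in log")
```

Because the salt is per device, a hash produced for one audit device will never match lines written by another; when several devices are enabled, repeat the lookup with the hash each device returns for the same plaintext.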

property auth

Accessor for the Client instance’s auth methods. Provided via the hvac.api.AuthMethods class.

Returns

This Client instance’s associated Auth instance.

Return type

hvac.api.AuthMethods

auth_app_id(app_id, user_id, mount_point='app-id', use_token=True)[source]

POST /auth/<mount point>/login

Log in with the App ID auth method. App ID is deprecated in Vault itself in favor of AppRole, which can bind secret IDs to CIDRs, TTLs and use counts; prefer auth_approle (or the login method of hvac.api.auth_methods.approle) for new code.

Parameters
  • app_id (str) – The app ID half of the credential pair.

  • user_id (str) – The user ID half of the credential pair.

  • mount_point (str) – The path the App ID auth method was mounted on.

  • use_token (bool) – If True, the token in the login response is set as the Client’s token.

Returns

The (JSON decoded) response of the login request.

Return type

dict

auth_approle(role_id, secret_id=None, mount_point='approle', use_token=True)[source]
Call to deprecated function ‘auth_approle’. This method will be removed in version ‘0.12.0’. Please use the ‘login’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Login with APPROLE credentials.

Supported methods:

POST: /auth/{mount_point}/login. Produces: 200 application/json

Parameters
  • role_id (str | unicode) – Role ID of the role.

  • secret_id (str | unicode) – Secret ID of the role. Required unless the role was created with bind_secret_id=False; treat it as a password, deliver it to the application separately from the role_id, and prefer roles whose secret IDs are single-use and short-lived.

  • use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the login request.

Return type

dict

auth_aws_iam(access_key, secret_key, session_token=None, header_value=None, mount_point='aws', role='', use_token=True, region='us-east-1')[source]
Call to deprecated function ‘auth_aws_iam’. This method will be removed in version ‘0.11.2’. Please use the ‘iam_login’ method on the ‘hvac.api.auth_methods.aws’ class moving forward. The replacement’s docstring, copied below, describes only the role, use_token and mount_point parameters; the signed-request inputs (access_key, secret_key, session_token, header_value, region) are as in the signature above. Set header_value to the iam_server_id_header_value configured on the mount, so that a signed GetCallerIdentity request captured in transit cannot be replayed against a different Vault server.

Docstring content from this method’s replacement copied below: Fetch a token.

This endpoint verifies the pkcs7 signature of the instance identity document or the signature of the signed GetCallerIdentity request. With the ec2 auth method, or when inferring an EC2 instance, it verifies that the instance is actually in a running state, and cross-checks the constraints defined on the role with which the login is being performed. With the ec2 auth method, as an alternative to the pkcs7 signature, the identity document along with its RSA digest can be supplied to this endpoint.

Parameters
  • role (str) – Name of the role against which the login is being attempted.

  • use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.

  • mount_point (str) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

auth_cubbyhole(token)[source]

Perform a login request with a wrapped token.

Stores the unwrapped token from the resulting Vault response for use by the hvac.adapters.Adapter() instance under the _adapter Client attribute. The wrapping token is presented to /sys/wrapping/unwrap as the request token; it is single-use, so an unwrap that fails because the token was already consumed means someone else read the wrapped secret first.

Parameters

token (str | unicode) – Wrapped token

Returns

The (JSON decoded) response of the auth request

Return type

dict
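Added example of the two exchanges behind auth_approle and auth_cubbyhole, written against a constructed in-process stand-in for Vault so that it runs offline with only the standard library. This is not hvac’s code, and FakeVault is not Vault: it implements only the AppRole login and wrapping-unwrap paths, its token values and role credentials are made up, and its wrap_info carries fewer fields than Vault’s. A wrapped login response here stands in for any wrapped auth response, such as one produced by create_token with wrap_ttl.

```python
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed AppRole credentials the stand-in server accepts.
ROLE_ID = "db-reader-role-id"
SECRET_ID = "one-time-secret-id"


class FakeVault(BaseHTTPRequestHandler):
    """Stand-in for two endpoints: POST /v1/auth/approle/login and
    POST /v1/sys/wrapping/unwrap. Just enough to show the message shapes."""
    wrapped = {}  # wrapping token -> the response it hides (single use)

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/v1/auth/approle/login":
            if body.get("role_id") != ROLE_ID or body.get("secret_id") != SECRET_ID:
                return self._send(400, {"errors": ["invalid role or secret ID"]})
            auth = {"auth": {"client_token": "hvs." + secrets.token_hex(12),
                             "policies": ["default", "db-reader"],
                             "lease_duration": 1200, "renewable": True}}
            if self.headers.get("X-Vault-Wrap-TTL"):
                # Response wrapping: the caller receives a wrapping token, not the secret.
                wrap_token = "hvs." + secrets.token_hex(12)
                FakeVault.wrapped[wrap_token] = auth
                return self._send(200, {"wrap_info": {"token": wrap_token, "ttl": 60}})
            return self._send(200, auth)
        if self.path == "/v1/sys/wrapping/unwrap":
            # The wrapping token arrives as X-Vault-Token and is consumed on use.
            inner = FakeVault.wrapped.pop(self.headers.get("X-Vault-Token"), None)
            if inner is None:
                return self._send(400, {"errors": ["wrapping token is not valid or does not exist"]})
            return self._send(200, inner)
        self._send(404, {"errors": []})

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_vault():
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def vault_post(url, path, payload=None, token=None, wrap_ttl=None):
    """One Vault API call with the headers hvac's adapter would set."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    if wrap_ttl:
        headers["X-Vault-Wrap-TTL"] = str(wrap_ttl)
    req = urllib.request.Request(url + path, data=json.dumps(payload or {}).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def approle_login(url, role_id, secret_id, mount_point="approle", wrap_ttl=None):
    """The request behind auth_approle(): POST /auth/<mount_point>/login."""
    return vault_post(url, "/v1/auth/%s/login" % mount_point,
                      {"role_id": role_id, "secret_id": secret_id}, wrap_ttl=wrap_ttl)


def cubbyhole_login(url, wrapping_token):
    """The request behind auth_cubbyhole(): unwrap with the wrapping token as
    X-Vault-Token and take auth.client_token from the wrapped response."""
    status, body = vault_post(url, "/v1/sys/wrapping/unwrap", token=wrapping_token)
    if status != 200:
        # A second unwrap of the same token fails. If the intended consumer sees
        # this, the token was already spent by someone else: treat the delivery
        # path as compromised rather than retrying.
        raise PermissionError("unwrap failed: %s" % body.get("errors"))
    return body["auth"]["client_token"]


if __name__ == "__main__":
    server, url = start_fake_vault()
    status, wrapped = approle_login(url, ROLE_ID, SECRET_ID, wrap_ttl=60)
    print("wrapped login:", status, wrapped)
    print("unwrapped token:", cubbyhole_login(url, wrapped["wrap_info"]["token"]))
    server.shutdown()
```

The point to notice is the failure branch in cubbyhole_login: because a wrapping token can be unwrapped exactly once, the unwrap failing for the legitimate consumer is a detection signal, not a transient error.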

auth_ec2(pkcs7, nonce=None, role=None, use_token=True, mount_point='aws-ec2')[source]
Call to deprecated function ‘auth_ec2’. This method will be removed in version ‘0.11.2’. Please use the ‘ec2_login’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Retrieve a Vault token using an AWS authentication method mount’s EC2 role.

Parameters
  • pkcs7 (str) – PKCS7 signature of the identity document with all newline characters removed.

  • nonce (str) – The nonce to be used for subsequent login requests. Vault remembers it per instance; a later login from the same instance with a different nonce is refused, which is what stops a copied identity document from being reused elsewhere.

  • role (str) – Name of the role against which the login is being attempted.

  • use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.

  • mount_point (str) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

auth_gcp(*args, **kwargs)[source]
Call to deprecated function ‘auth_gcp’. This method will be removed in version ‘0.9.0’. Please use the ‘login’ method on the ‘hvac.api.auth_methods.gcp’ class moving forward.

Docstring content from this method’s replacement copied below: Login to retrieve a Vault token via the GCP auth method.

This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature with Google Cloud to authenticate that entity and then authorizes the entity for the given role.

Supported methods:

POST: /auth/{mount_point}/login. Produces: 200 application/json

Parameters
  • role (str | unicode) – The name of the role against which the login is being attempted.

  • jwt (str | unicode) – A signed JSON web token.

  • use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

auth_github(*args, **kwargs)[source]
Call to deprecated function ‘auth_github’. This method will be removed in version ‘0.8.0’. Please use the ‘login’ method on the ‘hvac.api.auth_methods.github’ class moving forward.

Docstring content from this method’s replacement copied below: Login using GitHub access token.

Supported methods:

POST: /auth/{mount_point}/login. Produces: 200 application/json

Parameters
  • token (str | unicode) – GitHub personal API token.

  • use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the login request.

Return type

dict

auth_kubernetes(role, jwt, use_token=True, mount_point='kubernetes')[source]

POST /auth/<mount_point>/login

Parameters
  • role (str) – Name of the role against which the login is being attempted.

  • jwt (str) – Signed JSON Web Token (JWT) of the Kubernetes service account, normally read from /var/run/secrets/kubernetes.io/serviceaccount/token inside the pod.

  • use_token (bool) – If True, uses the token in the response received from the auth request to set the “token” attribute on the current Client class instance.

  • mount_point (str) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.

Returns

Parsed JSON response from the login POST request.

Return type

dict

auth_ldap(*args, **kwargs)[source]
Call to deprecated function ‘auth_ldap’. This method will be removed in version ‘0.8.0’. Please use the ‘login’ method on the ‘hvac.api.auth_methods.ldap’ class moving forward.

Docstring content from this method’s replacement copied below:

Log in with LDAP credentials.

Supported methods:

POST: /auth/{mount_point}/login/{username}. Produces: 200 application/json

Parameters
  • username (str | unicode) – The username of the LDAP user.

  • password (str | unicode) – The password for the LDAP user.

  • use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the _adapter Client attribute.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The response of the login request.

Return type

requests.Response

auth_tls(mount_point='cert', use_token=True)[source]

POST /auth/<mount point>/login

Log in with the TLS Certificates auth method. No credential is sent in the request body: Vault authenticates the client certificate presented during the TLS handshake, so the Client must have been constructed with the cert parameter (certificate and key), and that certificate must chain to one registered on the mount under auth/<mount point>/certs/<name>.

Parameters
  • mount_point (str) – The path the cert auth method was mounted on.

  • use_token (bool) – If True, the token in the login response is set as the Client’s token.

Returns

The (JSON decoded) response of the login request.

Return type

dict

auth_userpass(username, password, mount_point='userpass', use_token=True, **kwargs)[source]

POST /auth/<mount point>/login/<username>

Parameters
  • username (str) – The username to log in as; it forms the last path segment of the request.

  • password (str) – The user’s password, sent in the request body.

  • mount_point (str) – The path the userpass auth method was mounted on.

  • use_token (bool) – If True, the token in the login response is set as the Client’s token.

  • kwargs – Additional fields to include in the login request body.

Returns

The (JSON decoded) response of the login request.

Return type

dict

cancel_generate_root()[source]
Call to deprecated function ‘cancel_generate_root’. This method will be removed in version ‘0.9.0’. Please use the ‘cancel_root_generation’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Cancel any in-progress root generation attempt.

This clears any progress made. This must be called to change the OTP or PGP key being used.

Supported methods:

DELETE: /sys/generate-root/attempt. Produces: 204 (empty body)

Returns

The response of the request.

Return type

requests.Response

cancel_rekey()[source]
Call to deprecated function ‘cancel_rekey’. This method will be removed in version ‘0.9.0’. Please use the ‘cancel_rekey’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Cancel any in-progress rekey.

This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey.

Note: Verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.

Supported methods:

DELETE: /sys/rekey/init. Produces: 204 (empty body)

DELETE: /sys/rekey-recovery-key/init. Produces: 204 (empty body)

Parameters

recovery_key (bool) – If true, send requests to “rekey-recovery-key” instead of “rekey” api path.

Returns

The response of the request.

Return type

requests.Response

close()[source]

Call to deprecated function ‘close’. This method will be removed in version ‘0.8.0’. Please use the ‘close’ method on the ‘hvac.adapters’ class moving forward.

Docstring content from this method’s replacement copied below: Close the underlying Requests session.

create_app_id(app_id, policies, display_name=None, mount_point='app-id', **kwargs)[source]

POST /auth/<mount point>/map/app-id/<app_id>

Creates or updates an App ID mapping. The App ID auth method is deprecated in Vault in favor of AppRole; see auth_app_id.

Parameters
  • app_id (str) – The app ID to create or update.

  • policies – Policies to attach to tokens issued for this app ID.

  • display_name (str) – Optional display name recorded on issued tokens.

  • mount_point (str) – The path the App ID auth method was mounted on.

  • kwargs – Additional fields to include in the request body.

Returns

The response of the request.

Return type

requests.Response

create_ec2_role(role, bound_ami_id=None, bound_account_id=None, bound_iam_role_arn=None, bound_iam_instance_profile_arn=None, bound_ec2_instance_id=None, bound_region=None, bound_vpc_id=None, bound_subnet_id=None, role_tag=None, ttl=None, max_ttl=None, period=None, policies=None, allow_instance_migration=False, disallow_reauthentication=False, resolve_aws_unique_ids=None, mount_point='aws-ec2')[source]
Call to deprecated function ‘create_ec2_role’. This method will be removed in version ‘0.11.2’. Please use the ‘create_role’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Register a role in the method.

Parameters
  • role

  • auth_type

  • bound_ami_id

  • bound_account_id

  • bound_region

  • bound_vpc_id

  • bound_subnet_id

  • bound_iam_role_arn

  • bound_iam_instance_profile_arn

  • bound_ec2_instance_id

  • role_tag

  • bound_iam_principal_arn

  • inferred_entity_type

  • inferred_aws_region

  • resolve_aws_unique_ids

  • ttl

  • max_ttl

  • period

  • policies

  • allow_instance_migration

  • disallow_reauthentication

  • mount_point (str) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

create_ec2_role_tag(role, policies=None, max_ttl=None, instance_id=None, disallow_reauthentication=False, allow_instance_migration=False, mount_point='aws-ec2')[source]
Call to deprecated function ‘create_ec2_role_tag’. This method will be removed in version ‘0.11.2’. Please use the ‘create_role_tags’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Create a role tag on the role, which helps in restricting the capabilities that are set on the role.

Role tags are not tied to any specific ec2 instance unless specified explicitly using the instance_id parameter. By default, role tags are designed to be used across all instances that satisfy the constraints on the role. Regardless of which instances have role tags on them, capabilities defined in a role tag must be a strict subset of the given role’s capabilities.

Note that, since adding and removing a tag is often a widely distributed privilege, care needs to be taken to ensure that instances are attached with the correct tags so that they do not gain more privileges than intended. If a role tag is changed, the capabilities inherited by the instance will be those defined on the new role tag. Since those must be a subset of the role capabilities, the role should never provide more capabilities than any given instance can be allowed to gain in a worst-case scenario.

Parameters
  • role (str) – Name of the role.

  • policies (list) – Policies to be associated with the tag. If set, must be a subset of the role’s policies. If set, but set to an empty value, only the ‘default’ policy will be given to issued tokens.

  • max_ttl (str) – The maximum allowed lifetime of tokens issued using this role.

  • instance_id (str) – Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

  • disallow_reauthentication (bool) – If set, only allows a single token to be granted per instance ID. This can be cleared with the auth/aws/identity-whitelist endpoint. Defaults to ‘false’. Mutually exclusive with allow_instance_migration.

  • allow_instance_migration (bool) – If set, allows migration of the underlying instance where the client resides. This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered time. Use with caution. Defaults to ‘false’. Mutually exclusive with disallow_reauthentication.

  • mount_point (str) – The path the AWS auth method was mounted on.

Returns

The create role tag response.

Return type

dict

create_kubernetes_configuration(kubernetes_host, kubernetes_ca_cert=None, token_reviewer_jwt=None, pem_keys=None, mount_point='kubernetes')[source]

POST /auth/<mount_point>/config

Parameters
  • kubernetes_host (str) – A host:port pair, or a URL to the base of the Kubernetes API server.

  • kubernetes_ca_cert (str) – PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

  • token_reviewer_jwt (str) – A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set, the JWT used for login will be used to access the API, which means every service account that logs in needs permission to create TokenReviews; a dedicated reviewer account keeps that permission off workload accounts.

  • pem_keys (list) – Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

  • mount_point (str) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.

Returns

Will be an empty body with a 204 status code upon success.

Return type

requests.Response

create_kubernetes_role(name, bound_service_account_names, bound_service_account_namespaces, ttl='', max_ttl='', period='', policies=None, token_type='', mount_point='kubernetes')[source]

POST /auth/<mount_point>/role/:name

Parameters
  • name (str) – Name of the role.

  • bound_service_account_names (list) – List of service account names able to access this role. If set to “*” all names are allowed; this and bound_service_account_namespaces cannot both be “*”.

  • bound_service_account_namespaces (list) – List of namespaces allowed to access this role. If set to “*” all namespaces are allowed; this and bound_service_account_names cannot both be “*”.

  • ttl (str) – The TTL of tokens issued using this role, as an integer number of seconds or a duration string such as “15m”.

  • max_ttl (str) – The maximum allowed lifetime of tokens issued using this role, in the same format.

  • period (str) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this parameter.

  • policies (list) – Policies to be set on tokens issued using this role.

  • token_type (str) – Type of token to issue: “service” (renewable, revocable, persisted) or “batch” (not renewable); an empty string leaves the choice to the mount’s configured default.

  • mount_point (str) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.

Returns

Will be an empty body with a 204 status code upon success.

Return type

requests.Response

create_role(role_name, mount_point='approle', **kwargs)[source]
Call to deprecated function ‘create_role’. This method will be removed in version ‘0.12.0’. Please use the ‘create_or_update_approle’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Create/update approle.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}. Produces: 204 (empty body)

Parameters
  • role_name (str | unicode) – The name for the approle.

  • bind_secret_id (bool) – Require secret_id to be presented when logging in using this approle.

  • secret_id_bound_cidrs (list) – Blocks of IP addresses which can perform login operations.

  • secret_id_num_uses (int) – Number of times any secret_id can be used to fetch a token. A value of zero allows unlimited uses.

  • secret_id_ttl (str | unicode) – Duration after which a secret_id expires. This can be specified as an integer number of seconds or as a duration value like “5m”.

  • enable_local_secret_ids (bool) – Secret IDs generated using role will be cluster local.

  • token_ttl (str | unicode) – Incremental lifetime for generated tokens. This can be specified as an integer number of seconds or as a duration value like “5m”.

  • token_max_ttl (str | unicode) – Maximum lifetime for generated tokens: This can be specified as an integer number of seconds or as a duration value like “5m”.

  • token_policies (list) – List of policies to encode onto generated tokens.

  • token_bound_cidrs (list) – Blocks of IP addresses which can authenticate successfully.

  • token_explicit_max_ttl (str | unicode) – If set, will encode an explicit max TTL onto the token. This can be specified as an integer number of seconds or as a duration value like “5m”.

  • token_no_default_policy (bool) – Do not add the default policy to generated tokens; use only the policies specified in token_policies.

  • token_num_uses (int) – Maximum number of times a generated token may be used. A value of zero allows unlimited uses.

  • token_period (str | unicode) – The period, if any, to set on the token. This can be specified as an integer number of seconds or as a duration value like “5m”.

  • token_type (str | unicode) – The type of token that should be generated, can be “service”, “batch”, or “default”.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
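
As an added example, not hvac's own code, of the AppRole settings listed above: a small Python audit that flags role definitions which make a leaked secret_id or token more dangerous, then writes the role through the replacement method named in the deprecation notice, client.auth.approle.create_or_update_approle (assumed available in hvac 0.10 or later; the policy name, CIDR block and role name are constructed placeholders).

```python
import re

# Vault accepts TTLs either as an integer number of seconds or as a Go-style
# duration string such as "5m" or "1h30m"; only the s/m/h units are handled here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
_DURATION_RE = re.compile(r"(\d+)([smh])")


def parse_duration(value):
    """Return the number of whole seconds denoted by a Vault duration value."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("unrecognised duration: %r" % (value,))
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def audit_approle(role):
    """Check an AppRole definition (the keyword arguments you would pass to
    create_or_update_approle) for settings that widen the blast radius of a
    leaked secret_id or token. Returns a list of findings; empty means it passed.
    """
    findings = []
    if not role.get("bind_secret_id", True):
        findings.append("bind_secret_id is False: the role_id alone is enough to log in")
    if role.get("secret_id_num_uses", 0) == 0:
        findings.append("secret_id_num_uses is 0: a leaked secret_id can be replayed without limit")
    if parse_duration(role.get("secret_id_ttl", 0)) == 0:
        findings.append("secret_id_ttl is 0: unused secret_ids never expire on their own")
    if not role.get("secret_id_bound_cidrs"):
        findings.append("secret_id_bound_cidrs is empty: logins are accepted from any source address")
    if not role.get("token_bound_cidrs"):
        findings.append("token_bound_cidrs is empty: issued tokens are usable from any source address")
    token_ttl = parse_duration(role.get("token_ttl", 0))
    token_max_ttl = parse_duration(role.get("token_max_ttl", 0))
    if token_ttl == 0:
        findings.append("token_ttl is 0: the mount's default TTL applies instead of an explicit one")
    if token_max_ttl and token_ttl > token_max_ttl:
        findings.append("token_ttl exceeds token_max_ttl: Vault clamps it, so state the intended value")
    if role.get("token_period"):
        findings.append("token_period is set: periodic tokens renew indefinitely and have no maximum TTL "
                        "unless token_explicit_max_ttl is also set")
    return findings


def hardened_approle(policies, source_cidrs):
    """A constructed baseline for a batch workload: one-shot, short-lived secret_ids,
    CIDR-bound login and tokens, explicit TTLs and no implicit default policy."""
    return {
        "bind_secret_id": True,
        "secret_id_bound_cidrs": list(source_cidrs),
        "secret_id_num_uses": 1,
        "secret_id_ttl": "10m",
        "token_bound_cidrs": list(source_cidrs),
        "token_policies": list(policies),
        "token_no_default_policy": True,
        "token_ttl": "20m",
        "token_max_ttl": "1h",
        "token_type": "service",
    }


def apply_approle(client, role_name, role, mount_point="approle"):
    """Write the role via client.auth.approle.create_or_update_approle (assumed
    hvac >= 0.10), refusing to do so while the audit still reports findings."""
    findings = audit_approle(role)
    if findings:
        raise ValueError("refusing to write role %r:\n  %s" % (role_name, "\n  ".join(findings)))
    return client.auth.approle.create_or_update_approle(
        role_name=role_name, mount_point=mount_point, **role
    )


if __name__ == "__main__":
    import os
    import hvac  # assumption: hvac installed and VAULT_ADDR / VAULT_TOKEN exported

    client = hvac.Client(url=os.environ["VAULT_ADDR"], token=os.environ["VAULT_TOKEN"])
    # Show what a role created with only a policy list looks like to the audit.
    for finding in audit_approle({"token_policies": ["billing-reader"]}):
        print("weak default:", finding)
    # Constructed placeholder values; replace with your own policy and source network.
    apply_approle(client, "billing-batch", hardened_approle(["billing-reader"], ["10.20.30.0/24"]))
```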

create_role_custom_secret_id(role_name, secret_id, meta=None, mount_point='approle')[source]
Call to deprecated function ‘create_role_custom_secret_id’. This method will be removed in version ‘0.12.0’. Please use the ‘create_custom_secret_id’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Generates and issues a new Secret ID on a role in the auth method.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}/custom-secret-id. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role.

  • secret_id (str | unicode) – The Secret ID to read.

  • metadata (dict) – Metadata to be tied to the Secret ID.

  • cidr_list (list) – Blocks of IP addresses which can perform login operations.

  • token_bound_cidrs (list) – Blocks of IP addresses which can authenticate successfully.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the read_role_id request.

Return type

dict

create_role_secret_id(role_name, meta=None, cidr_list=None, token_bound_cidrs=None, wrap_ttl=None, mount_point='approle')[source]
Call to deprecated function ‘create_role_secret_id’. This method will be removed in version ‘0.12.0’. Please use the ‘generate_secret_id’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Generates and issues a new Secret ID on a role in the auth method.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}/secret-id. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role.

  • metadata (dict) – Metadata to be tied to the Secret ID.

  • cidr_list (list) – Blocks of IP addresses which can perform login operations.

  • token_bound_cidrs (list) – Blocks of IP addresses which can authenticate successfully.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the read_role_id request.

Return type

dict

create_token(role=None, token_id=None, policies=None, meta=None, no_parent=False, lease=None, display_name=None, num_uses=None, no_default_policy=False, ttl=None, orphan=False, wrap_ttl=None, renewable=None, explicit_max_ttl=None, period=None, token_type=None)[source]

POST /auth/token/create

POST /auth/token/create/<role>

POST /auth/token/create-orphan

Parameters
  • role

  • token_id

  • policies

  • meta

  • no_parent

  • lease

  • display_name

  • num_uses

  • no_default_policy

  • ttl

  • orphan

  • wrap_ttl

  • renewable

  • explicit_max_ttl

  • period

  • token_type

Returns

Return type

create_token_role(role, allowed_policies=None, disallowed_policies=None, orphan=None, period=None, renewable=None, path_suffix=None, explicit_max_ttl=None)[source]

POST /auth/token/roles/<role>

Parameters
  • role

  • allowed_policies

  • disallowed_policies

  • orphan

  • period

  • renewable

  • path_suffix

  • explicit_max_ttl

Returns

Return type

create_user_id(user_id, app_id, cidr_block=None, mount_point='app-id', **kwargs)[source]

POST /auth/<mount point>/map/user-id/<user_id>

Parameters
  • user_id

  • app_id

  • cidr_block

  • mount_point

  • kwargs

Returns

Return type

create_userpass(username, password, policies, mount_point='userpass', **kwargs)[source]

POST /auth/<mount point>/users/<username>

Parameters
  • username

  • password

  • policies

  • mount_point

  • kwargs

Returns

Return type

create_vault_ec2_certificate_configuration(cert_name, aws_public_cert, mount_point='aws-ec2')[source]
Call to deprecated function ‘create_vault_ec2_certificate_configuration’. This method will be removed in version ‘0.11.2’. Please use the ‘create_certificate_configuration’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Register AWS public key to be used to verify the instance identity documents.

While the PKCS#7 signature of the identity documents has a DSA digest, the identity signature has an RSA digest, so the public keys for the two document types differ. Indicate the type of the public key using the “type” parameter.

Supported methods:

POST: /auth/{mount_point}/config/certificate/:cert_name. Produces: 204 (empty body)

Parameters
  • cert_name (string | unicode) – Name of the certificate.

  • aws_public_cert – Base64 encoded AWS public key required to verify the PKCS7 signature of the EC2 instance metadata.

  • document_type (string | unicode) – Takes the value of either “pkcs7” or “identity”, indicating the type of document which can be verified using the given certificate.

  • mount_point (str | unicode) – The path the AWS auth method was mounted on.

Returns

The response of the request

Return type

request.Response

create_vault_ec2_client_configuration(access_key, secret_key, endpoint=None, mount_point='aws-ec2')[source]
Call to deprecated function ‘create_vault_ec2_client_configuration’. This method will be removed in version ‘0.11.2’. Please use the ‘configure’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Configure the credentials required to perform API calls to AWS as well as custom endpoints to talk to AWS API.

The instance identity document fetched from the PKCS#7 signature will provide the EC2 instance ID. The credentials configured using this endpoint will be used to query the status of the instances via the DescribeInstances API. If static credentials are not provided using this endpoint, the credentials will be retrieved from the environment variables AWS_ACCESS_KEY, AWS_SECRET_KEY and AWS_REGION respectively. If the credentials are still not found and the method is configured on an EC2 instance with metadata querying capabilities, the credentials are fetched automatically.

Supported methods:

POST: /auth/{mount_point}/config. Produces: 204 (empty body)

Parameters
  • max_retries (int) – Number of max retries the client should use for recoverable errors. The default (-1) falls back to the AWS SDK’s default behavior.

  • access_key (str | unicode) – AWS Access key with permissions to query AWS APIs. The permissions required depend on the specific configurations. If using the iam auth method without inferencing, then no credentials are necessary. If using the ec2 auth method or using the iam auth method with inferencing, then these credentials need access to ec2:DescribeInstances. If additionally a bound_iam_role is specified, then these credentials also need access to iam:GetInstanceProfile. If, however, an alternate sts configuration is set for the target account, then the credentials must be permissioned to call sts:AssumeRole on the configured role, and that role must have the permissions described here.

  • secret_key (str | unicode) – AWS Secret key with permissions to query AWS APIs.

  • endpoint (str | unicode) – URL to override the default generated endpoint for making AWS EC2 API calls.

  • iam_endpoint (str | unicode) – URL to override the default generated endpoint for making AWS IAM API calls.

  • sts_endpoint (str | unicode) – URL to override the default generated endpoint for making AWS STS API calls.

  • iam_server_id_header_value (str | unicode) – The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. If not set, then no value is required or validated. If set, clients must include an X-Vault-AWS-IAM-Server-ID header in the headers of login requests, and further this header must be among the signed headers validated by AWS. This is to protect against different types of replay attacks, for example a signed request sent to a dev server being resent to a production server.

  • mount_point (str | unicode) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

delete(path)[source]

DELETE /<path>

Parameters

path

Returns

Return type

delete_app_id(app_id, mount_point='app-id')[source]

DELETE /auth/<mount_point>/map/app-id/<app_id>

Parameters
  • app_id

  • mount_point

Returns

Return type

delete_ec2_role(role, mount_point='aws-ec2')[source]
Call to deprecated function ‘delete_ec2_role’. This method will be removed in version ‘0.11.2’. Please use the ‘delete_role’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Deletes the previously registered role.

Parameters
  • role

  • mount_point (str) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

delete_kubernetes_role(role, mount_point='kubernetes')[source]

DELETE /auth/<mount_point>/role/:role

Parameters
  • role (str) – Name of the role.

  • mount_point (str) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.

Returns

Will be an empty body with a 204 status code upon success.

Return type

requests.Response.

delete_policy(name)[source]
Call to deprecated function ‘delete_policy’. This method will be removed in version ‘0.9.0’. Please use the ‘delete_policy’ method on the ‘hvac.api.system_backend.policy’ class moving forward.

Docstring content from this method’s replacement copied below: Delete the policy with the given name.

This will immediately affect all users associated with this policy.

Supported methods:

DELETE: /sys/policy/{name}. Produces: 204 (empty body)

Parameters

name (str | unicode) – Specifies the name of the policy to delete.

Returns

The response of the request.

Return type

requests.Response

delete_role(role_name, mount_point='approle')[source]
Call to deprecated function ‘delete_role’. This method will be removed in version ‘0.12.0’. Please use the ‘delete_role’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Delete role in the auth method.

Supported methods:

DELETE: /auth/{mount_point}/role/{role_name}. Produces: 204 (empty body)

Parameters
  • role_name (str | unicode) – The name for the role.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

delete_role_secret_id(role_name, secret_id, mount_point='approle')[source]
Call to deprecated function ‘delete_role_secret_id’. This method will be removed in version ‘0.12.0’. Please use the ‘destroy_secret_id’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Destroys a Secret ID for a role in the auth method.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}/secret-id/destroy. Produces 204 (empty body)

Parameters
  • role_name (str | unicode) – The name for the role

  • secret_id (str | unicode) – The Secret ID to read.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

delete_role_secret_id_accessor(role_name, secret_id_accessor, mount_point='approle')[source]
Call to deprecated function ‘delete_role_secret_id_accessor’. This method will be removed in version ‘0.12.0’. Please use the ‘destroy_secret_id_accessor’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Destroys a Secret ID for a role in the auth method.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}/secret-id-accessor/destroy. Produces: 204 (empty body)

Parameters
  • role_name (str | unicode) – The name for the role

  • secret_id_accessor (str | unicode) – The accessor for the Secret ID to read.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

delete_token_role(role)[source]

Deletes the named token role.

Parameters

role

Returns

Return type

delete_user_id(user_id, mount_point='app-id')[source]

DELETE /auth/<mount_point>/map/user-id/<user_id>

Parameters
  • user_id

  • mount_point

Returns

Return type

delete_userpass(username, mount_point='userpass')[source]

DELETE /auth/<mount point>/users/<username>

Parameters
  • username

  • mount_point

Returns

Return type

delete_vault_ec2_client_configuration(mount_point='aws-ec2')[source]
Call to deprecated function ‘delete_vault_ec2_client_configuration’. This method will be removed in version ‘0.11.2’. Please use the ‘delete_config’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Delete previously configured AWS access credentials.

Supported methods:

DELETE: /auth/{mount_point}/config. Produces: 204 (empty body)

Parameters

mount_point (str | unicode) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

disable_audit_backend(name)[source]
Call to deprecated function ‘disable_audit_backend’. This method will be removed in version ‘0.9.0’. Please use the ‘disable_audit_device’ method on the ‘hvac.api.system_backend.audit’ class moving forward.

Docstring content from this method’s replacement copied below: Disable the audit device at the given path.

Supported methods:

DELETE: /sys/audit/{path}. Produces: 204 (empty body)

Parameters

path (str | unicode) – The path of the audit device to delete. This is part of the request URL.

Returns

The response of the request.

Return type

requests.Response

disable_auth_backend(mount_point)[source]
Call to deprecated function ‘disable_auth_backend’. This method will be removed in version ‘0.9.0’. Please use the ‘disable_auth_method’ method on the ‘hvac.api.system_backend.auth’ class moving forward.

Docstring content from this method’s replacement copied below: Disable the auth method at the given auth path.

Supported methods:

DELETE: /sys/auth/{path}. Produces: 204 (empty body)

Parameters

path (str | unicode) – The path the method was mounted on. If not provided, defaults to the value of the “method_type” argument.

Returns

The response of the request.

Return type

requests.Response

disable_secret_backend(mount_point)[source]
Call to deprecated function ‘disable_secret_backend’. This method will be removed in version ‘0.9.0’. Please use the ‘disable_secrets_engine’ method on the ‘hvac.api.system_backend.mount’ class moving forward.

Docstring content from this method’s replacement copied below: Disable the mount point specified by the provided path.

Supported methods:

DELETE: /sys/mounts/{path}. Produces: 204 (empty body)

Parameters

path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.

Returns

The response of the request.

Return type

requests.Response

enable_audit_backend(backend_type, description=None, options=None, name=None)[source]
Call to deprecated function ‘enable_audit_backend’. This method will be removed in version ‘0.9.0’. Please use the ‘enable_audit_device’ method on the ‘hvac.api.system_backend.audit’ class moving forward.

Docstring content from this method’s replacement copied below: Enable a new audit device at the supplied path.

The path can be a single word name or a more complex, nested path.

Supported methods:

PUT: /sys/audit/{path}. Produces: 204 (empty body)

Parameters
  • device_type (str | unicode) – Specifies the type of the audit device.

  • description (str | unicode) – Human-friendly description of the audit device.

  • options (str | unicode) – Configuration options to pass to the audit device itself. This is dependent on the audit device type.

  • path (str | unicode) – Specifies the path in which to enable the audit device. This is part of the request URL.

  • local (bool) – Specifies if the audit device is local only.

Returns

The response of the request.

Return type

requests.Response

enable_auth_backend(backend_type, description=None, mount_point=None, config=None, plugin_name=None)[source]
Call to deprecated function ‘enable_auth_backend’. This method will be removed in version ‘0.9.0’. Please use the ‘enable_auth_method’ method on the ‘hvac.api.system_backend.auth’ class moving forward.

Docstring content from this method’s replacement copied below: Enable a new auth method.

After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix.

Supported methods:

POST: /sys/auth/{path}. Produces: 204 (empty body)

Parameters
  • method_type (str | unicode) – The name of the authentication method type, such as “github” or “token”.

  • description (str | unicode) – A human-friendly description of the auth method.

  • config (dict) –

    Configuration options for this auth method. These are the possible values:

    • default_lease_ttl: The default lease duration, specified as a string duration like “5s” or “30m”.

    • max_lease_ttl: The maximum lease duration, specified as a string duration like “5s” or “30m”.

    • audit_non_hmac_request_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.

    • audit_non_hmac_response_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.

    • listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint.

    • passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request to the backend.

  • plugin_name (str | unicode) – The name of the auth plugin to use based from the name in the plugin catalog. Applies only to plugin methods.

  • local (bool) – <Vault enterprise only> Specifies if the auth method is local only. Local auth methods are not replicated nor (if a secondary) removed by replication.

  • path (str | unicode) – The path to mount the method on. If not provided, defaults to the value of the “method_type” argument.

  • kwargs (dict) – All dicts are accepted and passed to vault. See your specific secret engine for details on which extra key-word arguments you might want to pass.

Returns

The response of the request.

Return type

requests.Response

enable_secret_backend(backend_type, description=None, mount_point=None, config=None, options=None)[source]
Call to deprecated function ‘enable_secret_backend’. This method will be removed in version ‘0.9.0’. Please use the ‘enable_secrets_engine’ method on the ‘hvac.api.system_backend.mount’ class moving forward.

Docstring content from this method’s replacement copied below: Enable a new secrets engine at the given path.

Supported methods:

POST: /sys/mounts/{path}. Produces: 204 (empty body)

Parameters
  • backend_type (str | unicode) – The name of the backend type, such as “github” or “token”.

  • path (str | unicode) – The path to mount the method on. If not provided, defaults to the value of the “backend_type” argument.

  • description (str | unicode) – A human-friendly description of the mount.

  • config (dict) –

    Configuration options for this mount. These are the possible values:

    • default_lease_ttl: The default lease duration, specified as a string duration like “5s” or “30m”.

    • max_lease_ttl: The maximum lease duration, specified as a string duration like “5s” or “30m”.

    • force_no_cache: Disable caching.

    • plugin_name: The name of the plugin in the plugin catalog to use.

    • audit_non_hmac_request_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.

    • audit_non_hmac_response_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.

    • listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. (“unauth” or “hidden”)

    • passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request to the backend.

  • options (dict) –

    Specifies mount type specific options that are passed to the backend.

    • version: <KV> The version of the KV to mount. Set to “2” for mount KV v2.

  • plugin_name (str | unicode) – Specifies the name of the plugin to use based from the name in the plugin catalog. Applies only to plugin backends.

  • local (bool) – <Vault enterprise only> Specifies if the mount is local only. Local mounts are not replicated nor (if a secondary) removed by replication.

  • seal_wrap (bool) – <Vault enterprise only> Enable seal wrapping for the mount.

  • kwargs (dict) – All dicts are accepted and passed to vault. See your specific secret engine for details on which extra key-word arguments you might want to pass.

Returns

The response of the request.

Return type

requests.Response

generate_root(key, nonce)[source]
Call to deprecated function ‘generate_root’. This method will be removed in version ‘0.9.0’. Please use the ‘generate_root’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Enter a single master key share to progress the root generation attempt.

If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call.

Supported methods:

PUT: /sys/generate-root/update. Produces: 200 application/json

Parameters
  • key (str | unicode) – Specifies a single master key share.

  • nonce (str | unicode) – The nonce of the attempt.

Returns

The JSON response of the request.

Return type

dict

property generate_root_status

get_app_id(app_id, mount_point='app-id', wrap_ttl=None)[source]

GET /auth/<mount_point>/map/app-id/<app_id>

Parameters
  • app_id

  • mount_point

  • wrap_ttl

Returns

Return type

get_auth_backend_tuning(backend_type, mount_point=None)[source]
Call to deprecated function ‘get_auth_backend_tuning’. This method will be removed in version ‘0.9.0’. Please use the ‘read_auth_method_tuning’ method on the ‘hvac.api.system_backend.auth’ class moving forward.

Docstring content from this method’s replacement copied below: Read the given auth path’s configuration.

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Supported methods:

GET: /sys/auth/{path}/tune. Produces: 200 application/json

Parameters

path (str | unicode) – The path the method was mounted on. If not provided, defaults to the value of the “method_type” argument.

Returns

The JSON response of the request.

Return type

dict

get_backed_up_keys()[source]
Call to deprecated function ‘get_backed_up_keys’. This method will be removed in version ‘0.9.0’. Please use the ‘read_backup_keys’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Retrieve the backup copy of PGP-encrypted unseal keys.

The returned value is the nonce of the rekey operation and a map of PGP key fingerprint to hex-encoded PGP-encrypted key.

Supported methods:

PUT: /sys/rekey/backup. Produces: 200 application/json

PUT: /sys/rekey-recovery-key/backup. Produces: 200 application/json

Parameters

recovery_key (bool) – If true, send requests to “rekey-recovery-key” instead of “rekey” api path.

Returns

The JSON response of the request.

Return type

dict

get_ec2_role(role, mount_point='aws-ec2')[source]
Call to deprecated function ‘get_ec2_role’. This method will be removed in version ‘0.11.2’. Please use the ‘read_role’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Returns the previously registered role configuration.

Parameters
  • role

  • mount_point (str) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

get_kubernetes_configuration(mount_point='kubernetes')[source]

GET /auth/<mount_point>/config

Parameters

mount_point (str) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.

Returns

Parsed JSON response from the config GET request.

Return type

dict.

get_kubernetes_role(name, mount_point='kubernetes')[source]

GET /auth/<mount_point>/role/:name

Parameters
  • name (str) – Name of the role.

  • mount_point (str) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.

Returns

Parsed JSON response from the read role GET request.

Return type

dict.

get_policy(name, parse=False)[source]

Retrieve the policy body for the named policy.

Parameters
  • name (str | unicode) – The name of the policy to retrieve.

  • parse (bool) – Specifies whether to parse the policy body using pyhcl or not.

Returns

The (optionally parsed) policy body for the specified policy.

Return type

str | dict

get_role(role_name, mount_point='approle')[source]
Call to deprecated function ‘get_role’. This method will be removed in version ‘0.12.0’. Please use the ‘read_role’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Read role in the auth method.

Supported methods:

GET: /auth/{mount_point}/role/{role_name}. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the read_role request.

Return type

dict

get_role_id(role_name, mount_point='approle')[source]
Call to deprecated function ‘get_role_id’. This method will be removed in version ‘0.12.0’. Please use the ‘read_role_id’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Reads the Role ID of a role in the auth method.

Supported methods:

GET: /auth/{mount_point}/role/{role_name}/role-id. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the read_role_id request.

Return type

dict

get_role_secret_id(role_name, secret_id, mount_point='approle')[source]
Call to deprecated function ‘get_role_secret_id’. This method will be removed in version ‘0.12.0’. Please use the ‘read_secret_id’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Read the properties of a Secret ID for a role in the auth method.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}/secret-id/lookup. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role

  • secret_id (str | unicode) – The Secret ID to read.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the read_role_id request.

Return type

dict

get_role_secret_id_accessor(role_name, secret_id_accessor, mount_point='approle')[source]
Call to deprecated function ‘get_role_secret_id_accessor’. This method will be removed in version ‘0.12.0’. Please use the ‘read_secret_id_accessor’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Read the properties of a Secret ID for a role in the auth method.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}/secret-id-accessor/lookup. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role

  • secret_id_accessor (str | unicode) – The accessor for the Secret ID to read.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the read_role_id request.

Return type

dict

get_secret_backend_tuning(backend_type, mount_point=None)[source]
Call to deprecated function ‘get_secret_backend_tuning’. This method will be removed in version ‘0.9.0’. Please use the ‘read_mount_configuration’ method on the ‘hvac.api.system_backend.mount’ class moving forward.

Docstring content from this method’s replacement copied below: Read the given mount’s configuration.

Unlike the mounts endpoint, this will return the current time in seconds for each TTL, which may be the system default or a mount-specific value.

Supported methods:

GET: /sys/mounts/{path}/tune. Produces: 200 application/json

Parameters

path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.

Returns

The JSON response of the request.

Return type

requests.Response

get_user_id(user_id, mount_point='app-id', wrap_ttl=None)[source]

GET /auth/<mount_point>/map/user-id/<user_id>

Parameters
  • user_id

  • mount_point

  • wrap_ttl

Returns

Return type

get_vault_ec2_certificate_configuration(cert_name, mount_point='aws-ec2')[source]
Call to deprecated function ‘get_vault_ec2_certificate_configuration’. This method will be removed in version ‘0.11.2’. Please use the ‘read_certificate_configuration’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Return previously configured AWS public key.

Supported methods:

GET: /v1/auth/{mount_point}/config/certificate/:cert_name. Produces: 200 application/json

Parameters
  • cert_name (str | unicode) – Name of the certificate.

  • mount_point – The path the AWS auth method was mounted on.

Returns

The data key from the JSON response of the request.

Return type

dict

get_vault_ec2_client_configuration(mount_point='aws-ec2')[source]
Call to deprecated function ‘get_vault_ec2_client_configuration’. This method will be removed in version ‘0.11.2’. Please use the ‘read_config’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Read previously configured AWS access credentials.

Supported methods:

GET: /auth/{mount_point}/config. Produces: 200 application/json

Parameters

mount_point (str | unicode) – The path the AWS auth method was mounted on.

Returns

The data key from the JSON response of the request.

Return type

dict

property ha_status

Read the high availability status and current leader instance of Vault.

Returns

The JSON response returned by read_leader_status()

Return type

dict

initialize(secret_shares=5, secret_threshold=3, pgp_keys=None)[source]
Call to deprecated function ‘initialize’. This method will be removed in version ‘0.9.0’. Please use the ‘initialize’ method on the ‘hvac.api.system_backend.init’ class moving forward.

Docstring content from this method’s replacement copied below: Initialize a new Vault.

The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM.

Supported methods:

PUT: /sys/init. Produces: 200 application/json

Parameters
  • secret_shares (int) – The number of shares to split the master key into.

  • secret_threshold (int) – Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.

  • pgp_keys (list) – List of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.

  • root_token_pgp_key (str | unicode) – Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.

  • stored_shares (int) – <enterprise only> Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.

  • recovery_shares (int) – <enterprise only> Specifies the number of shares to split the recovery key into.

  • recovery_threshold (int) – <enterprise only> Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.

  • recovery_pgp_keys (list) – <enterprise only> Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.

Returns

The JSON response of the request.

Return type

dict
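A worked example of driving initialize() safely, added here by the editor and not taken from hvac: it converts ASCII-armored PGP keys into the base64 form that pgp_keys expects, checks the share and threshold constraints before the request is sent, and refuses to run against a Vault that is already initialized. `client` is assumed to be a connected hvac.Client; the helper names are the editor's, and the key text in the block is constructed, not a real key.

```python
import base64
import binascii

# Added example around sys.initialize(). `client` is assumed to be a connected
# hvac.Client; all key material used with these helpers is constructed.

_ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
_ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def dearmor_pgp_key(key_text):
    """Return the base64 form of a PGP public key, which is what pgp_keys expects.

    Accepts an ASCII-armored key (the usual `gpg --export --armor` output) or a
    key that is already plain base64. Armor is removed by dropping the BEGIN/END
    lines, the "Header: value" block and the trailing "=XXXX" CRC-24 line; the
    remaining base64 lines are exactly the key's binary packets, re-joined.
    """
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key")
    if lines[0] == _ARMOR_BEGIN:
        if lines[-1] != _ARMOR_END:
            raise ValueError("armored key has no END line")
        body = lines[1:-1]
        if "" in body:  # armor headers end at the first blank line
            body = body[body.index("") + 1:]
        # A base64 line never starts with "=", so that prefix identifies the CRC line.
        b64 = "".join(line for line in body if line and not line.startswith("="))
    else:
        b64 = "".join(lines)
    try:
        base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key is not valid base64 after de-armoring")
    return b64


def init_parameters(secret_shares, secret_threshold, armored_keys):
    """Build the keyword arguments for sys.initialize(), checking up front the
    constraints Vault enforces server-side: 1 <= threshold <= shares (and at
    least 2 whenever there is more than one share), plus exactly one PGP key per
    share so every unseal share is encrypted to a named key holder."""
    if secret_shares < 1 or not 1 <= secret_threshold <= secret_shares:
        raise ValueError("secret_threshold must satisfy 1 <= threshold <= shares")
    if secret_shares > 1 and secret_threshold < 2:
        raise ValueError("a threshold of 1 is only accepted with a single share")
    if len(armored_keys) != secret_shares:
        raise ValueError("need exactly one PGP key per share, got %d for %d shares"
                         % (len(armored_keys), secret_shares))
    return {
        "secret_shares": secret_shares,
        "secret_threshold": secret_threshold,
        # Order is preserved: keys[i] in the response is encrypted to pgp_keys[i].
        "pgp_keys": [dearmor_pgp_key(key) for key in armored_keys],
    }


def initialize_vault(client, secret_shares, secret_threshold, armored_keys):
    """Initialize an uninitialized Vault and return the /sys/init response.

    The response carries the PGP-encrypted unseal shares (in pgp_keys order) and
    `root_token`. Hand each share to its key holder and revoke the root token as
    soon as a real auth method and policies are in place.
    """
    if client.sys.is_initialized():
        raise RuntimeError("Vault is already initialized; refusing to run init again")
    params = init_parameters(secret_shares, secret_threshold, armored_keys)
    return client.sys.initialize(**params)
```

Encrypting each share to a distinct holder's key is the point of pgp_keys: no single operator ever sees a threshold's worth of shares in the clear, and Vault never persists them.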

is_authenticated()[source]

Helper method which returns the authentication status of the client.

Returns

True if the client holds a token that Vault can look up (via lookup_token), False if it has no token or Vault rejects the lookup.

Return type

bool
is_initialized()[source]
Call to deprecated function ‘is_initialized’. This method will be removed in version ‘0.9.0’. Please use the ‘is_initialized’ method on the ‘hvac.api.system_backend.init’ class moving forward.

Docstring content from this method’s replacement copied below: Determine if Vault is initialized.

Returns

True if Vault is initialized, False otherwise.

Return type

bool

is_sealed()[source]
Call to deprecated function ‘is_sealed’. This method will be removed in version ‘0.9.0’. Please use the ‘is_sealed’ method on the ‘hvac.api.system_backend.seal’ class moving forward.

Docstring content from this method’s replacement copied below: Determine if Vault is sealed.

Returns

True if Vault is sealed, False otherwise.

Return type

bool

property key_status

GET /sys/key-status

Returns

Information about the current encryption key used by Vault.

Return type

dict

list(path)[source]

GET /<path>?list=true

Parameters

path (str | unicode) – Vault API path to list, without the leading /v1/.

Returns

Parsed JSON response of the list request, or None if the path does not exist.

Return type

dict

list_audit_backends()[source]
Call to deprecated function ‘list_audit_backends’. This method will be removed in version ‘0.9.0’. Please use the ‘list_enabled_audit_devices’ method on the ‘hvac.api.system_backend.audit’ class moving forward.

Docstring content from this method’s replacement copied below: List enabled audit devices.

It does not list all available audit devices. This endpoint requires sudo capability in addition to any path-specific capabilities.

Supported methods:

GET: /sys/audit. Produces: 200 application/json

Returns

JSON response of the request.

Return type

dict

list_auth_backends()[source]
Call to deprecated function ‘list_auth_backends’. This method will be removed in version ‘0.9.0’. Please use the ‘list_auth_methods’ method on the ‘hvac.api.system_backend.auth’ class moving forward.

Docstring content from this method’s replacement copied below: List all enabled auth methods.

Supported methods:

GET: /sys/auth. Produces: 200 application/json

Returns

The JSON response of the request.

Return type

dict

list_ec2_roles(mount_point='aws-ec2')[source]
Call to deprecated function ‘list_ec2_roles’. This method will be removed in version ‘0.11.2’. Please use the ‘list_roles’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: Lists all the roles that are registered with the method.

Parameters

mount_point (str) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

list_kubernetes_roles(mount_point='kubernetes')[source]

GET /auth/<mount_point>/role?list=true

Parameters

mount_point (str.) – The “path” the k8s auth backend was mounted on. Vault currently defaults to “kubernetes”.

Returns

Parsed JSON response from the list roles GET request.

Return type

dict.

list_policies()[source]
Call to deprecated function ‘list_policies’. This method will be removed in version ‘0.9.0’. Please use the ‘list_policies’ method on the ‘hvac.api.system_backend.policy’ class moving forward.

Docstring content from this method’s replacement copied below: List all configured policies.

Supported methods:

GET: /sys/policy. Produces: 200 application/json

Returns

The JSON response of the request.

Return type

dict

list_role_secrets(role_name, mount_point='approle')[source]
Call to deprecated function ‘list_role_secrets’. This method will be removed in version ‘0.12.0’. Please use the ‘list_secret_id_accessors’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Lists accessors of all issued Secret IDs for a role in the auth method.

Supported methods:

LIST: /auth/{mount_point}/role/{role_name}/secret-id. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the list_secret_id_accessors request.

Return type

dict

list_roles(mount_point='approle')[source]
Call to deprecated function ‘list_roles’. This method will be removed in version ‘0.12.0’. Please use the ‘list_roles’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

List existing roles created in the auth method.

Supported methods:

LIST: /auth/{mount_point}/role. Produces: 200 application/json

Parameters

mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the list_roles request.

Return type

dict

list_secret_backends()[source]
Call to deprecated function ‘list_secret_backends’. This method will be removed in version ‘0.9.0’. Please use the ‘list_mounted_secrets_engines’ method on the ‘hvac.api.system_backend.mount’ class moving forward.

Docstring content from this method’s replacement copied below: Lists all the mounted secrets engines.

Supported methods:

GET: /sys/mounts. Produces: 200 application/json

Returns

JSON response of the request.

Return type

dict

list_token_roles()[source]

GET /auth/token/roles?list=true

Returns

Parsed JSON response listing the names of the configured token roles, or None if no token roles exist.

Return type

dict

list_userpass(mount_point='userpass')[source]

GET /auth/<mount point>/users?list=true

Parameters

mount_point (str | unicode) – The path the userpass auth method was mounted on.

Returns

Parsed JSON response listing the configured usernames, or None if no users exist.

Return type

dict

list_vault_ec2_certificate_configurations(mount_point='aws-ec2')[source]
Call to deprecated function ‘list_vault_ec2_certificate_configurations’. This method will be removed in version ‘0.11.2’. Please use the ‘list_certificate_configurations’ method on the ‘hvac.api.auth_methods.aws’ class moving forward.

Docstring content from this method’s replacement copied below: List AWS public certificates that are registered with the method.

Supported methods

LIST: /auth/{mount_point}/config/certificates Produces: 200 application/json

Parameters

mount_point (str) – The path the AWS auth method was mounted on.

Returns

The response of the request.

Return type

requests.Response

login(url, use_token=True, **kwargs)[source]

Perform a login request.

The associated request is typically to a path prefixed with “/v1/auth”, and the client token sent in the resulting Vault response is optionally stored for use by the hvac.adapters.Adapter() instance under the Client’s _adapter attribute.

Parameters
  • url (str | unicode) – Path to send the authentication request to.

  • use_token (bool) – If True, uses the token in the response received from the auth request to set the “token” attribute on the hvac.adapters.Adapter() instance under the Client’s _adapter attribute.

  • kwargs (dict) – Additional keyword arguments to include in the params sent with the request.

Returns

The response of the auth request.

Return type

requests.Response

logout(revoke_token=False)[source]

Clears the token used for authentication, optionally revoking it before doing so.

Parameters

revoke_token (bool) – If True, revoke the current token via revoke_self_token() before clearing it, so a copy that has leaked cannot be reused. Otherwise the token stays valid in Vault until it expires or is revoked elsewhere.

Returns

None

Return type

None

lookup_token(token=None, accessor=False, wrap_ttl=None)[source]

GET /auth/token/lookup/<token>

GET /auth/token/lookup-accessor/<token-accessor>

GET /auth/token/lookup-self

Parameters
  • token (str | unicode) – The token to look up. If omitted, the client’s own token is looked up via lookup-self.

  • accessor (bool) – If True, treat token as a token accessor and use the lookup-accessor endpoint, which returns the token’s metadata without the caller ever handling the token value itself.

  • wrap_ttl (int) – If set, wrap the response in a cubbyhole token with this TTL in seconds instead of returning it directly.

Returns

Parsed JSON response containing the token’s metadata (policies, TTL, accessor, and so on).

Return type

dict

read(path, wrap_ttl=None)[source]

GET /<path>

Parameters
  • path (str | unicode) – Vault API path to read, without the leading /v1/.

  • wrap_ttl (int) – If set, wrap the response in a cubbyhole token with this TTL in seconds instead of returning the secret directly.

Returns

Parsed JSON response of the read request, or None if the path does not exist.

Return type

dict

read_lease(lease_id)[source]
Call to deprecated function ‘read_lease’. This method will be removed in version ‘0.9.0’. Please use the ‘read_lease’ method on the ‘hvac.api.system_backend.lease’ class moving forward.

Docstring content from this method’s replacement copied below: Retrieve lease metadata.

Supported methods:

PUT: /sys/leases/lookup. Produces: 200 application/json

Parameters

lease_id (str | unicode) – the ID of the lease to lookup.

Returns

Parsed JSON response from the leases PUT request

Return type

dict.

read_userpass(username, mount_point='userpass')[source]

GET /auth/<mount point>/users/<username>

Parameters
  • username

  • mount_point

Returns

Return type

rekey(key, nonce=None)[source]
Call to deprecated function ‘rekey’. This method will be removed in version ‘0.9.0’. Please use the ‘rekey’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Enter a single unseal key share (or, with recovery_key=True, a recovery key share) to progress the rekey of the Vault.

If the threshold number of key shares is reached, Vault will complete the rekey. Otherwise, this API must be called multiple times until that threshold is met. The nonce of the rekey operation must be provided with each call.

Supported methods:

PUT: /sys/rekey/update. Produces: 200 application/json

PUT: /sys/rekey-recovery-key/update. Produces: 200 application/json

Parameters
  • key (str | unicode) – Specifies a single recovery share key.

  • nonce (str | unicode) – Specifies the nonce of the rekey operation.

  • recovery_key (bool) – If true, send requests to “rekey-recovery-key” instead of “rekey” api path.

Returns

The JSON response of the request.

Return type

dict

rekey_multi(keys, nonce=None)[source]
Call to deprecated function ‘rekey_multi’. This method will be removed in version ‘0.9.0’. Please use the ‘rekey_multi’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Enter multiple unseal (or, with recovery_key=True, recovery) key shares to progress the rekey of the Vault.

If the threshold number of key shares is reached, Vault will complete the rekey.

Parameters
  • keys (list) – Specifies multiple recovery share keys.

  • nonce (str | unicode) – Specifies the nonce of the rekey operation.

  • recovery_key (bool) – If true, send requests to “rekey-recovery-key” instead of “rekey” api path.

Returns

The last response of the rekey request.

Return type

requests.Response

property rekey_status

Read the configuration and progress of the current rekey attempt (GET /sys/rekey/init).

Returns

The JSON response of the request.

Return type

dict

remount_secret_backend(from_mount_point, to_mount_point)[source]
Call to deprecated function ‘remount_secret_backend’. This method will be removed in version ‘0.9.0’. Please use the ‘move_backend’ method on the ‘hvac.api.system_backend.mount’ class moving forward.

Docstring content from this method’s replacement copied below: Move an already-mounted backend to a new mount point.

Supported methods:

POST: /sys/remount. Produces: 204 (empty body)

Parameters
  • from_path (str | unicode) – Specifies the previous mount point.

  • to_path (str | unicode) – Specifies the new destination mount point.

Returns

The response of the request.

Return type

requests.Response

renew_secret(lease_id, increment=None)[source]
Call to deprecated function ‘renew_secret’. This method will be removed in version ‘0.9.0’. Please use the ‘renew_lease’ method on the ‘hvac.api.system_backend.lease’ class moving forward.

Docstring content from this method’s replacement copied below: Renew a lease, requesting to extend the lease.

Supported methods:

PUT: /sys/leases/renew. Produces: 200 application/json

Parameters
  • lease_id (str | unicode) – The ID of the lease to extend.

  • increment (int) – The requested amount of time (in seconds) to extend the lease.

Returns

The JSON response of the request

Return type

dict

renew_self_token(increment=None, wrap_ttl=None)[source]

POST /auth/token/renew-self

Parameters
  • increment (int) – Requested extension of the client token’s TTL in seconds; Vault may grant less, bounded by the token’s max TTL.

  • wrap_ttl (int) – If set, wrap the response in a cubbyhole token with this TTL in seconds.

Returns

Parsed JSON response of the renew request.

Return type

dict

renew_token(token=None, increment=None, wrap_ttl=None)[source]

POST /auth/token/renew

POST /auth/token/renew-self

For calls expecting to hit the renew-self endpoint please use the “renew_self_token” method instead.

Parameters
  • token (str | unicode) – The token to renew. If omitted, the client’s own token is renewed via renew-self.

  • increment (int) – Requested extension of the token’s TTL in seconds; Vault may grant less, bounded by the token’s max TTL.

  • wrap_ttl (int) – If set, wrap the response in a cubbyhole token with this TTL in seconds.

Returns

Parsed JSON response of the renew request.

Return type

dict

revoke_secret(lease_id)[source]
Call to deprecated function ‘revoke_secret’. This method will be removed in version ‘0.9.0’. Please use the ‘revoke_lease’ method on the ‘hvac.api.system_backend.lease’ class moving forward.

Docstring content from this method’s replacement copied below: Revoke a lease immediately.

Supported methods:

PUT: /sys/leases/revoke. Produces: 204 (empty body)

Parameters

lease_id (str | unicode) – Specifies the ID of the lease to revoke.

Returns

The response of the request.

Return type

requests.Response
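An added example, not hvac’s own code, that uses renew_lease and revoke_lease together as a lease keeper: each renewal is scheduled at two thirds of the TTL Vault actually granted, a grant shorter than the requested increment signals that max_ttl is capping the lease, a non-renewable or zero-length grant ends the loop, and the lease is revoked on exit so the credential does not outlive the process. `client` is assumed to be an hvac.Client; ConstructedFakeClient replays scripted grants so the example runs offline, and the lease id, increment and grant values are illustrative.

```python
import time

# Added example around sys.renew_lease() / sys.revoke_lease(). `client` is
# assumed to be an hvac.Client; the fake client below is constructed so the
# example runs offline.


def next_renewal_delay(lease_duration):
    """Seconds to sleep before renewing again: two thirds of the granted TTL, so a
    transient Vault outage does not cost the lease, but never less than 1s."""
    return max(1, lease_duration * 2 // 3)


def keep_lease_alive(client, lease_id, increment, should_stop, sleep=time.sleep,
                     revoke_on_exit=True):
    """Renew `lease_id` until `should_stop()` is true or Vault will not renew further.

    Returns the list of lease_duration values Vault granted. A granted duration
    shorter than `increment` means max_ttl is capping the lease; once `renewable`
    is false the caller must request a fresh secret. On exit the lease is revoked
    (unless revoke_on_exit=False) so the credential does not outlive its user.
    """
    granted = []
    try:
        while not should_stop():
            resp = client.sys.renew_lease(lease_id=lease_id, increment=increment)
            ttl = int(resp["lease_duration"])
            granted.append(ttl)
            if not resp.get("renewable", False) or ttl <= 0:
                break
            sleep(next_renewal_delay(ttl))
    finally:
        if revoke_on_exit:
            client.sys.revoke_lease(lease_id=lease_id)
    return granted


class ConstructedFakeSystemBackend(object):
    """Stand-in for client.sys that replays a scripted sequence of granted TTLs."""

    def __init__(self, grants):
        self.grants = list(grants)
        self.renew_calls = []
        self.revoked = []

    def renew_lease(self, lease_id, increment=None):
        self.renew_calls.append((lease_id, increment))
        ttl = self.grants.pop(0)
        return {"lease_id": lease_id, "renewable": ttl > 0, "lease_duration": ttl}

    def revoke_lease(self, lease_id):
        self.revoked.append(lease_id)


class ConstructedFakeClient(object):
    def __init__(self, grants):
        self.sys = ConstructedFakeSystemBackend(grants)


def demo():
    """Scripted run: Vault grants 3600s, then only 1800s (max_ttl reached), then refuses.
    Returns (granted TTLs, sleep delays that would have been taken, revoked lease ids)."""
    client = ConstructedFakeClient(grants=[3600, 1800, 0])
    delays = []
    granted = keep_lease_alive(client, "database/creds/app/abc123", increment=3600,
                               should_stop=lambda: False, sleep=delays.append)
    return granted, delays, client.sys.revoked
```

The same pattern applies to the client’s own token with renew_self_token and revoke_self_token: renew early, treat a shrinking grant as a warning, and revoke rather than let the credential expire on its own.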

revoke_secret_prefix(path_prefix)[source]
Call to deprecated function ‘revoke_secret_prefix’. This method will be removed in version ‘0.9.0’. Please use the ‘revoke_lease’ method on the ‘hvac.api.system_backend.lease’ class moving forward.

Docstring content from this method’s replacement copied below: Revoke a lease immediately.

Supported methods:

PUT: /sys/leases/revoke. Produces: 204 (empty body)

Parameters

lease_id (str | unicode) – Specifies the ID of the lease to revoke.

Returns

The response of the request.

Return type

requests.Response

revoke_self_token()[source]

PUT /auth/token/revoke-self

Returns

The response of the revoke request (204, empty body).

Return type

requests.Response

revoke_token(token, orphan=False, accessor=False)[source]

POST /auth/token/revoke

POST /auth/token/revoke-orphan

POST /auth/token/revoke-accessor

Parameters
  • token (str | unicode) – The token (or, with accessor=True, the token accessor) to revoke.

  • orphan (bool) – If True, use revoke-orphan: revoke only this token and leave its child tokens alive as orphans. By default revoking a token also revokes every child token and the leases created with them.

  • accessor (bool) – If True, treat token as an accessor and use revoke-accessor, which lets an operator revoke a token they never saw (audit logs record accessors, not token values).

Returns

The response of the revoke request (204, empty body).

Return type

requests.Response

revoke_token_prefix(prefix)[source]

POST /auth/token/revoke-prefix/<prefix>

Parameters

prefix (str | unicode) – An auth mount path prefix (for example auth/userpass). Every token created under it, their child tokens, and the leases those tokens created are revoked.

Returns

The response of the revoke request (204, empty body).

Return type

requests.Response

rotate()[source]
Call to deprecated function ‘rotate’. This method will be removed in version ‘0.9.0’. Please use the ‘rotate_encryption_key’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Trigger a rotation of the backend encryption key.

This is the key that is used to encrypt data written to the storage backend, and is not provided to operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption keys.

This path requires sudo capability in addition to update.

Supported methods:

PUT: /sys/rotate. Produces: 204 (empty body)

Returns

The response of the request.

Return type

requests.Response

seal()[source]
Call to deprecated function ‘seal’. This method will be removed in version ‘0.9.0’. Please use the ‘seal’ method on the ‘hvac.api.system_backend.seal’ class moving forward.

Docstring content from this method’s replacement copied below: Seal the Vault.

In HA mode, only an active node can be sealed. Standby nodes should be restarted to get the same effect. Requires a token with root policy or sudo capability on the path.

Supported methods:

PUT: /sys/seal. Produces: 204 (empty body)

Returns

The response of the request.

Return type

requests.Response

property seal_status

Read the seal status of the Vault.

This is an unauthenticated endpoint.

Supported methods:

GET: /sys/seal-status. Produces: 200 application/json

Returns

The JSON response of the request.

Return type

dict

property secrets

Accessor for the Client instance’s secrets engines. Provided via the hvac.api.SecretsEngines class.

Returns

This Client instance’s associated SecretsEngines instance.

Return type

hvac.api.SecretsEngines

property session

The requests.Session used by the client’s adapter for all requests to Vault.

set_policy(name, rules)[source]
Call to deprecated function ‘set_policy’. This method will be removed in version ‘0.9.0’. Please use the ‘create_or_update_policy’ method on the ‘hvac.api.system_backend.policy’ class moving forward.

Docstring content from this method’s replacement copied below: Add a new or update an existing policy.

Once a policy is updated, it takes effect immediately to all associated users.

Supported methods:

PUT: /sys/policy/{name}. Produces: 204 (empty body)

Parameters
  • name (str | unicode) – Specifies the name of the policy to create.

  • policy (str | unicode | dict) – Specifies the policy document.

  • pretty_print (bool) – If True, and provided a dict for the policy argument, send the policy JSON to Vault with “pretty” formatting.

Returns

The response of the request.

Return type

requests.Response
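An added example, not from hvac, of building a policy document as a dict and vetting it before handing it to create_or_update_policy(): the generated policy grants only update on a single transit encrypt path (granting create as well would let the caller upsert a brand-new key with default settings, as the transit_encrypt_data docstring below describes), and a small review pass flags sudo or root capabilities and glob paths before anything is written. `client` is assumed to be an hvac.Client; ConstructedFakeClient records the write so the example runs offline, and the key and policy names are illustrative.

```python
# Added example around sys.create_or_update_policy(). `client` is assumed to be
# an hvac.Client; the fake client at the bottom is constructed so this runs offline.

RISKY_CAPABILITIES = ("sudo", "root")


def transit_app_policy(key_name, allow_decrypt=False):
    """Least-privilege policy for a service that encrypts with one transit key.

    Only `update` is granted on the encrypt path. With `create` as well, a
    mistyped key name would make Vault upsert a new key with default settings
    instead of failing; key creation stays with an operator policy.
    """
    rules = {"path": {"transit/encrypt/%s" % key_name: {"capabilities": ["update"]}}}
    if allow_decrypt:
        rules["path"]["transit/decrypt/%s" % key_name] = {"capabilities": ["update"]}
    return rules


def risky_grants(policy):
    """Return (path, finding) pairs a reviewer should question: sudo/root
    capabilities, or glob characters that widen a grant past a single path."""
    findings = []
    for path, spec in sorted(policy.get("path", {}).items()):
        for cap in spec.get("capabilities", []):
            if cap in RISKY_CAPABILITIES:
                findings.append((path, cap))
        if "*" in path or "+" in path:
            findings.append((path, "glob"))
    return findings


def install_policy(client, name, policy, acknowledge_findings=False):
    """Write `policy` under `name`, refusing unless any risky grants were acknowledged.
    The dict is sent pretty-printed so the stored JSON is readable in Vault's UI/CLI."""
    findings = risky_grants(policy)
    if findings and not acknowledge_findings:
        raise ValueError("policy %r has unacknowledged grants: %r" % (name, findings))
    return client.sys.create_or_update_policy(name=name, policy=policy, pretty_print=True)


class ConstructedFakeClient(object):
    """Records what would be sent to /sys/policy/<name>; constructed for offline use."""

    def __init__(self):
        self.written = {}
        self.sys = self  # mimics client.sys.create_or_update_policy(...)

    def create_or_update_policy(self, name, policy, pretty_print=False):
        self.written[name] = policy
        return {"name": name, "pretty_print": pretty_print}
```

Because an updated policy takes effect immediately for every token that carries it, the review step belongs before the write, not after.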

set_role_id(role_name, role_id, mount_point='approle')[source]
Call to deprecated function ‘set_role_id’. This method will be removed in version ‘0.12.0’. Please use the ‘update_role_id’ method on the ‘hvac.api.auth_methods.approle’ class moving forward.

Docstring content from this method’s replacement copied below:

Updates the Role ID of a role in the auth method.

Supported methods:

POST: /auth/{mount_point}/role/{role_name}/role-id. Produces: 200 application/json

Parameters
  • role_name (str | unicode) – The name for the role.

  • role_id (str | unicode) – New value for the Role ID.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the update_role_id request.

Return type

dict

start_generate_root(key, otp=False)[source]
Call to deprecated function ‘start_generate_root’. This method will be removed in version ‘0.9.0’. Please use the ‘start_root_token_generation’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Initialize a new root generation attempt.

Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required.

Supported methods:

PUT: /sys/generate-root/attempt. Produces: 200 application/json

Parameters
  • otp (str | unicode) – Specifies a base64-encoded 16-byte value. The raw bytes of the token will be XOR’d with this value before being returned to the final unseal key provider.

  • pgp_key (str | unicode) – Specifies a base64-encoded PGP public key. The raw bytes of the token will be encrypted with this value before being returned to the final unseal key provider.

Returns

The JSON response of the request.

Return type

dict

start_rekey(secret_shares=5, secret_threshold=3, pgp_keys=None, backup=False)[source]
Call to deprecated function ‘start_rekey’. This method will be removed in version ‘0.9.0’. Please use the ‘start_rekey’ method on the ‘hvac.api.system_backend.key’ class moving forward.

Docstring content from this method’s replacement copied below: Initializes a new rekey attempt.

Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.

Supported methods:

PUT: /sys/rekey/init. Produces: 204 (empty body)

PUT: /sys/rekey-recovery-key/init. Produces: 204 (empty body)

Parameters
  • secret_shares (int) – Specifies the number of shares to split the master key into.

  • secret_threshold (int) – Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares.

  • pgp_keys (list) – Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.

  • backup (bool) – Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys at core/unseal-keys-backup in the physical storage backend. These can then be retrieved and removed via the sys/rekey/backup endpoint.

  • require_verification (bool) – This turns on verification functionality. When verification is turned on, after successful authorization with the current unseal keys, the new unseal keys are returned but the master key is not actually rotated. The new keys must be provided to authorize the actual rotation of the master key. This ensures that the new keys have been successfully saved and protects against a risk of the keys being lost after rotation but before they can be persisted. This can be used with or without pgp_keys; when used with pgp_keys, it allows ensuring that the returned keys can be successfully decrypted before committing to the new shares, which the backup functionality does not provide.

  • recovery_key (bool) – If true, send requests to “rekey-recovery-key” instead of “rekey” api path.

Returns

The JSON dict of the response.

Return type

dict | requests.Response

property sys

Accessor for the Client instance’s system backend methods. Provided via the hvac.api.SystemBackend class.

Returns

This Client instance’s associated SystemBackend instance.

Return type

hvac.api.SystemBackend

property token

The Vault token the client’s adapter sends with each request. Settable; cleared by logout().

token_role(role)[source]

Returns the named token role.

Parameters

role (str | unicode) – Name of the token role to read.

Returns

Parsed JSON response for GET /auth/token/roles/<role>, or None if the role does not exist.

Return type

dict

transit_create_key(name, convergent_encryption=None, derived=None, exportable=None, key_type=None, mount_point='transit')[source]
Call to deprecated function ‘transit_create_key’. This method will be removed in version ‘0.9.0’. Please use the ‘create_key’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Create a new named encryption key of the specified type.

The values set here cannot be changed after key creation.

Supported methods:

POST: /{mount_point}/keys/{name}. Produces: 204 (empty body)

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to create. This is specified as part of the URL.

  • convergent_encryption (bool) – If enabled, the key will support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. When enabled, each encryption(/decryption/rewrap/datakey) operation will derive a nonce value rather than randomly generate it.

  • derived (bool) – Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this named key must provide a context which is used for key derivation.

  • exportable (bool) – Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.

  • allow_plaintext_backup (bool) – If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.

  • key_type (str | unicode) –

    Specifies the type of key to create. The currently-supported types are:

    • aes256-gcm96: AES-256 wrapped with GCM using a 96-bit nonce size AEAD

    • chacha20-poly1305: ChaCha20-Poly1305 AEAD (symmetric, supports derivation and convergent encryption)

    • ed25519: ED25519 (asymmetric, supports derivation).

    • ecdsa-p256: ECDSA using the P-256 elliptic curve (asymmetric)

    • ecdsa-p384: ECDSA using the P-384 elliptic curve (asymmetric)

    • ecdsa-p521: ECDSA using the P-521 elliptic curve (asymmetric)

    • rsa-2048: RSA with bit size of 2048 (asymmetric)

    • rsa-3072: RSA with bit size of 3072 (asymmetric)

    • rsa-4096: RSA with bit size of 4096 (asymmetric)

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The response of the request.

Return type

requests.Response

transit_decrypt_data(name, ciphertext, context=None, nonce=None, batch_input=None, mount_point='transit')[source]
Call to deprecated function ‘transit_decrypt_data’. This method will be removed in version ‘0.9.0’. Please use the ‘decrypt_data’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Decrypt the provided ciphertext using the named key.

Supported methods:

POST: /{mount_point}/decrypt/{name}. Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to decrypt against. This is specified as part of the URL.

  • ciphertext (str | unicode) – the ciphertext to decrypt.

  • context (str | unicode) – Specifies the base64 encoded context for key derivation. This is required if key derivation is enabled.

  • nonce (str | unicode) – Specifies a base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+.

  • batch_input (List[dict]) – Specifies a list of items to be decrypted in a single batch. When this parameter is set, the ‘ciphertext’, ‘context’ and ‘nonce’ parameters are ignored if also given. The format for the input is: [dict(context=”b64_context”, ciphertext=”vault:v1:…”), …]

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_delete_key(name, mount_point='transit')[source]
Call to deprecated function ‘transit_delete_key’. This method will be removed in version ‘0.9.0’. Please use the ‘delete_key’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Delete a named encryption key.

It will no longer be possible to decrypt any data encrypted with the named key. Because this is a potentially catastrophic operation, the deletion_allowed tunable must be set in the key’s /config endpoint.

Supported methods:

DELETE: /{mount_point}/keys/{name}. Produces: 204 (empty body)

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to delete. This is specified as part of the URL.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The response of the request.

Return type

requests.Response

transit_encrypt_data(name, plaintext, context=None, key_version=None, nonce=None, batch_input=None, key_type=None, convergent_encryption=None, mount_point='transit')[source]
Call to deprecated function ‘transit_encrypt_data’. This method will be removed in version ‘0.9.0’. Please use the ‘encrypt_data’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Encrypt the provided plaintext using the named key.

This path supports the create and update policy capabilities as follows: if the user has the create capability for this endpoint in their policies, and the key does not exist, it will be upserted with default values (whether the key requires derivation depends on whether the context parameter is empty or not). If the user only has update capability and the key does not exist, an error will be returned.

Supported methods:

POST: /{mount_point}/encrypt/{name}. Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to encrypt against. This is specified as part of the URL.

  • plaintext (str | unicode) – Specifies the base64 encoded plaintext to be encrypted.

  • context (str | unicode) – Specifies the base64 encoded context for key derivation. This is required if key derivation is enabled for this key.

  • key_version (int) – Specifies the version of the key to use for encryption. If not set, uses the latest version. Must be greater than or equal to the key’s min_encryption_version, if set.

  • nonce (str | unicode) – Specifies the base64 encoded nonce value. This must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is never reused.

  • batch_input (List[dict]) – Specifies a list of items to be encrypted in a single batch. When this parameter is set, if the parameters ‘plaintext’, ‘context’ and ‘nonce’ are also set, they will be ignored. The format for the input is: [dict(context=”b64_context”, plaintext=”b64_plaintext”), …]

  • type (str | unicode) – The type of key to create when this call upserts a key that does not yet exist (see above); ignored when the key already exists. The deprecated wrapper exposes this as key_type.

  • convergent_encryption (str | unicode) – This parameter will only be used when a key is expected to be created. Whether to support convergent encryption. This is only supported when using a key with key derivation enabled and will require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same ciphertext is generated. It is very important when using this mode that you ensure that all nonces are unique for a given context. Failing to do so will severely impact the ciphertext’s security.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict
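An added example (not hvac code) that serves both transit_decrypt_data and transit_encrypt_data above: byte-level wrappers that perform the base64 encoding Vault requires on the way in and decode it on the way out, pass a derivation context for derived keys, and check batch results item by item, since Vault reports per-item failures inside batch_results rather than failing the whole call. `transit` is assumed to be client.secrets.transit; ConstructedFakeTransit mimics the response shapes and the base64 and context rules only and encrypts nothing, and all key names, contexts and data are constructed.

```python
import base64

# Added example around transit encrypt_data()/decrypt_data(). `transit` is assumed
# to be client.secrets.transit; ConstructedFakeTransit is an offline stand-in that
# performs no real encryption.


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def _ctx(context):
    # Derived keys bind ciphertext to a context (e.g. a tenant id); Vault wants it base64 too.
    return _b64(context) if context is not None else None


def encrypt_bytes(transit, key_name, data, context=None, mount_point="transit"):
    """Encrypt raw bytes. Vault only accepts base64 plaintext, so the bytes are
    never passed straight through."""
    resp = transit.encrypt_data(name=key_name, plaintext=_b64(data),
                                context=_ctx(context), mount_point=mount_point)
    return resp["data"]["ciphertext"]


def decrypt_bytes(transit, key_name, ciphertext, context=None, mount_point="transit"):
    """Decrypt a transit ciphertext back to bytes. The response plaintext is base64."""
    if not ciphertext.startswith("vault:v"):
        raise ValueError("not a transit ciphertext (expected 'vault:v<N>:...')")
    resp = transit.decrypt_data(name=key_name, ciphertext=ciphertext,
                                context=_ctx(context), mount_point=mount_point)
    return base64.b64decode(resp["data"]["plaintext"])


def encrypt_batch(transit, key_name, items, mount_point="transit"):
    """Encrypt many (data, context) pairs in one request via batch_input.
    Per-item errors come back inside batch_results, so each result is checked."""
    batch = []
    for data, context in items:
        item = {"plaintext": _b64(data)}
        if context is not None:
            item["context"] = _b64(context)
        batch.append(item)
    # plaintext is ignored by Vault when batch_input is set (see the parameter docs above).
    resp = transit.encrypt_data(name=key_name, plaintext="", batch_input=batch,
                                mount_point=mount_point)
    ciphertexts = []
    for i, result in enumerate(resp["data"]["batch_results"]):
        if "error" in result:
            raise RuntimeError("batch item %d failed: %s" % (i, result["error"]))
        ciphertexts.append(result["ciphertext"])
    return ciphertexts


class ConstructedFakeTransit(object):
    """Mimics the request/response shapes plus the base64 and derivation rules of
    the transit engine. It stores plaintext by handle and encrypts nothing."""

    def __init__(self, derived_keys=()):
        self._derived = set(derived_keys)
        self._store = {}

    def _encrypt_one(self, name, plaintext, context):
        base64.b64decode(plaintext, validate=True)  # Vault rejects non-base64 plaintext
        if name in self._derived and not context:
            raise ValueError("missing context for derived key %s" % name)
        handle = len(self._store) + 1
        self._store[handle] = (name, plaintext, context)
        return "vault:v1:%d" % handle

    def encrypt_data(self, name, plaintext, context=None, batch_input=None,
                     mount_point="transit", **_):
        if batch_input is not None:
            results = []
            for item in batch_input:
                try:
                    results.append({"ciphertext": self._encrypt_one(
                        name, item["plaintext"], item.get("context"))})
                except ValueError as exc:
                    results.append({"error": str(exc)})
            return {"data": {"batch_results": results}}
        return {"data": {"ciphertext": self._encrypt_one(name, plaintext, context)}}

    def decrypt_data(self, name, ciphertext, context=None, mount_point="transit", **_):
        stored_name, plaintext, stored_context = self._store[int(ciphertext.split(":")[2])]
        if (stored_name, stored_context) != (name, context):
            raise ValueError("wrong key or context")  # the real engine answers HTTP 400
        return {"data": {"plaintext": plaintext}}


def roundtrip_demo():
    transit = ConstructedFakeTransit(derived_keys={"tenant-data"})
    ciphertext = encrypt_bytes(transit, "tenant-data", b"pan=4111111111111111", context=b"tenant-42")
    return decrypt_bytes(transit, "tenant-data", ciphertext, context=b"tenant-42")
```

A context mismatch on decrypt is a policy boundary, not just an error: a derived key with per-tenant contexts means a caller holding tenant A’s context cannot decrypt tenant B’s ciphertext even with the same transit key.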

transit_export_key(name, key_type, version=None, mount_point='transit')[source]
Call to deprecated function ‘transit_export_key’. This method will be removed in version ‘0.9.0’. Please use the ‘export_key’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Return the named key.

The keys object shows the value of the key for each version. If version is specified, the specific version will be returned. If latest is provided as the version, the current key will be provided. Depending on the type of key, different information may be returned. The key must be exportable to support this operation and the version must still be valid.

Supported methods:

GET: /{mount_point}/export/{key_type}/{name}(/{version}). Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the key to read information about. This is specified as part of the URL.

  • key_type (str | unicode) – Specifies the type of the key to export. This is specified as part of the URL. Valid values are: encryption-key, signing-key, hmac-key.

  • version (str | unicode) – Specifies the version of the key to read. If omitted, all versions of the key will be returned. If the version is set to latest, the current key will be returned.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_generate_data_key(name, key_type, context=None, nonce=None, bits=None, mount_point='transit')[source]
Call to deprecated function ‘transit_generate_data_key’. This method will be removed in version ‘0.9.0’. Please use the ‘generate_data_key’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Generates a new high-entropy key and the value encrypted with the named key.

Optionally return the plaintext of the key as well. Whether plaintext is returned depends on the path; as a result, you can use Vault ACL policies to control whether a user is allowed to retrieve the plaintext value of a key. This is useful if you want an untrusted user or operation to generate keys that are then made available to trusted users.

Supported methods:

POST: /{mount_point}/datakey/{key_type}/{name}. Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to use to encrypt the datakey. This is specified as part of the URL.

  • key_type (str | unicode) – Specifies the type of key to generate. If plaintext, the plaintext key will be returned along with the ciphertext. If wrapped, only the ciphertext value will be returned. This is specified as part of the URL.

  • context (str | unicode) – Specifies the key derivation context, provided as a base64-encoded string. This must be provided if derivation is enabled.

  • nonce (str | unicode) – Specifies a nonce value, provided as base64 encoded. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and thus, any given encryption key) this nonce value is never reused.

  • bits (int) – Specifies the number of bits in the desired key. Can be 128, 256, or 512.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_generate_hmac(name, hmac_input, key_version=None, algorithm=None, mount_point='transit')[source]
Call to deprecated function ‘transit_generate_hmac’. This method will be removed in version ‘0.9.0’ Please use the ‘generate_hmac’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Return the digest of given data using the specified hash algorithm and the named key.

The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, the latest (current) version will be used.

Supported methods:

POST: /{mount_point}/hmac/{name}(/{algorithm}). Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to generate hmac against. This is specified as part of the URL.

  • hash_input (str | unicode) – Specifies the base64 encoded input data. (In this deprecated wrapper's signature the same argument is named hmac_input.)

  • key_version (int) – Specifies the version of the key to use for the operation. If not set, uses the latest version. Must be greater than or equal to the key’s min_encryption_version, if set.

  • algorithm (str | unicode) – Specifies the hash algorithm to use. This can also be specified as part of the URL. Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_generate_rand_bytes(data_bytes=None, output_format=None, mount_point='transit')[source]
Call to deprecated function ‘transit_generate_rand_bytes’. This method will be removed in version ‘0.9.0’ Please use the ‘generate_random_bytes’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Return high-quality random bytes of the specified length.

Supported methods:

POST: /{mount_point}/random(/{bytes}). Produces: 200 application/json

Parameters
  • n_bytes (int) – Specifies the number of bytes to return. This value can be specified either in the request body, or as a part of the URL. (In this deprecated wrapper's signature the same argument is named data_bytes.)

  • output_format (str | unicode) – Specifies the output encoding. Valid options are hex or base64.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_hash_data(hash_input, algorithm=None, output_format=None, mount_point='transit')[source]
Call to deprecated function ‘transit_hash_data’. This method will be removed in version ‘0.9.0’ Please use the ‘hash_data’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Return the cryptographic hash of given data using the specified algorithm.

Supported methods:

POST: /{mount_point}/hash(/{algorithm}). Produces: 200 application/json

Parameters
  • hash_input (str | unicode) – Specifies the base64 encoded input data.

  • algorithm (str | unicode) – Specifies the hash algorithm to use. This can also be specified as part of the URL. Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512

  • output_format (str | unicode) – Specifies the output encoding. This can be either hex or base64.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_list_keys(mount_point='transit')[source]
Call to deprecated function ‘transit_list_keys’. This method will be removed in version ‘0.9.0’ Please use the ‘list_keys’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: List keys (if there are any).

Only the key names are returned (not the actual keys themselves).

An exception is thrown if there are no keys.

Supported methods:

LIST: /{mount_point}/keys. Produces: 200 application/json

Parameters

mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_read_key(name, mount_point='transit')[source]
Call to deprecated function ‘transit_read_key’. This method will be removed in version ‘0.9.0’ Please use the ‘read_key’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Read information about a named encryption key.

The keys object shows the creation time of each key version; the values are not the keys themselves. Depending on the type of key, different information may be returned, e.g. an asymmetric key will return its public key in a standard format for the type.

Supported methods:

GET: /{mount_point}/keys/{name}. Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to read. This is specified as part of the URL.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the read_key request.

Return type

dict

transit_rewrap_data(name, ciphertext, context=None, key_version=None, nonce=None, batch_input=None, mount_point='transit')[source]
Call to deprecated function ‘transit_rewrap_data’. This method will be removed in version ‘0.9.0’ Please use the ‘rewrap_data’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Rewrap the provided ciphertext using the latest version of the named key.

Because this never returns plaintext, it is possible to delegate this functionality to untrusted users or scripts.

Supported methods:

POST: /{mount_point}/rewrap/{name}. Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to re-encrypt against. This is specified as part of the URL.

  • ciphertext (str | unicode) – Specifies the ciphertext to re-encrypt.

  • context (str | unicode) – Specifies the base64 encoded context for key derivation. This is required if key derivation is enabled.

  • key_version (int) – Specifies the version of the key to use for the operation. If not set, uses the latest version. Must be greater than or equal to the key’s min_encryption_version, if set.

  • nonce (str | unicode) – Specifies a base64 encoded nonce value used during encryption. Must be provided if convergent encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+.

  • batch_input (List[dict]) – Specifies a list of items to be decrypted in a single batch. When this parameter is set, if the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format for the input goes like this: [dict(context="b64_context", ciphertext="b64_plaintext"), ...]

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict

transit_rotate_key(name, mount_point='transit')[source]
Call to deprecated function ‘transit_rotate_key’. This method will be removed in version ‘0.9.0’ Please use the ‘rotate_key’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Rotate the version of the named key.

After rotation, new plaintext requests will be encrypted with the new version of the key. To upgrade ciphertext to be encrypted with the latest version of the key, use the rewrap endpoint. This is only supported with keys that support encryption and decryption operations.

Supported methods:

POST: /{mount_point}/keys/{name}/rotate. Produces: 204 (empty body)

Parameters
  • name (str | unicode) – Specifies the name of the key to read information about. This is specified as part of the URL.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The response of the request.

Return type

requests.Response

transit_sign_data(name, input_data, key_version=None, algorithm=None, context=None, prehashed=None, mount_point='transit', signature_algorithm='pss')[source]
Call to deprecated function ‘transit_sign_data’. This method will be removed in version ‘0.9.0’ Please use the ‘sign_data’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Return the cryptographic signature of the given data using the named key and the specified hash algorithm.

The key must be of a type that supports signing.

Supported methods:

POST: /{mount_point}/sign/{name}(/{hash_algorithm}). Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to use for signing. This is specified as part of the URL.

  • hash_input (str | unicode) – Specifies the base64 encoded input data. (In this deprecated wrapper's signature the same argument is named input_data.)

  • key_version (int) – Specifies the version of the key to use for signing. If not set, uses the latest version. Must be greater than or equal to the key’s min_encryption_version, if set.

  • hash_algorithm (str | unicode) – Specifies the hash algorithm to use for supporting key types (notably, not including ed25519 which specifies its own hash algorithm). This can also be specified as part of the URL. Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512

  • context (str | unicode) – Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.

  • prehashed (bool) – Set to true when the input is already hashed. If the key type is rsa-2048 or rsa-4096, then the algorithm used to hash the input should be indicated by the hash_algorithm parameter. Just as the value to sign should be the base64-encoded representation of the exact binary data you want signed, when set, input is expected to be base64-encoded binary hashed data, not hex-formatted. (As an example, on the command line, you could generate a suitable input via openssl dgst -sha256 -binary | base64.)

  • signature_algorithm (str | unicode) – When using a RSA key, specifies the RSA signature algorithm to use for signing. Supported signature types are: pss, pkcs1v15

  • marshaling_algorithm (str | unicode) – Specifies the way in which the signature should be marshaled. This currently only applies to ECDSA keys. Supported types are: asn1, jws

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict
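The prehashed parameter above trips people up because transit wants the base64 encoding of the raw digest bytes, not of the hex digest. The following is an added example (not hvac's own code) that builds the input the way `openssl dgst -sha256 -binary | base64` does, validates it against the expected digest length before the request is sent, and assembles the keyword arguments for a sign_data call; the key name "app-signing" and the helper names are hypothetical.

```python
import base64
import hashlib

# Transit hash_algorithm values mapped to the hashlib name and the digest
# length in bytes each one produces.
HASH_ALGORITHMS = {
    "sha2-224": ("sha224", 28),
    "sha2-256": ("sha256", 32),
    "sha2-384": ("sha384", 48),
    "sha2-512": ("sha512", 64),
}


def prehashed_input(data, hash_algorithm="sha2-256"):
    """Digest `data` and base64-encode the raw digest bytes.

    Python equivalent of `openssl dgst -sha256 -binary | base64`: transit
    expects the binary digest, not its hex representation.
    """
    hashlib_name, _ = HASH_ALGORITHMS[hash_algorithm]
    digest = hashlib.new(hashlib_name, data).digest()
    return base64.b64encode(digest).decode("ascii")


def hex_digest_input(data, hash_algorithm="sha2-256"):
    """The common mistake: base64 of the *hex* digest string.

    Included only so the validator below can show it being rejected.
    """
    hashlib_name, _ = HASH_ALGORITHMS[hash_algorithm]
    hex_digest = hashlib.new(hashlib_name, data).hexdigest().encode("ascii")
    return base64.b64encode(hex_digest).decode("ascii")


def validate_prehashed_input(hash_input, hash_algorithm="sha2-256"):
    """Return True when `hash_input` is valid base64 whose decoded length is
    exactly the digest size for `hash_algorithm`.

    A base64-encoded hex digest decodes to twice the expected length
    (64 bytes for sha2-256) and is rejected here, client-side.
    """
    _, digest_len = HASH_ALGORITHMS[hash_algorithm]
    try:
        raw = base64.b64decode(hash_input, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == digest_len


def build_sign_request(name, data, hash_algorithm="sha2-256", signature_algorithm="pss"):
    """Assemble keyword arguments for a prehashed sign_data call, using the
    parameter names from the docstring above (hypothetical usage:
    client.secrets.transit.sign_data(**build_sign_request(...))).

    Nothing is sent here; the request is only built and checked.
    """
    hash_input = prehashed_input(data, hash_algorithm)
    if not validate_prehashed_input(hash_input, hash_algorithm):
        raise ValueError("prehashed input does not match %s digest length" % hash_algorithm)
    return {
        "name": name,
        "hash_input": hash_input,
        "hash_algorithm": hash_algorithm,
        "prehashed": True,
        "signature_algorithm": signature_algorithm,
    }
```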

transit_update_key(name, min_decryption_version=None, min_encryption_version=None, deletion_allowed=None, mount_point='transit')[source]
Call to deprecated function ‘transit_update_key’. This method will be removed in version ‘0.9.0’ Please use the ‘update_key_configuration’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Tune configuration values for a given key.

These values are returned during a read operation on the named key.

Supported methods:

POST: /{mount_point}/keys/{name}/config. Produces: 204 (empty body)

Parameters
  • name (str | unicode) – Specifies the name of the encryption key to update configuration for.

  • min_decryption_version (int) – Specifies the minimum version of ciphertext allowed to be decrypted. Adjusting this as part of a key rotation policy can prevent old copies of ciphertext from being decrypted, should they fall into the wrong hands. For signatures, this value controls the minimum version of signature that can be verified against. For HMACs, this controls the minimum version of a key allowed to be used as the key for verification.

  • min_encryption_version (int) – Specifies the minimum version of the key that can be used to encrypt plaintext, sign payloads, or generate HMACs. Must be 0 (which will use the latest version) or a value greater or equal to min_decryption_version.

  • deletion_allowed (bool) – Specifies if the key is allowed to be deleted.

  • exportable (bool) – Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled.

  • allow_plaintext_backup (bool) – If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled.

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The response of the request.

Return type

requests.Response

transit_verify_signed_data(name, input_data, algorithm=None, signature=None, hmac=None, context=None, prehashed=None, mount_point='transit', signature_algorithm='pss')[source]
Call to deprecated function ‘transit_verify_signed_data’. This method will be removed in version ‘0.9.0’ Please use the ‘verify_signed_data’ method on the ‘hvac.api.secrets_engines.transit’ class moving forward.

Docstring content from this method’s replacement copied below: Return whether the provided signature is valid for the given data.

Supported methods:

POST: /{mount_point}/verify/{name}(/{hash_algorithm}). Produces: 200 application/json

Parameters
  • name (str | unicode) – Specifies the name of the encryption key that was used to generate the signature or HMAC.

  • hash_input (str | unicode) – Specifies the base64 encoded input data. (In this deprecated wrapper's signature the same argument is named input_data.)

  • signature (str | unicode) – Specifies the signature output from the /transit/sign function. Either this must be supplied or hmac must be supplied.

  • hmac (str | unicode) – Specifies the signature output from the /transit/hmac function. Either this must be supplied or signature must be supplied.

  • hash_algorithm (str | unicode) – Specifies the hash algorithm to use. This can also be specified as part of the URL. Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512

  • context (str | unicode) – Base64 encoded context for key derivation. Required if key derivation is enabled; currently only available with ed25519 keys.

  • prehashed (bool) – Set to true when the input is already hashed. If the key type is rsa-2048 or rsa-4096, then the algorithm used to hash the input should be indicated by the hash_algorithm parameter.

  • signature_algorithm (str | unicode) – When using a RSA key, specifies the RSA signature algorithm to use for signature verification. Supported signature types are: pss, pkcs1v15

  • marshaling_algorithm (str | unicode) – Specifies the way in which the signature should be marshaled. This currently only applies to ECDSA keys. Supported types are: asn1, jws

  • mount_point (str | unicode) – The “path” the method/backend was mounted on.

Returns

The JSON response of the request.

Return type

dict
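An added example (not hvac's or Vault's own code) that ties together the export (hmac-key) endpoint, generate_hmac, the min_decryption_version setting from update_key_configuration, and verify_signed_data(hmac=...): an offline verifier for a transit-format HMAC built from an exported key, which refuses versions the key's policy has retired. It assumes transit's HMAC output looks like `vault:v<key version>:<base64 mac>` and that an hmac-key export holds the raw HMAC key per version; the key bytes, key configuration and record are constructed.

```python
import base64
import hashlib
import hmac
import re

# Transit hash algorithm names mapped to hashlib names.
HASH_ALGORITHMS = {"sha2-224": "sha224", "sha2-256": "sha256",
                   "sha2-384": "sha384", "sha2-512": "sha512"}

# Assumed shape of a transit HMAC string: vault:v<key version>:<base64 mac>.
_HMAC_RE = re.compile(r"^vault:v(\d+):([A-Za-z0-9+/]+={0,2})$")

# Constructed stand-ins for the `keys` map of an export_key(key_type="hmac-key")
# response and for the version policy reported by read_key; the bytes are made up.
EXPORTED_KEYS = {
    "1": base64.b64encode(bytes(range(32))).decode("ascii"),
    "2": base64.b64encode(bytes(range(32, 64))).decode("ascii"),
}
KEY_CONFIG = {"latest_version": 2, "min_decryption_version": 2}


def b64(data):
    """Base64-encode raw bytes the way the hash_input parameter expects."""
    return base64.b64encode(data).decode("ascii")


def compute_transit_hmac(exported_keys, version, hash_input, algorithm="sha2-256"):
    """Compute the HMAC transit would return for base64 `hash_input` under key `version`."""
    key = base64.b64decode(exported_keys[str(version)])
    mac = hmac.new(key, base64.b64decode(hash_input), HASH_ALGORITHMS[algorithm]).digest()
    return "vault:v%d:%s" % (version, base64.b64encode(mac).decode("ascii"))


def verify_transit_hmac(exported_keys, key_config, hash_input, hmac_value, algorithm="sha2-256"):
    """Offline equivalent of verify_signed_data(hmac=...); returns (ok, reason).

    Applies the policy described for min_decryption_version: an HMAC made with
    a key version below it is refused even if the bytes would match.
    """
    match = _HMAC_RE.match(hmac_value)
    if not match:
        return False, "malformed hmac string"
    version = int(match.group(1))
    min_version = key_config["min_decryption_version"]
    if version < min_version:
        return False, "key version %d is below min_decryption_version %d" % (version, min_version)
    if str(version) not in exported_keys:
        return False, "key version %d not present in export" % version
    expected = compute_transit_hmac(exported_keys, version, hash_input, algorithm)
    # Constant-time comparison so a mismatch does not leak where the MAC diverges.
    if not hmac.compare_digest(expected.encode("ascii"), hmac_value.encode("ascii")):
        return False, "hmac mismatch"
    return True, "ok"
```

Rotating the key and then raising min_decryption_version to the new version is what makes the `v1` case below fail; lowering it again re-admits the old version.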

tune_auth_backend(backend_type, mount_point=None, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility='', passthrough_request_headers=None)[source]
Call to deprecated function ‘tune_auth_backend’. This method will be removed in version ‘0.9.0’ Please use the ‘tune_auth_method’ method on the ‘hvac.api.system_backend.auth’ class moving forward.

Docstring content from this method’s replacement copied below: Tune configuration parameters for a given auth path.

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Supported methods:

POST: /sys/auth/{path}/tune. Produces: 204 (empty body)

Parameters
  • path (str | unicode) – The path the method was mounted on. If not provided, defaults to the value of the “method_type” argument.

  • default_lease_ttl (int) – Specifies the default time-to-live. If set on a specific auth path, this overrides the global default.

  • max_lease_ttl (int) – The maximum time-to-live. If set on a specific auth path, this overrides the global default.

  • description (str | unicode) – Specifies the description of the mount. This overrides the current stored value, if any.

  • audit_non_hmac_request_keys (array) – Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.

  • audit_non_hmac_response_keys (list) – Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.

  • listing_visibility (list) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “”.

  • passthrough_request_headers (list) – List of headers to whitelist and pass from the request to the backend.

  • kwargs (dict) – All dicts are accepted and passed to vault. See your specific secret engine for details on which extra key-word arguments you might want to pass.

Returns

The response of the request.

Return type

requests.Response

tune_secret_backend(backend_type, mount_point=None, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None)[source]
Call to deprecated function ‘tune_secret_backend’. This method will be removed in version ‘0.9.0’ Please use the ‘tune_mount_configuration’ method on the ‘hvac.api.system_backend.mount’ class moving forward.

Docstring content from this method’s replacement copied below: Tune configuration parameters for a given mount point.

Supported methods:

POST: /sys/mounts/{path}/tune. Produces: 204 (empty body)

Parameters
  • path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.

  • mount_point (str) – The path the associated secret backend is mounted

  • description (str) – Specifies the description of the mount. This overrides the current stored value, if any.

  • default_lease_ttl (int) – Default time-to-live. This overrides the global default. A value of 0 is equivalent to the system default TTL.

  • max_lease_ttl (int) – Maximum time-to-live. This overrides the global default. A value of 0 is equivalent to the system max TTL.

  • audit_non_hmac_request_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.

  • audit_non_hmac_response_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.

  • listing_visibility (str) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “”.

  • passthrough_request_headers (str) – Comma-separated list of headers to whitelist and pass from the request to the backend.

  • options (dict) –

    Specifies mount type specific options that are passed to the backend.

    • version: <KV> The version of the KV to mount. Set to “2” to mount KV v2.

  • force_no_cache (bool) – Disable caching.

  • kwargs (dict) – All dicts are accepted and passed to vault. See your specific secret engine for details on which extra key-word arguments you might want to pass.

Returns

The response from the request.

Return type

requests.Response

unseal(key)[source]
Call to deprecated function ‘unseal’. This method will be removed in version ‘0.9.0’ Please use the ‘submit_unseal_key’ method on the ‘hvac.api.system_backend.seal’ class moving forward.

Docstring content from this method’s replacement copied below: Enter a single master key share to progress the unsealing of the Vault.

If the threshold number of master key shares is reached, Vault will attempt to unseal the Vault. Otherwise, this API must be called multiple times until that threshold is met.

Either the key or reset parameter must be provided; if both are provided, reset takes precedence.

Supported methods:

PUT: /sys/unseal. Produces: 200 application/json

Parameters
  • key (str | unicode) – Specifies a single master key share. This is required unless reset is true.

  • reset (bool) – Specifies if previously-provided unseal keys are discarded and the unseal process is reset.

  • migrate (bool) – Available in 1.0 Beta - Used to migrate the seal from shamir to autoseal or autoseal to shamir. Must be provided on all unseal key calls.

Returns

The JSON response of the request.

Return type

dict

unseal_multi(keys)[source]
Call to deprecated function ‘unseal_multi’. This method will be removed in version ‘0.9.0’ Please use the ‘submit_unseal_keys’ method on the ‘hvac.api.system_backend.seal’ class moving forward.

Docstring content from this method’s replacement copied below: Enter multiple master key shares to progress the unsealing of the Vault.

Parameters
  • keys (List[str]) – List of master key shares.

  • migrate (bool) – Available in 1.0 Beta - Used to migrate the seal from shamir to autoseal or autoseal to shamir. Must be provided on all unseal key calls.

Returns

The JSON response of the last unseal request.

Return type

dict

unseal_reset()[source]
Call to deprecated function ‘unseal_reset’. This method will be removed in version ‘0.9.0’ Please use the ‘submit_unseal_key’ method on the ‘hvac.api.system_backend.seal’ class moving forward.

Docstring content from this method’s replacement copied below: Enter a single master key share to progress the unsealing of the Vault.

If the threshold number of master key shares is reached, Vault will attempt to unseal the Vault. Otherwise, this API must be called multiple times until that threshold is met.

Either the key or reset parameter must be provided; if both are provided, reset takes precedence.

Supported methods:

PUT: /sys/unseal. Produces: 200 application/json

Parameters
  • key (str | unicode) – Specifies a single master key share. This is required unless reset is true.

  • reset (bool) – Specifies if previously-provided unseal keys are discarded and the unseal process is reset.

  • migrate (bool) – Available in 1.0 Beta - Used to migrate the seal from shamir to autoseal or autoseal to shamir. Must be provided on all unseal key calls.

Returns

The JSON response of the request.

Return type

dict

unwrap(token=None)[source]
Call to deprecated function ‘unwrap’. This method will be removed in version ‘0.9.0’ Please use the ‘unwrap’ method on the ‘hvac.api.system_backend.wrapping’ class moving forward.

Docstring content from this method’s replacement copied below: Return the original response inside the given wrapping token.

Unlike simply reading cubbyhole/response (which is deprecated), this endpoint provides additional validation checks on the token, returns the original value on the wire rather than a JSON string representation of it, and ensures that the response is properly audit-logged.

Supported methods:

POST: /sys/wrapping/unwrap. Produces: 200 application/json

Parameters

token (str | unicode) – Specifies the wrapping token ID. This is required if the client token is not the wrapping token. Do not use the wrapping token in both locations.

Returns

The JSON response of the request.

Return type

dict

update_userpass_password(username, password, mount_point='userpass')[source]

POST /auth/<mount point>/users/<username>/password

Parameters
  • username

  • password

  • mount_point

Returns

Return type

update_userpass_policies(username, policies, mount_point='userpass')[source]

POST /auth/<mount point>/users/<username>/policies

Parameters
  • username

  • policies

  • mount_point

Returns

Return type

property url
static urljoin(*args, **kwargs)[source]
Call to deprecated function ‘urljoin’. This method will be removed in version ‘0.8.0’ Please use the ‘urljoin’ method on the ‘hvac.adapters’ class moving forward.

Docstring content from this method’s replacement copied below: Joins given arguments into a url. Trailing and leading slashes are stripped for each argument.

Parameters

args (str | unicode) – Multiple parts of a URL to be combined into one string.

Returns

Full URL combining all provided arguments

Return type

str | unicode

write(path, wrap_ttl=None, **kwargs)[source]

POST /<path>

Parameters
  • path

  • wrap_ttl

  • kwargs

Returns

Return type