AWSΒΆ

Configure Root IAM CredentialsΒΆ

Source reference: hvac.api.secrets_engines.Aws.configure_root_iam_credentials()

import os

import hvac
client = hvac.Client()

# The root IAM credentials are the long-lived keys Vault itself uses to create
# and delete the short-lived credentials it hands out. Read them from the
# environment rather than hardcoding them. The IAM user behind them needs
# permission to manage the users, policies and access keys Vault will create;
# once configured, rotate them (see "Rotate Root IAM Credentials") so that only
# Vault knows the secret key.
client.secrets.aws.configure_root_iam_credentials(
    access_key=os.getenv('AWS_ACCESS_KEY_ID'),
    secret_key=os.getenv('AWS_SECRET_ACCESS_KEY'),
)

Rotate Root IAM CredentialsΒΆ

Source reference: hvac.api.secrets_engines.Aws.rotate_root_iam_credentials()

import hvac
client = hvac.Client()

# Vault creates a new access key for the root IAM user, stores it, and deletes
# the old one in AWS. Because AWS allows at most two access keys per IAM user,
# the user must have a free slot, and nothing outside Vault may still depend on
# the old key once this call returns.
client.secrets.aws.rotate_root_iam_credentials()

Configure LeaseΒΆ

Source reference: hvac.api.secrets_engines.Aws.configure_lease()

import hvac
client = hvac.Client()

# Vault's config/lease endpoint requires both values: the default TTL for
# generated iam_user credentials and the hard maximum a caller may renew up to.
# (STS credentials are governed by the role's default_sts_ttl / max_sts_ttl
# instead.)
client.secrets.aws.configure_lease(
    lease='300s',       # default lease TTL: 300 seconds / 5 minutes
    lease_max='3600s',  # maximum lease TTL: 1 hour
)

Read LeaseΒΆ

Source reference: hvac.api.secrets_engines.Aws.read_lease()

import hvac
client = hvac.Client()

read_lease_response = client.secrets.aws.read_lease()
print('The current "lease_max" TTL is: {lease_max}'.format(
    lease_max=read_lease_response['data']['lease_max'],
))
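The lease and lease_max values above are Go-style duration strings, and Vault reads them back in its own normalised form ("5m0s", "1h0m0s"). The following is an added example, not part of hvac or of this page's original code: it parses those durations, refuses a lease that exceeds lease_max before anything is written, and reads the setting back so the caller can check what is actually in effect. FakeClient is a constructed in-memory stand-in for hvac.Client used so the example runs without a Vault server; parse_duration and configure_lease_checked are names chosen here, not hvac API.

```python
import re
import types

# Vault accepts Go-style duration strings ("300s", "5m", "1h30m", "5m0s") or a
# bare number of seconds for lease settings.
_DURATION_RE = re.compile(r'(\d+)([hms])')
_UNIT_SECONDS = {'h': 3600, 'm': 60, 's': 1}


def parse_duration(value):
    """Return the number of seconds in a Vault duration string or integer."""
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = _DURATION_RE.findall(text)
    # Require the whole string to be consumed so "5 minutes" or "1h!" is rejected.
    if not parts or ''.join(num + unit for num, unit in parts) != text:
        raise ValueError('unrecognised duration: {!r}'.format(value))
    return sum(int(num) * _UNIT_SECONDS[unit] for num, unit in parts)


def configure_lease_checked(client, lease, lease_max, mount_point='aws'):
    """Validate the TTL pair locally, write it via hvac, and read it back.

    Returns (lease, lease_max) in seconds as the server reports them.
    """
    lease_s, lease_max_s = parse_duration(lease), parse_duration(lease_max)
    if lease_s <= 0 or lease_max_s <= 0:
        raise ValueError('lease TTLs must be positive')
    if lease_s > lease_max_s:
        raise ValueError('lease ({}s) exceeds lease_max ({}s)'.format(lease_s, lease_max_s))
    client.secrets.aws.configure_lease(
        lease=lease,
        lease_max=lease_max,
        mount_point=mount_point,
    )
    data = client.secrets.aws.read_lease(mount_point=mount_point)['data']
    return parse_duration(data['lease']), parse_duration(data['lease_max'])


class FakeClient:
    """Constructed stand-in for hvac.Client (not hvac's code) so this runs offline.

    It only implements the two calls used above and stores what it is given;
    a real Vault server would return normalised strings such as "5m0s".
    """

    def __init__(self):
        self._lease = None
        self.secrets = types.SimpleNamespace(aws=self)

    def configure_lease(self, lease, lease_max, mount_point='aws'):
        self._lease = {'lease': lease, 'lease_max': lease_max}

    def read_lease(self, mount_point='aws'):
        return {'data': dict(self._lease)}


if __name__ == '__main__':
    import hvac  # real client; reads VAULT_ADDR / VAULT_TOKEN from the environment
    print(configure_lease_checked(hvac.Client(), '300s', '1h'))
```

With a real client, replace FakeClient by hvac.Client(); the check is cheap and turns a confusing server-side error (or a silently too-generous maximum) into a local ValueError before the configuration is changed.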

Create or Update RoleΒΆ

Source reference: hvac.api.secrets_engines.Aws.create_or_update_role()

import hvac
client = hvac.Client()

# Inline policy attached to the generated credentials. Keep it as narrow as the
# consumer needs; here only read-only EC2 describe calls.
describe_ec2_policy_doc = {
    'Version': '2012-10-17',
    'Statement': [
        {
            'Resource': '*',
            'Action': 'ec2:Describe*',
            'Effect': 'Allow',
        },
    ],
}
# For credential_type='assumed_role', Vault also needs the ARN(s) of the AWS
# role to assume: pass them via the role_arns parameter here, or supply a
# role_arn when calling generate_credentials(). The inline policy_document and
# the managed policy_arns then scope the assumed session down further.
client.secrets.aws.create_or_update_role(
    name='hvac-role',
    credential_type='assumed_role',
    policy_document=describe_ec2_policy_doc,
    policy_arns=['arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess'],
)
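Because create_or_update_role accepts any JSON as the policy document, the least-privilege review usually happens nowhere. The block below is an added example (not hvac's code and not from the original page) of building the document from explicit action/resource pairs and validating it, together with the ARNs, before the role is written through hvac. It goes slightly beyond the role above: it handles any credential_type and rejects bare "*" and "service:*" actions. build_policy_document, create_scoped_role, FakeClient and the 123456789012 account ID and vault-readonly role name are all names and values chosen for this example; FakeClient is a constructed in-memory stand-in for hvac.Client so the code runs without a Vault server.

```python
import json
import re
import types

_ACTION_RE = re.compile(r'^[a-z0-9-]+:[A-Za-z0-9*]+$')
_ROLE_ARN_RE = re.compile(r'^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$')
_POLICY_ARN_RE = re.compile(r'^arn:aws[a-z-]*:iam::(?:aws|\d{12}):policy/[\w+=,.@/-]+$')


def build_policy_document(statements):
    """Turn [(actions, resources), ...] into an Allow-only IAM policy document.

    Rejects the bare '*' action and 'service:*' wildcards so a role cannot
    grant everything a service offers; narrower prefixes such as
    'ec2:Describe*' are still accepted.
    """
    doc_statements = []
    for actions, resources in statements:
        if not actions or not resources:
            raise ValueError('each statement needs at least one action and one resource')
        for action in actions:
            if action == '*' or action.endswith(':*') or not _ACTION_RE.match(action):
                raise ValueError('refusing over-broad or malformed action {!r}'.format(action))
        doc_statements.append({
            'Effect': 'Allow',
            'Action': sorted(actions),
            'Resource': sorted(resources),
        })
    return {'Version': '2012-10-17', 'Statement': doc_statements}


def create_scoped_role(client, name, credential_type, statements,
                       role_arns=(), policy_arns=(), mount_point='aws'):
    """Validate the inputs, then write the role through hvac.

    Returns the policy document that was sent.
    """
    if credential_type == 'assumed_role' and not role_arns:
        raise ValueError('assumed_role roles need role_arns so Vault knows which role to assume')
    for arn in role_arns:
        if not _ROLE_ARN_RE.match(arn):
            raise ValueError('malformed IAM role ARN: {!r}'.format(arn))
    for arn in policy_arns:
        if not _POLICY_ARN_RE.match(arn):
            raise ValueError('malformed IAM policy ARN: {!r}'.format(arn))
    policy_document = build_policy_document(statements)
    client.secrets.aws.create_or_update_role(
        name=name,
        credential_type=credential_type,
        # hvac and Vault both accept the document as a JSON string.
        policy_document=json.dumps(policy_document),
        role_arns=list(role_arns) or None,
        policy_arns=list(policy_arns) or None,
        mount_point=mount_point,
    )
    return policy_document


class FakeClient:
    """Constructed stand-in for hvac.Client (not hvac's code) that records the
    create_or_update_role call so the example runs offline."""

    def __init__(self):
        self.roles = {}
        self.secrets = types.SimpleNamespace(aws=self)

    def create_or_update_role(self, name, **kwargs):
        self.roles[name] = kwargs


if __name__ == '__main__':
    import hvac  # real client; reads VAULT_ADDR / VAULT_TOKEN from the environment
    create_scoped_role(
        hvac.Client(), 'hvac-role', 'assumed_role',
        statements=[(['ec2:Describe*'], ['*'])],
        role_arns=['arn:aws:iam::123456789012:role/vault-readonly'],  # hypothetical
        policy_arns=['arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess'],
    )
```

The ARN checks are syntactic only; Vault will still reject a role ARN its root credentials are not allowed to assume, but catching typos locally keeps that error from being mistaken for a permissions problem.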

Legacy ParametersΒΆ

Note

In Vault versions before 0.11.0, this API route only accepts the policy and arn parameters. hvac's policy_document and policy_arns arguments are translated to those names in the request sent to Vault when the legacy_params parameter on this method is set to True; if you run one of those versions, set it.

For older versions of Vault (any version before 0.11.0):

import hvac
client = hvac.Client()

describe_ec2_policy_doc = {
    'Version': '2012-10-17',
    'Statement': [
        {
            'Resource': '*',
            'Action': 'ec2:Describe*',
            'Effect': 'Allow',
        },
    ],
}

# Note: with the legacy params, the `policy_arns` parameter is translated to `arn`
# in the request sent to Vault and only one ARN is accepted. If a list is provided,
# hvac will only use the first ARN in the list.
client.secrets.aws.create_or_update_role(
    name='hvac-role',
    credential_type='assumed_role',
    policy_document=describe_ec2_policy_doc,
    policy_arns='arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess',
    legacy_params=True,
)

Read RoleΒΆ

Source reference: hvac.api.secrets_engines.Aws.read_role()

import hvac
client = hvac.Client()

read_role_response = client.secrets.aws.read_role(
    name='hvac-role',
)
role_data = read_role_response['data']
# Older Vault versions report the type(s) under "credential_types" (a list);
# current versions report a comma-joined string under "credential_type".
cred_type = role_data.get('credential_type', role_data.get('credential_types'))
print('The credential type for role "hvac-role" is: {cred_type}'.format(
    cred_type=cred_type,
))

List RolesΒΆ

Source reference: hvac.api.secrets_engines.Aws.list_roles()

import hvac
client = hvac.Client()

# Note: when no roles exist Vault answers 404 and hvac raises
# hvac.exceptions.InvalidPath rather than returning an empty list.
list_roles_response = client.secrets.aws.list_roles()
print('AWS secrets engine role listing: {roles}'.format(
    roles=', '.join(list_roles_response['data']['keys'])
))

Delete RoleΒΆ

Source reference: hvac.api.secrets_engines.Aws.delete_role()

import hvac
client = hvac.Client()

client.secrets.aws.delete_role(
    name='hvac-role',
)

Generate CredentialsΒΆ

Source reference: hvac.api.secrets_engines.Aws.generate_credentials()

import hvac
client = hvac.Client()

gen_creds_response = client.secrets.aws.generate_credentials(
    name='hvac-role',
)
# The response is a leased secret: 'lease_id' and 'lease_duration' sit next to
# 'data'. For assumed_role and federation_token roles, 'data' also carries a
# 'security_token' (session token) that must accompany the key pair.
# Printing the secret key is for demonstration only; never log it in real code.
print('Generated access / secret keys: {access} / {secret}'.format(
    access=gen_creds_response['data']['access_key'],
    secret=gen_creds_response['data']['secret_key'],
))
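Generated credentials are a leased secret, so the useful pattern is to hand them to the AWS SDK or CLI and revoke the lease as soon as the work is done rather than letting them live out their TTL. The following is an added example, not hvac's code and not from the original page: it maps the generate_credentials response onto the environment variables the AWS SDKs read (including the session token for STS-backed roles), exposes the credentials inside a context manager, and revokes the lease through client.sys.revoke_lease on exit. credentials_to_env, leased_aws_credentials, mask_secret and FakeClient are names chosen here; FakeClient is a constructed stand-in for hvac.Client with made-up key material so the example runs without Vault or AWS.

```python
import contextlib
import types


def mask_secret(value, keep=4):
    """Return a log-safe form of a secret showing only its last `keep` characters."""
    if len(value) <= keep:
        return '*' * len(value)
    return '*' * (len(value) - keep) + value[-keep:]


def credentials_to_env(gen_creds_response):
    """Map a generate_credentials response to the env vars the AWS SDKs read."""
    data = gen_creds_response['data']
    env = {
        'AWS_ACCESS_KEY_ID': data['access_key'],
        'AWS_SECRET_ACCESS_KEY': data['secret_key'],
    }
    # assumed_role / federation_token credentials come with a session token the
    # SDK needs as well; iam_user credentials do not.
    if data.get('security_token'):
        env['AWS_SESSION_TOKEN'] = data['security_token']
    return env


@contextlib.contextmanager
def leased_aws_credentials(client, role_name, mount_point='aws'):
    """Generate credentials for `role_name`, yield (env, lease_id, ttl_seconds),
    and revoke the lease when the block exits.

    For iam_user credentials revocation makes Vault delete the IAM user at
    once; STS credentials cannot be revoked and simply expire at their TTL,
    so keep default_sts_ttl on such roles short.
    """
    response = client.secrets.aws.generate_credentials(
        name=role_name, mount_point=mount_point,
    )
    try:
        yield credentials_to_env(response), response['lease_id'], response['lease_duration']
    finally:
        client.sys.revoke_lease(lease_id=response['lease_id'])


class FakeClient:
    """Constructed stand-in for hvac.Client (not hvac's code) so this runs offline.

    Returns the shape of a real generate_credentials response with made-up
    values and records which leases were revoked.
    """

    def __init__(self, security_token=None):
        self.revoked = []
        self._token = security_token
        self.secrets = types.SimpleNamespace(aws=self)
        self.sys = self

    def generate_credentials(self, name, mount_point='aws'):
        return {
            'lease_id': 'aws/creds/{}/constructed-lease-id'.format(name),
            'lease_duration': 300,
            'renewable': True,
            'data': {
                'access_key': 'AKIACONSTRUCTEDEXAMPLE',          # constructed, not a real key
                'secret_key': 'constructed-secret-key-not-real',  # constructed, not a real key
                'security_token': self._token,
            },
        }

    def revoke_lease(self, lease_id):
        self.revoked.append(lease_id)


if __name__ == '__main__':
    import os
    import subprocess
    import hvac  # real client; reads VAULT_ADDR / VAULT_TOKEN from the environment
    with leased_aws_credentials(hvac.Client(), 'hvac-role') as (env, lease_id, ttl):
        print('lease {} valid for {}s, secret {}'.format(
            lease_id, ttl, mask_secret(env['AWS_SECRET_ACCESS_KEY'])))
        subprocess.run(['aws', 'sts', 'get-caller-identity'], env={**os.environ, **env}, check=False)
```

Passing the env mapping to a subprocess or to boto3.Session(**...) keeps the secret out of the parent process's global environment and out of logs; mask_secret is what should appear in any log line that mentions the credentials at all.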