Mount

Manipulate secret backends

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

backends = client.sys.list_mounted_secrets_engines()['data']

client.sys.enable_secrets_engine('aws', path='aws-us-east-1')
client.sys.disable_secrets_engine('mysql')

client.sys.tune_mount_configuration(path='test', default_lease_ttl='3600s', max_lease_ttl='8600s')
client.sys.read_mount_configuration(path='test')

client.sys.move_backend('aws-us-east-1', 'aws-east')

List Mounted Secrets Engines

Mount.list_mounted_secrets_engines()

Lists all the mounted secrets engines.

Supported methods:

POST: /sys/mounts. Produces: 200 application/json

Returns

JSON response of the request.

Return type

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

secrets_engines_list = client.sys.list_mounted_secrets_engines()['data']
print('The following secrets engines are mounted: %s' % ', '.join(sorted(secrets_engines_list.keys())))

Example output:

The following secrets engines are mounted: cubbyhole/, identity/, secret/, sys/

Enable Secrets Engine

Mount.enable_secrets_engine(backend_type, path=None, description=None, config=None, plugin_name=None, options=None, local=False, seal_wrap=False, **kwargs)

Enable a new secrets engine at the given path.

Supported methods:

POST: /sys/mounts/{path}. Produces: 204 (empty body)

Parameters
  • backend_type (str | unicode) – The name of the backend type, such as “github” or “token”.

  • path (str | unicode) – The path to mount the method on. If not provided, defaults to the value of the “backend_type” argument.

  • description (str | unicode) – A human-friendly description of the mount.

  • config (dict) –

    Configuration options for this mount. These are the possible values:

    • default_lease_ttl: The default lease duration, specified as a string duration like “5s” or “30m”.

    • max_lease_ttl: The maximum lease duration, specified as a string duration like “5s” or “30m”.

    • force_no_cache: Disable caching.

    • plugin_name: The name of the plugin in the plugin catalog to use.

    • audit_non_hmac_request_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.

    • audit_non_hmac_response_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.

    • listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. (“unauth” or “hidden”)

    • passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request to the backend.

  • options (dict) –

    Specifies mount type specific options that are passed to the backend.

    • version: <KV> The version of the KV to mount. Set to “2” to mount KV v2.

  • plugin_name (str | unicode) – Specifies the name of the plugin to use, based on the name in the plugin catalog. Applies only to plugin backends.

  • local (bool) – <Vault enterprise only> Specifies if the auth method is local only. Local auth methods are not replicated nor (if a secondary) removed by replication.

  • seal_wrap (bool) – <Vault enterprise only> Enable seal wrapping for the mount.

  • kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secrets engine for details on which extra keyword arguments you might want to pass.

Returns

The response of the request.

Return type

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.enable_secrets_engine(
    backend_type='kv',
    path='hvac-kv',
)

Disable Secrets Engine

Mount.disable_secrets_engine(path)

Disable the mount point specified by the provided path.

Supported methods:

DELETE: /sys/mounts/{path}. Produces: 204 (empty body)

Parameters

path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.

Returns

The response of the request.

Return type

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.disable_secrets_engine(
    path='hvac-kv',
)

Read Mount Configuration

Mount.read_mount_configuration(path)

Read the given mount’s configuration.

Unlike the mounts endpoint, this will return the current time in seconds for each TTL, which may be the system default or a mount-specific value.

Supported methods:

GET: /sys/mounts/{path}/tune. Produces: 200 application/json

Parameters

path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.

Returns

The JSON response of the request.

Return type

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

secret_backend_tuning = client.sys.read_mount_configuration(path='hvac-kv')
print('The max lease TTL for the "hvac-kv" backend is: {max_lease_ttl}'.format(
    max_lease_ttl=secret_backend_tuning['data']['max_lease_ttl'],
))

Example output:

The max lease TTL for the "hvac-kv" backend is: 2764800

Tune Mount Configuration

Mount.tune_mount_configuration(path, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None, options=None, force_no_cache=None, **kwargs)

Tune configuration parameters for a given mount point.

Supported methods:

POST: /sys/mounts/{path}/tune. Produces: 204 (empty body)

Parameters
  • path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.

  • mount_point (str) – The path the associated secret backend is mounted on.

  • description (str) – Specifies the description of the mount. This overrides the current stored value, if any.

  • default_lease_ttl (int) – Default time-to-live. This overrides the global default. A value of 0 is equivalent to the system default TTL.

  • max_lease_ttl (int) – Maximum time-to-live. This overrides the global default. A value of 0 is equivalent to the system max TTL.

  • audit_non_hmac_request_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.

  • audit_non_hmac_response_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.

  • listing_visibility (str) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “”.

  • passthrough_request_headers (str) – Comma-separated list of headers to whitelist and pass from the request to the backend.

  • options (dict) –

    Specifies mount type specific options that are passed to the backend.

    • version: <KV> The version of the KV to mount. Set to “2” to mount KV v2.

  • force_no_cache (bool) – Disable caching.

  • kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secrets engine for details on which extra keyword arguments you might want to pass.

Returns

The response from the request.

Return type

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.tune_mount_configuration(
    path='hvac-kv',
    default_lease_ttl='3600s',
    max_lease_ttl='8600s',
)
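
The mount options documented above (listing_visibility, the audit_non_hmac_* key lists and max_lease_ttl) are the ones worth reviewing on an existing Vault. The following audit helper is an added example, not part of hvac or its documentation; it runs on a constructed sample shaped like `client.sys.list_mounted_secrets_engines()['data']`, and the function names, the one-day TTL limit and the sample mounts are assumptions.

```python
# Added example: review mount settings from list_mounted_secrets_engines()['data'].
import re

_UNITS = {"s": 1, "m": 60, "h": 3600}  # subset of duration units handled here

def ttl_seconds(value):
    """Convert a TTL given as int seconds or a duration string ("30m", "1h30m")."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("unrecognised TTL: %r" % (value,))
    return sum(int(n) * _UNITS[u] for n, u in parts)

def audit_mounts(mounts, max_ttl_limit=86400):
    """Return sorted (path, finding) tuples for mount settings that need review."""
    findings = []
    for path, mount in mounts.items():
        config = mount.get("config") or {}
        if config.get("listing_visibility") == "unauth":
            findings.append((path, "shown in the unauthenticated UI listing"))
        for key in ("audit_non_hmac_request_keys", "audit_non_hmac_response_keys"):
            exempt = config.get(key) or []
            if isinstance(exempt, str):  # comma-separated form
                exempt = [k for k in exempt.split(",") if k]
            if exempt:
                findings.append((path, "%s not HMAC'd in audit logs: %s"
                                 % (key, ", ".join(exempt))))
        # A TTL of 0 means "use the system value", so it is never flagged here.
        if ttl_seconds(config.get("max_lease_ttl", 0)) > max_ttl_limit:
            findings.append((path, "max_lease_ttl exceeds %ds" % max_ttl_limit))
    return sorted(findings)

# Constructed sample data (assumed response shape, not output from a real Vault).
SAMPLE_MOUNTS = {
    "secret/": {"type": "kv", "config": {"default_lease_ttl": 0, "max_lease_ttl": 0}},
    "aws-east/": {"type": "aws", "config": {"max_lease_ttl": "768h",
                                            "listing_visibility": "unauth"}},
    "hvac-kv/": {"type": "kv", "config": {"max_lease_ttl": 8600,
                                          "audit_non_hmac_request_keys": ["password"]}},
}

if __name__ == "__main__":
    for path, finding in audit_mounts(SAMPLE_MOUNTS):
        print("%-10s %s" % (path, finding))
```

Against a live server, pass `client.sys.list_mounted_secrets_engines()['data']` in place of `SAMPLE_MOUNTS`.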

Move Backend

Mount.move_backend(from_path, to_path)

Move an already-mounted backend to a new mount point.

Supported methods:

POST: /sys/remount. Produces: 204 (empty body)

Parameters
  • from_path (str | unicode) – Specifies the previous mount point.

  • to_path (str | unicode) – Specifies the new destination mount point.

Returns

The response of the request.

Return type

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.move_backend(
    from_path='hvac-kv',
    to_path='kv-hvac',
)