JWT/OIDCΒΆ

Note

The hvac.api.auth_methods.JWT and hvac.api.auth_methods.OIDC share all the same methods. They only differ in the default path their methods will use. I.e., v1/auth/jwt versus v1/auth/oidc.

EnablingΒΆ

import hvac
client = hvac.Client()

# For JWT
client.sys.enable_auth_method(
    method_type='jwt',
)

# For OIDC
client.sys.enable_auth_method(
    method_type='oidc',
)

ConfigureΒΆ

hvac.api.auth_methods.JWT.configure()

import hvac
client = hvac.Client()

client.auth.jwt.configure(
    oidc_discovery_url=oidc_discovery_url,
    oidc_discovery_ca_pem=some_ca_file_contents,
)

# or

client.auth.oidc.configure(
    oidc_discovery_url=oidc_discovery_url,
    oidc_discovery_ca_pem=some_ca_file_contents,
)

Read ConfigΒΆ

hvac.api.auth_methods.JWT.read_config()

import hvac
client = hvac.Client()

read_response = client.auth.jwt.read_config()
# or
read_response = client.auth.oidc.read_config()

discovery_url = read_response['data']['oidc_discovery_url']
print('Current OIDC discovery URL is set to: %s' % discovery_url)

Create RoleΒΆ

hvac.api.auth_methods.JWT.create_role()

import hvac
client = hvac.Client()

role_name = 'hvac'
allowed_redirect_uris = ['https://localhost:8200/jwt-test/callback']
user_claim = 'https://vault/user'

# JWT
client.auth.jwt.create_role(
    name=role_name,
    role_type='jwt',
    allowed_redirect_uris=allowed_redirect_uris,
    user_claim='sub',
    bound_audiences=['12345'],
)

# OIDC
client.auth.oidc.create_role(
    name=role_name,
    allowed_redirect_uris=allowed_redirect_uris,
    user_claim=user_claim,
)

Read RoleΒΆ

hvac.api.auth_methods.JWT.read_role()

import hvac
client = hvac.Client()

response = client.auth.jwt.read_role(
    name='hvac',
)
print('hvac role has a user_claim setting of: %s' % response['data']['user_claim'])

List RolesΒΆ

hvac.api.auth_methods.JWT.list_roles()

import hvac
client = hvac.Client()

list_resp = client.auth.jwt.list_roles()
print('Configured roles: %s' % ', '.join(list_resp['data']['keys']))

Delete RoleΒΆ

hvac.api.auth_methods.JWT.delete_role()

import hvac
client = hvac.Client()

client.auth.jwt.delete_role(
    name='hvac',
)

JWT LoginΒΆ

hvac.api.auth_methods.JWT.jwt_login()

import hvac
client = hvac.Client()

response = client.auth.jwt.jwt_login(
    role=role_name,
    jwt=generate_token_response['data']['token'],
)
print('Client token returned: %s' % response['auth']['client_token'])