GCP
Configure
Gcp.configure(credentials='', ttl=0, max_ttl=0, mount_point='gcp')
Configure shared information for the Gcp secrets engine.
Supported methods:
- POST: /{mount_point}/config. Produces: 204 (empty body)
Parameters:
- credentials (str | unicode) – JSON credentials (either the file contents or ‘@path/to/file’). See the docs for alternative ways to pass this parameter and for the permissions the credentials need.
- ttl (int | str) – Specifies the default config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.
- max_ttl (int | str) – Specifies the maximum config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
# The credentials parameter takes the JSON file contents as a string.
with open('example.jwt.json') as f:
    credentials = f.read()
configure_response = client.secrets.gcp.configure(
    credentials=credentials,
    max_ttl=3600,
)
print(configure_response)
Example output:
<Response [204]>
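Because ttl and max_ttl accept either integer seconds or a Go duration string, it is easy to send a default TTL that is longer than the maximum without noticing. The helper below is an added example (not hvac's own code): it normalises both forms to seconds and applies a local pre-flight policy (ttl must not exceed max_ttl) before the values go to configure().

```python
import re

# Go duration suffixes accepted by time.ParseDuration, in seconds.
_UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
# "ms" must precede "m" so that "500ms" is not read as "500m" + "s".
_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(value):
    """Return whole seconds for a Vault TTL value.

    Accepts an int, a string of digits (seconds), or a Go duration such as
    '1h30m' or '1.5h'. Raises ValueError for anything else.
    """
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    total, pos = 0.0, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("invalid Go duration: %r" % value)
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0:  # empty string: no number+unit pair consumed
        raise ValueError("invalid Go duration: %r" % value)
    return int(total)


def check_gcp_ttls(ttl, max_ttl):
    """Normalise ttl/max_ttl to seconds and enforce a local policy before
    calling client.secrets.gcp.configure(): the default TTL must not exceed
    the maximum. 0 keeps Vault's default. Returns (ttl_seconds, max_ttl_seconds).
    """
    ttl_s, max_s = parse_go_duration(ttl), parse_go_duration(max_ttl)
    if ttl_s < 0 or max_s < 0:
        raise ValueError("TTLs must not be negative")
    if max_s and ttl_s > max_s:
        raise ValueError("ttl %ds exceeds max_ttl %ds" % (ttl_s, max_s))
    return ttl_s, max_s
```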
Read Config
Gcp.read_config(mount_point='gcp')
Read the configured shared information for the Gcp secrets engine.
Credentials will be omitted from returned data.
Supported methods:
- GET: /{mount_point}/config. Produces: 200 application/json
Parameters:
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The JSON response of the request.
Return type: dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
read_config_response = client.secrets.gcp.read_config()
print('Max TTL for GCP secrets engine set to: {max_ttl}'.format(max_ttl=read_config_response['data']['max_ttl']))
Example output:
Max TTL for GCP secrets engine set to: 3600
Create Or Update Roleset
Gcp.create_or_update_roleset(name, project, bindings, secret_type='access_token', token_scopes=None, mount_point='gcp')
Create a roleset or update an existing roleset.
See the roleset docs for the GCP secrets backend to learn more about what happens when you create or update a roleset.
Supported methods:
- POST: /{mount_point}/roleset/{name}. Produces: 204 (empty body)
Parameters:
- name (str | unicode) – Name of the role. Cannot be updated.
- project (str | unicode) – Name of the GCP project that this roleset’s service account will belong to. Cannot be updated.
- bindings (str | unicode) – Bindings configuration string (expects HCL or JSON format, as a raw or base64-encoded string).
- secret_type (str | unicode) – Type of secret the roleset generates. Cannot be updated.
- token_scopes (list[str]) – List of OAuth scopes to assign to access_token secrets generated under this roleset (access_token rolesets only).
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
bindings = """
    resource "//cloudresourcemanager.googleapis.com/project/some-gcp-project-id" {
        roles = [
            "roles/viewer"
        ],
    }
"""
token_scopes = [
    'https://www.googleapis.com/auth/cloud-platform',
    'https://www.googleapis.com/auth/bigquery',
]
roleset_response = client.secrets.gcp.create_or_update_roleset(
    name='hvac-doctest',
    project='some-gcp-project-id',
    bindings=bindings,
    token_scopes=token_scopes,
)
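The bindings string is where a roleset's blast radius is decided, so it is worth generating it from data and checking it rather than pasting HCL by hand. The following is an added example, not hvac's or Vault's code: it renders a {resource: [roles]} mapping into the HCL block form shown above, refuses the project-wide primitive roles (roles/owner, roles/editor are the assumed deny set), and optionally base64-encodes the result, since both forms are accepted.

```python
import base64

# Primitive roles that make a scoped roleset pointless: a roleset bound to
# one of these mints credentials that reach the whole project (assumed deny set).
OVERLY_BROAD_ROLES = frozenset({"roles/owner", "roles/editor"})


def render_bindings(bindings, deny=OVERLY_BROAD_ROLES):
    """Render {resource: [roles, ...]} as the HCL bindings string the GCP
    secrets engine accepts (the block form shown in the roleset example).

    Raises ValueError for empty input, an empty role list, a name that is
    not a GCP role (predefined 'roles/...' or custom '.../roles/...'), or
    a role in the deny set.
    """
    if not bindings:
        raise ValueError("a roleset needs at least one resource binding")
    blocks = []
    for resource, roles in bindings.items():
        if not resource or not roles:
            raise ValueError("resource and roles must both be non-empty")
        for role in roles:
            if not (role.startswith("roles/") or "/roles/" in role):
                raise ValueError("not a GCP role name: %r" % role)
            if role in deny:
                raise ValueError("%s is too broad for a roleset binding" % role)
        role_lines = ",\n".join('    "%s"' % r for r in roles)
        blocks.append('resource "%s" {\n  roles = [\n%s\n  ]\n}' % (resource, role_lines))
    return "\n".join(blocks) + "\n"


def bindings_payload(bindings, encode=False):
    """Return the value to pass as bindings= to create_or_update_roleset():
    the raw HCL, or the same HCL base64-encoded (both forms are accepted)."""
    hcl = render_bindings(bindings)
    if encode:
        return base64.b64encode(hcl.encode("utf-8")).decode("ascii")
    return hcl
```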
Rotate Roleset Account
Gcp.rotate_roleset_account(name, mount_point='gcp')
Rotate the service account this roleset uses to generate secrets.
This also replaces the key of an access_token roleset. This can be used to invalidate old secrets generated by the roleset, or to fix issues if a roleset’s service account (and/or keys) was changed outside of Vault (i.e. through the GCP APIs or cloud console).
Supported methods:
- POST: /{mount_point}/roleset/{name}/rotate. Produces: 204 (empty body)
Parameters:
- name (str | unicode) – Name of the role.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
rotate_response = client.secrets.gcp.rotate_roleset_account(name='hvac-doctest')
Rotate Roleset Account Key
Gcp.rotate_roleset_account_key(name, mount_point='gcp')
Rotate the service account key this roleset uses to generate access tokens.
This does not recreate the roleset service account.
Supported methods:
- POST: /{mount_point}/roleset/{name}/rotate-key. Produces: 204 (empty body)
Parameters:
- name (str | unicode) – Name of the role.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
rotate_response = client.secrets.gcp.rotate_roleset_account_key(name='hvac-doctest')
Read Roleset
Gcp.read_roleset(name, mount_point='gcp')
Read a roleset.
Supported methods:
- GET: /{mount_point}/roleset/{name}. Produces: 200 application/json
Parameters:
- name (str | unicode) – Name of the role.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The JSON response of the request.
Return type: dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
read_response = client.secrets.gcp.read_roleset(name='hvac-doctest')
List Rolesets
Gcp.list_rolesets(mount_point='gcp')
List configured rolesets.
Supported methods:
- LIST: /{mount_point}/rolesets. Produces: 200 application/json
Parameters:
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The JSON response of the request.
Return type: dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
list_response = client.secrets.gcp.list_rolesets()
Delete Roleset
Gcp.delete_roleset(name, mount_point='gcp')
Delete an existing roleset by the given name.
Supported methods:
- DELETE: /{mount_point}/roleset/{name}. Produces: 200 application/json
Parameters:
- name (str | unicode) – Name of the role.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The response of the request.
Return type: requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
delete_response = client.secrets.gcp.delete_roleset(name='hvac-doctest')
Generate Oauth2 Access Token
Gcp.generate_oauth2_access_token(roleset, mount_point='gcp')
Generate an OAuth2 token with the scopes defined on the roleset.
This OAuth access token can be used in GCP API calls, e.g. curl -H “Authorization: Bearer $TOKEN” …
Supported methods:
- GET: /{mount_point}/token/{roleset}. Produces: 200 application/json
Parameters:
- roleset (str | unicode) – Name of a roleset with secret type access_token to generate the access_token under.
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The JSON response of the request.
Return type: dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
token_response = client.secrets.gcp.generate_oauth2_access_token(roleset='hvac-doctest')
Generate Service Account Key
Gcp.generate_service_account_key(roleset, key_algorithm='KEY_ALG_RSA_2048', key_type='TYPE_GOOGLE_CREDENTIALS_FILE', method='POST', mount_point='gcp')
Generate Secret (IAM Service Account Creds): Service Account Key
If using GET (‘read’), the optional parameters will be set to their defaults. Use POST if you want to specify different values for these params.
Parameters:
- roleset (str | unicode) – Name of a roleset with secret type service_account_key to generate the key under.
- key_algorithm (str | unicode) – Key algorithm used to generate the key. Defaults to a 2k RSA key; you probably should not choose other values (i.e. 1k).
- key_type (str | unicode) – Private key type to generate. Defaults to a JSON credentials file.
- method (str | unicode) – HTTP method to use. Supported methods:
  - POST: /{mount_point}/key/{roleset}. Produces: 200 application/json
  - GET: /{mount_point}/key/{roleset}. Produces: 200 application/json
- mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns: The JSON response of the request.
Return type: dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
key_response = client.secrets.gcp.generate_service_account_key(roleset='hvac-doctest')
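The key returned here is a long-lived credential bounded only by its Vault lease, so the consuming code should keep it in memory, validate it, and log only non-secret identifiers. The block below is an added example (not hvac's or Vault's code) built on the assumed response layout: data.private_key_data carries the base64-encoded JSON credentials file and lease_duration is in seconds; the sample response at the bottom is constructed and its PEM body is a placeholder.

```python
import base64
import json
import time

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def load_generated_key(key_response, now=None):
    """Turn a generate_service_account_key() response into an in-memory
    credentials dict plus a log-safe summary, never writing the key to disk.
    Assumes Vault's layout: data.private_key_data is the base64-encoded JSON
    credentials file and lease_duration is in seconds. Returns
    (credentials, summary); raises ValueError on a malformed payload."""
    data = key_response.get("data") or {}
    try:
        creds = json.loads(base64.b64decode(data["private_key_data"]))
    except (KeyError, ValueError) as exc:
        raise ValueError("private_key_data is not base64-encoded JSON") from exc
    if not isinstance(creds, dict) or creds.get("type") != "service_account":
        raise ValueError("payload is not a service_account credentials file")
    missing = [f for f in REQUIRED_FIELDS if not creds.get(f)]
    if missing or "BEGIN PRIVATE KEY" not in creds["private_key"]:
        raise ValueError("incomplete or non-PEM credentials, missing %s" % missing)
    now = time.time() if now is None else now
    summary = {  # no secret material: safe to log or emit as an audit event
        "lease_id": key_response.get("lease_id"),
        "client_email": creds["client_email"],
        "private_key_id": creds["private_key_id"],
        "expires_at": int(now + key_response.get("lease_duration", 0)),
    }
    return creds, summary


# Constructed sample response (layout only; the PEM body is a placeholder).
_SAMPLE_CREDS = {
    "type": "service_account",
    "project_id": "some-gcp-project-id",
    "private_key_id": "constructed-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "vault-hvac-doctest@some-gcp-project-id.iam.gserviceaccount.com",
}
SAMPLE_KEY_RESPONSE = {
    "lease_id": "gcp/key/hvac-doctest/constructed-lease-id",
    "lease_duration": 3600,
    "data": {
        "private_key_data": base64.b64encode(json.dumps(_SAMPLE_CREDS).encode()).decode(),
        "key_type": "TYPE_GOOGLE_CREDENTIALS_FILE",
    },
}
```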