GCP

Configure

Gcp.configure(credentials='', ttl=0, max_ttl=0, mount_point='gcp')

Configure shared information for the Gcp secrets engine.

Supported methods:
POST: /{mount_point}/config. Produces: 204 (empty body)
Parameters:
  • credentials (str | unicode) – JSON credentials (either the file contents or '@path/to/file'). See the Vault docs for alternative ways to pass this parameter, as well as the required permissions.
  • ttl (int | str) – Specifies the default config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.
  • max_ttl (int | str) – Specifies the maximum config TTL for long-lived credentials (i.e. service account keys). Accepts an integer number of seconds or a Go duration format string.
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')


# The credentials parameter takes the JSON contents of the key file, not its path.
with open('example.jwt.json') as credentials_file:
    credentials = credentials_file.read()
configure_response = client.secrets.gcp.configure(
    credentials=credentials,
    max_ttl=3600,
)
print(configure_response)

Example output:

<Response [204]>
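
Before calling configure(), it is worth validating the inputs described above: credentials must be the JSON contents of a service account key, and ttl/max_ttl may be given either as integer seconds or as Go duration strings. The helper below is an added example, not hvac's own code; the fields it checks in the credentials JSON are those of a standard GCP service account key file, and the sample key is constructed.

```python
import json
import re

# Go duration units Vault accepts for ttl / max_ttl (e.g. "1h30m", "300s").
_GO_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_GO_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def go_duration_to_seconds(value):
    """Return whole seconds for an int or a Go duration string such as '1h30m'."""
    if isinstance(value, int):
        if value < 0:
            raise ValueError("TTL must not be negative")
        return value
    text = str(value).strip()
    # Every character must belong to a <number><unit> token; rejects "1hx", "h1", "".
    if not text or _GO_TOKEN.sub("", text):
        raise ValueError("not a Go duration: %r" % value)
    return int(sum(float(n) * _GO_UNITS[u] for n, u in _GO_TOKEN.findall(text)))


def build_configure_kwargs(credentials_json, ttl=0, max_ttl=0):
    """Validate and normalise the arguments for client.secrets.gcp.configure(**kwargs).

    Raises ValueError rather than letting Vault store a broken or over-long config.
    """
    creds = json.loads(credentials_json)  # a path such as "@creds.json" fails here
    if not isinstance(creds, dict) or creds.get("type") != "service_account":
        raise ValueError("credentials must be a service account key (type=service_account)")
    for field in ("client_email", "private_key", "project_id"):
        if not creds.get(field):
            raise ValueError("credentials JSON is missing %r" % field)
    ttl_s, max_ttl_s = go_duration_to_seconds(ttl), go_duration_to_seconds(max_ttl)
    # 0 means "use the engine default"; a non-zero ttl may not exceed a non-zero max_ttl.
    if max_ttl_s and ttl_s > max_ttl_s:
        raise ValueError("ttl %ds exceeds max_ttl %ds" % (ttl_s, max_ttl_s))
    return {"credentials": credentials_json, "ttl": ttl_s, "max_ttl": max_ttl_s}


# Constructed sample key (not a real credential) so the helper runs offline.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "some-gcp-project-id",
    "client_email": "vault@some-gcp-project-id.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    kwargs = build_configure_kwargs(SAMPLE_KEY, ttl="1h", max_ttl="24h")
    print(kwargs["ttl"], kwargs["max_ttl"])  # 3600 86400
    # client.secrets.gcp.configure(**kwargs)  # with an hvac.Client, as in the example above
```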

Read Config

Gcp.read_config(mount_point='gcp')

Read the configured shared information for the Gcp secrets engine.

Credentials will be omitted from returned data.

Supported methods:
GET: /{mount_point}/config. Produces: 200 application/json
Parameters:
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_config_response = client.secrets.gcp.read_config()
print('Max TTL for GCP secrets engine set to: {max_ttl}'.format(max_ttl=read_config_response['data']['max_ttl']))

Example output:

Max TTL for GCP secrets engine set to: 3600

Create Or Update Roleset

Gcp.create_or_update_roleset(name, project, bindings, secret_type='access_token', token_scopes=None, mount_point='gcp')

Create a roleset or update an existing roleset.

See the roleset docs for the GCP secrets backend to learn more about what happens when you create or update a roleset.

Supported methods:
POST: /{mount_point}/roleset/{name}. Produces: 204 (empty body)
Parameters:
  • name (str | unicode) – Name of the role. Cannot be updated.
  • project (str | unicode) – Name of the GCP project that this roleset’s service account will belong to. Cannot be updated.
  • bindings (str | unicode) – Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)
  • secret_type (str | unicode) – Type of secret this roleset generates: access_token (the default) or service_account_key. Cannot be updated.
  • token_scopes (list[str]) – List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only)
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')


bindings = """
    resource "//cloudresourcemanager.googleapis.com/project/some-gcp-project-id" {
      roles = [
        "roles/viewer"
      ],
    }
"""
token_scopes = [
    'https://www.googleapis.com/auth/cloud-platform',
    'https://www.googleapis.com/auth/bigquery',
]

roleset_response = client.secrets.gcp.create_or_update_roleset(
    name='hvac-doctest',
    project='some-gcp-project-id',
    bindings=bindings,
    token_scopes=token_scopes,
)

Rotate Roleset Account

Gcp.rotate_roleset_account(name, mount_point='gcp')

Rotate the service account this roleset uses to generate secrets.

For access_token rolesets this also replaces the service account key. Rotation can be used to invalidate old secrets generated by the roleset, or to recover if a roleset’s service account (and/or its keys) was changed outside of Vault (i.e. through the GCP APIs or Cloud Console).

Supported methods:
POST: /{mount_point}/roleset/{name}/rotate. Produces: 204 (empty body)
Parameters:
  • name (str | unicode) – Name of the role.
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_roleset_account(name='hvac-doctest')

Rotate Roleset Account Key

Gcp.rotate_roleset_account_key(name, mount_point='gcp')

Rotate the service account key this roleset uses to generate access tokens.

This does not recreate the roleset service account.

Supported methods:
POST: /{mount_point}/roleset/{name}/rotate-key. Produces: 204 (empty body)
Parameters:
  • name (str | unicode) – Name of the role.
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

rotate_response = client.secrets.gcp.rotate_roleset_account_key(name='hvac-doctest')

Read Roleset

Gcp.read_roleset(name, mount_point='gcp')

Read a roleset.

Supported methods:
GET: /{mount_point}/roleset/{name}. Produces: 200 application/json
Parameters:
  • name (str | unicode) – Name of the role.
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

read_response = client.secrets.gcp.read_roleset(name='hvac-doctest')

List Rolesets

Gcp.list_rolesets(mount_point='gcp')

List configured rolesets.

Supported methods:
LIST: /{mount_point}/rolesets. Produces: 200 application/json
Parameters:
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

list_response = client.secrets.gcp.list_rolesets()

Delete Roleset

Gcp.delete_roleset(name, mount_point='gcp')

Delete an existing roleset by the given name.

Supported methods:
DELETE: /{mount_point}/roleset/{name}. Produces: 200 application/json
Parameters:
  • name (str | unicode) – Name of the role.
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

delete_response = client.secrets.gcp.delete_roleset(name='hvac-doctest')

Generate Oauth2 Access Token

Gcp.generate_oauth2_access_token(roleset, mount_point='gcp')

Generate an OAuth2 token with the scopes defined on the roleset.

This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" …

Supported methods:
GET: /{mount_point}/token/{roleset}. Produces: 200 application/json
Parameters:
  • roleset (str | unicode) – Name of a roleset with secret type access_token to generate an access_token under.
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

token_response = client.secrets.gcp.generate_oauth2_access_token(roleset='hvac-doctest')

Generate Service Account Key

Gcp.generate_service_account_key(roleset, key_algorithm='KEY_ALG_RSA_2048', key_type='TYPE_GOOGLE_CREDENTIALS_FILE', method='POST', mount_point='gcp')

Generate Secret (IAM Service Account Creds): Service Account Key

If using GET (‘read’), the optional parameters will be set to their defaults. Use POST if you want to specify different values for these params.

Parameters:
  • roleset (str | unicode) – Name of a roleset with secret type service_account_key to generate the key under.
  • key_algorithm (str | unicode) – Key algorithm used to generate the key. Defaults to a 2048-bit RSA key (KEY_ALG_RSA_2048); you probably should not choose other values (e.g. a 1024-bit key).
  • key_type (str | unicode) – Private key type to generate. Defaults to a JSON credentials file (TYPE_GOOGLE_CREDENTIALS_FILE).
  • method (str | unicode) – HTTP method to use. Supported methods: POST: /{mount_point}/key/{roleset}. Produces: 200 application/json; GET: /{mount_point}/key/{roleset}. Produces: 200 application/json.
  • mount_point (str | unicode) – The “path” the method/backend was mounted on.
Returns:

The JSON response of the request.

Return type:

dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

key_response = client.secrets.gcp.generate_service_account_key(roleset='hvac-doctest')