Mount

Manipulate secret backends

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

backends = client.sys.list_mounted_secrets_engines()['data']

client.sys.enable_secrets_engine('aws', path='aws-us-east-1')
client.sys.disable_secrets_engine('mysql')

client.sys.tune_mount_configuration(path='test', default_lease_ttl='3600s', max_lease_ttl='8600s')
client.sys.read_mount_configuration(path='test')

client.sys.move_backend('aws-us-east-1', 'aws-east')

List Mounted Secrets Engines

Mount.list_mounted_secrets_engines()

Lists all the mounted secrets engines.

Supported methods:
POST: /sys/mounts. Produces: 200 application/json
Returns: JSON response of the request.
Return type: dict

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

secrets_engines_list = client.sys.list_mounted_secrets_engines()['data']
print('The following secrets engines are mounted: %s' % ', '.join(sorted(secrets_engines_list.keys())))

Example output:

The following secrets engines are mounted: cubbyhole/, identity/, secret/, sys/

Enable Secrets Engine

Mount.enable_secrets_engine(backend_type, path=None, description=None, config=None, plugin_name=None, options=None, local=False, seal_wrap=False, **kwargs)

Enable a new secrets engine at the given path.

Supported methods:
POST: /sys/mounts/{path}. Produces: 204 (empty body)
Parameters:
  • backend_type (str | unicode) – The name of the backend type, such as “github” or “token”.
  • path (str | unicode) – The path to mount the method on. If not provided, defaults to the value of the “method_type” argument.
  • description (str | unicode) – A human-friendly description of the mount.
  • config (dict) –

    Configuration options for this mount. These are the possible values:

    • default_lease_ttl: The default lease duration, specified as a string duration like “5s” or “30m”.
    • max_lease_ttl: The maximum lease duration, specified as a string duration like “5s” or “30m”.
    • force_no_cache: Disable caching.
    • plugin_name: The name of the plugin in the plugin catalog to use.
    • audit_non_hmac_request_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.
    • audit_non_hmac_response_keys: Comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.
    • listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. (“unauth” or “hidden”)
    • passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request to the backend.
  • options (dict) –

    Specifies mount type specific options that are passed to the backend.

    • version: <KV> The version of the KV to mount. Set to “2” for mount KV v2.
  • plugin_name (str | unicode) – Specifies the name of the plugin to use, based on its name in the plugin catalog. Applies only to plugin backends.
  • local (bool) – <Vault enterprise only> Specifies if the auth method is local only. Local auth methods are not replicated nor (if a secondary) removed by replication.
  • seal_wrap (bool) – <Vault enterprise only> Enable seal wrapping for the mount.
  • kwargs (dict) – All dicts are accepted and passed to vault. See your specific secret engine for details on which extra key-word arguments you might want to pass.
Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.enable_secrets_engine(
    backend_type='kv',
    path='hvac-kv',
)

Disable Secrets Engine

Mount.disable_secrets_engine(path)

Disable the mount point specified by the provided path.

Supported methods:
DELETE: /sys/mounts/{path}. Produces: 204 (empty body)
Parameters: path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
Returns: The response of the request.
Return type: requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.disable_secrets_engine(
    path='hvac-kv',
)

Read Mount Configuration

Mount.read_mount_configuration(path)

Read the given mount’s configuration.

Unlike the mounts endpoint, this will return the current time in seconds for each TTL, which may be the system default or a mount-specific value.

Supported methods:
GET: /sys/mounts/{path}/tune. Produces: 200 application/json
Parameters: path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
Returns: The JSON response of the request.
Return type: requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

secret_backend_tuning = client.sys.read_mount_configuration(path='hvac-kv')
print('The max lease TTL for the "hvac-kv" backend is: {max_lease_ttl}'.format(
    max_lease_ttl=secret_backend_tuning['data']['max_lease_ttl'],
))

Example output:

The max lease TTL for the "hvac-kv" backend is: 2764800

Tune Mount Configuration

Mount.tune_mount_configuration(path, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None, options=None, force_no_cache=None, **kwargs)

Tune configuration parameters for a given mount point.

Supported methods:
POST: /sys/mounts/{path}/tune. Produces: 204 (empty body)
Parameters:
  • path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
  • mount_point (str) – The path the associated secret backend is mounted
  • description (str) – Specifies the description of the mount. This overrides the current stored value, if any.
  • default_lease_ttl (int) – Default time-to-live. This overrides the global default. A value of 0 is equivalent to the system default TTL.
  • max_lease_ttl (int) – Maximum time-to-live. This overrides the global default. A value of 0 is equivalent to the system max TTL.
  • audit_non_hmac_request_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the request data object.
  • audit_non_hmac_response_keys (list) – Specifies the comma-separated list of keys that will not be HMAC’d by audit devices in the response data object.
  • listing_visibility (str) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “”.
  • passthrough_request_headers (str) – Comma-separated list of headers to whitelist and pass from the request to the backend.
  • options (dict) –

    Specifies mount type specific options that are passed to the backend.

    • version: <KV> The version of the KV to mount. Set to “2” for mount KV v2.
  • force_no_cache (bool) – Disable caching.
  • kwargs (dict) – All dicts are accepted and passed to vault. See your specific secret engine for details on which extra key-word arguments you might want to pass.
Returns:

The response from the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.tune_mount_configuration(
    path='hvac-kv',
    default_lease_ttl='3600s',
    max_lease_ttl='8600s',
)
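
The mount options documented above (listing_visibility, audit_non_hmac_request_keys / audit_non_hmac_response_keys, max_lease_ttl, the KV version) can be reviewed across every mount from the output of list_mounted_secrets_engines(). The following is an added example, not part of hvac or its documentation; the sample data is constructed, its field layout is assumed from Vault's /sys/mounts response, and audit_mounts and MAX_TTL_LIMIT are hypothetical names.

```python
# Constructed sample shaped like client.sys.list_mounted_secrets_engines()['data'].
# The field layout is an assumption based on Vault's /sys/mounts response.
SAMPLE_MOUNTS = {
    "secret/": {
        "type": "kv",
        "options": {"version": "2"},
        "config": {"default_lease_ttl": 0, "max_lease_ttl": 0, "force_no_cache": False},
    },
    "aws-east/": {
        "type": "aws",
        "options": None,
        "config": {
            "default_lease_ttl": 3600,
            "max_lease_ttl": 7776000,
            "listing_visibility": "unauth",
            "audit_non_hmac_response_keys": ["secret_key"],
        },
    },
    "legacy-kv/": {"type": "kv", "options": {"version": "1"}, "config": {"max_lease_ttl": 0}},
}

MAX_TTL_LIMIT = 30 * 24 * 3600  # hypothetical policy ceiling: 30 days, in seconds


def audit_mounts(mounts, max_ttl_limit=MAX_TTL_LIMIT):
    """Return a sorted list of (mount_path, finding) tuples for settings worth review."""
    findings = []
    for path, mount in mounts.items():
        config = mount.get("config") or {}
        options = mount.get("options") or {}
        if config.get("listing_visibility") == "unauth":
            findings.append((path, "listed to unauthenticated UI users"))
        for side in ("request", "response"):
            keys = config.get("audit_non_hmac_%s_keys" % side) or []
            if keys:
                findings.append((path, "audit log keeps %s keys in cleartext: %s"
                                 % (side, ", ".join(sorted(keys)))))
        if int(config.get("max_lease_ttl") or 0) > max_ttl_limit:
            findings.append((path, "max_lease_ttl above policy ceiling"))
        if mount.get("type") == "kv" and options.get("version") != "2":
            findings.append((path, "KV v1 mount (no versioning)"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit_mounts(SAMPLE_MOUNTS):
        print("%-12s %s" % (path, finding))
```

Against a live server, pass client.sys.list_mounted_secrets_engines()['data'] to audit_mounts and correct any finding with tune_mount_configuration on that path.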

Move Backend

Mount.move_backend(from_path, to_path)

Move an already-mounted backend to a new mount point.

Supported methods:
POST: /sys/remount. Produces: 204 (empty body)
Parameters:
  • from_path (str | unicode) – Specifies the previous mount point.
  • to_path (str | unicode) – Specifies the new destination mount point.
Returns:

The response of the request.

Return type:

requests.Response

Examples

import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

client.sys.move_backend(
    from_path='hvac-kv',
    to_path='kv-hvac',
)