:lock: Python 3.X client for HashiCorp Vault

hvac, updated 🕥 2023-03-18 21:16:15

hvac


HashiCorp Vault API client for Python 3.x


Tested against the latest release, HEAD ref, and 3 previous minor versions (counting back from the latest release) of Vault. Current official support covers Vault v1.4.7 or later.

NOTE: Support for EOL Python versions will be dropped at the end of 2022. Starting in 2023, hvac will track with the CPython EOL dates.

Installation

```console
pip install hvac
```

If you would like to be able to return parsed HCL data as a Python dict for methods that support it:

```console
pip install "hvac[parser]"
```

Documentation

Additional documentation for this module is available at hvac.readthedocs.io.

Issues

revoke_lease not working

opened on 2023-03-15 06:01:31 by shaneseaton

My script is logging in with an approle, and using those credentials to call GCP (vault_client.secrets.gcp.generate_service_account_key). After doing some work with the GCP account I wanted to release the keys, so I was trying revoke_lease, but kept getting permission denied.

If I log in to the CLI with the same approle, I am able to revoke the lease without any problems. Then when looking at the revoke_lease code, and comparing it to the output of

```
vault lease revoke -output-curl-string
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"sync":false}' https://my.vault.com/v1/sys/leases/revoke/
```

I can see the URLs are built very differently, and then comparing that again to what the API doco says (https://developer.hashicorp.com/vault/api-docs/system/leases#revoke-lease) is different again, as the API doco says to use a POST method, not PUT.

I am not sure what to make of it all, perhaps it's version compatibility (we are using Vault 1.12.3)??? but I was able to write this little function that did the job. Note I am still using PUT:

```python
def my_revoke_lease(client, lease_id, sync=False):
    params = {
        # "lease_id": lease_id,
        "sync": sync
    }
    api_path = f"/v1/sys/leases/revoke/{lease_id}"
    return client._adapter.put(
        url=api_path,
        json=params,
    )
```

Is anyone able to work out is going on here?
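The two request shapes from the post above, side by side with a policy check, as an added example (not hvac's code and not the issue author's). The body shape is what `client.sys.revoke_lease` sends (lease ID in the JSON body to `sys/leases/revoke`); the path shape is what `vault lease revoke -output-curl-string` prints. Vault treats PUT and POST alike for write operations, and its ACL layer matches policy rules against the request path, not the body, so the two shapes are authorised by different rules. `policy_allows()` is a deliberately simplified model of that matching (an exact rule, or a rule ending in `*` used as a prefix glob; Vault's `+` segment wildcard is omitted), and the lease ID and policies are constructed for the example.

```python
"""Two shapes of the same lease-revoke request, checked against an ACL rule."""
from __future__ import annotations

import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VaultRequest:
    method: str
    path: str              # path as the ACL layer sees it (no /v1/ prefix)
    body: dict = field(default_factory=dict)

    @property
    def url(self) -> str:
        return "/v1/" + self.path

    def as_curl(self, addr: str) -> str:
        """Render the request the way -output-curl-string would (token from the env)."""
        return (f"curl -X {self.method} -H \"X-Vault-Request: true\" "
                f"-H \"X-Vault-Token: $VAULT_TOKEN\" -d '{json.dumps(self.body)}' "
                f"{addr}{self.url}")


def revoke_by_body(lease_id: str, sync: bool = False) -> VaultRequest:
    """hvac's shape: fixed path, lease ID carried in the body."""
    return VaultRequest("PUT", "sys/leases/revoke", {"lease_id": lease_id, "sync": sync})


def revoke_by_path(lease_id: str, sync: bool = False) -> VaultRequest:
    """CLI's shape: lease ID appended to the path, only sync in the body."""
    return VaultRequest("PUT", f"sys/leases/revoke/{lease_id}", {"sync": sync})


def policy_allows(policy: dict[str, set[str]], request: VaultRequest) -> bool:
    """Simplified ACL evaluation: policy maps path rules to capability sets."""
    needed = "update" if request.method in ("PUT", "POST") else "read"
    exact = policy.get(request.path)
    if exact is not None:
        return needed in exact                 # an exact rule beats any glob
    best_rule, best_caps = "", set()
    for rule, caps in policy.items():
        if rule.endswith("*") and request.path.startswith(rule[:-1]) and len(rule) > len(best_rule):
            best_rule, best_caps = rule, caps  # longest matching prefix wins
    return needed in best_caps


# Constructed lease ID and policies (not taken from the issue).
LEASE_ID = "gcp/key/abc123"

# Grants only the path-suffixed shape: the CLI call succeeds, while the
# body shape hits the bare sys/leases/revoke path, which no rule covers.
PREFIX_ONLY_POLICY = {"sys/leases/revoke/gcp/*": {"update"}}

# Grants both shapes.
BOTH_SHAPES_POLICY = {
    "sys/leases/revoke": {"update"},
    "sys/leases/revoke/gcp/*": {"update"},
}


def compare(policy: dict[str, set[str]], lease_id: str = LEASE_ID) -> dict[str, bool]:
    """Which request shape a policy permits for one lease."""
    return {
        "body": policy_allows(policy, revoke_by_body(lease_id)),
        "path": policy_allows(policy, revoke_by_path(lease_id)),
    }


if __name__ == "__main__":
    for name, pol in (("prefix-only", PREFIX_ONLY_POLICY), ("both", BOTH_SHAPES_POLICY)):
        print(name, compare(pol))
    print(revoke_by_path(LEASE_ID).as_curl("https://vault.example.com"))
```

The design difference matters beyond the permission error: with the lease ID in the path, a policy can be scoped to a prefix such as `sys/leases/revoke/gcp/*`, whereas a rule on the bare `sys/leases/revoke` path lets the holder revoke any lease whose ID it knows.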

[question]How to check if the create_or_update_secret method succeed?

opened on 2023-03-10 15:56:51 by MarkRushB

link: https://hvac.readthedocs.io/en/stable/source/hvac_api_secrets_engines.html#hvac.api.secrets_engines.KvV2.create_or_update_secret

From the doc I cannot get more detailed info, I found there is no status_code returned by create_or_update_secret method, and I am wondering if this method failed, what would be response like?
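An added example (not hvac's code and not from the question) of how success and failure of a KV v2 write actually surface. hvac returns no status code: a non-2xx reply is raised as a subclass of `hvac.exceptions.VaultError` (`Forbidden` for 403, `InvalidPath` for 404, `InvalidRequest` for 400), and a successful `create_or_update_secret` returns the response JSON, whose `data.version` is the version just written. The exception classes below are local stand-ins carrying hvac's names so the file runs without hvac installed, and `FakeKvV2` is a constructed model of `client.secrets.kv.v2` that follows Vault's check-and-set rule (`cas=0` only creates, `cas=N` only writes over version N).

```python
"""Telling whether a KV v2 write landed: exceptions on failure, version on success."""
from __future__ import annotations


class VaultError(Exception):
    """Stand-in for hvac.exceptions.VaultError."""


class Forbidden(VaultError):
    """Stand-in for hvac.exceptions.Forbidden (HTTP 403)."""


class InvalidRequest(VaultError):
    """Stand-in for hvac.exceptions.InvalidRequest (HTTP 400)."""


class FakeKvV2:
    """Constructed model of a KV v2 mount: version history per path, one writable prefix."""

    def __init__(self, allowed_prefix: str):
        self.allowed_prefix = allowed_prefix
        self.history: dict[str, list[dict]] = {}

    def create_or_update_secret(self, path: str, secret: dict, cas: int | None = None,
                                mount_point: str = "secret") -> dict:
        if not path.startswith(self.allowed_prefix):
            raise Forbidden("permission denied")
        versions = self.history.setdefault(path, [])
        current = len(versions)
        if cas is not None and cas != current:
            raise InvalidRequest("check-and-set parameter did not match the current version")
        versions.append(dict(secret))
        # Shape of the real reply: only the metadata block, never the secret data.
        return {"data": {"version": current + 1, "destroyed": False,
                         "created_time": "2023-03-10T15:56:51Z", "deletion_time": ""}}


def write_secret_checked(kv, path: str, secret: dict, expected_version: int,
                         mount_point: str = "secret") -> int:
    """Write only if the path currently sits at expected_version; return the new version.

    An int coming back means Vault stored exactly the version intended; any
    non-2xx reply arrives as an exception, and a concurrent writer that
    bumped the version in between is rejected instead of silently overwritten.
    """
    resp = kv.create_or_update_secret(path=path, secret=secret,
                                      cas=expected_version, mount_point=mount_point)
    version = int(resp["data"]["version"])
    if version != expected_version + 1:
        raise VaultError(f"unexpected version {version} after write at {path}")
    return version


def write_outcome(kv, path: str, secret: dict, expected_version: int) -> str:
    """Fold the result into one log-friendly string: 'ok:<version>' or the error class name."""
    try:
        return f"ok:{write_secret_checked(kv, path, secret, expected_version)}"
    except VaultError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    kv = FakeKvV2(allowed_prefix="app/")
    print(write_outcome(kv, "app/db", {"password": "first"}, 0))    # ok:1
    print(write_outcome(kv, "app/db", {"password": "second"}, 1))   # ok:2
    print(write_outcome(kv, "app/db", {"password": "stale"}, 1))    # InvalidRequest
    print(write_outcome(kv, "other/db", {"password": "x"}, 0))      # Forbidden
```

With the real library, drop the stand-in classes and `from hvac.exceptions import VaultError, Forbidden, InvalidRequest`; `write_secret_checked` takes `client.secrets.kv.v2` unchanged.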

Feature: Add VAULT_SKIP_VERIFY environment variable

opened on 2023-03-09 13:24:50 by fe80

Hello,

Actually the environment variable VAULT_SKIP_VERIFY is not supported by the library:

```python
Python 3.10.9 (main, Dec 19 2022, 17:35:49) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getenv("VAULT_SKIP_VERIFY")
'true'
>>> import hvac
>>> hvac.Client().is_authenticated()
Traceback (most recent call last):
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/steffy/.pip/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/home/steffy/.pip/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/steffy/.pip/lib/python3.10/site-packages/hvac/v1/__init__.py", line 408, in is_authenticated
    self.lookup_token()
  File "/home/steffy/.pip/lib/python3.10/site-packages/hvac/v1/__init__.py", line 329, in lookup_token
    return self._adapter.get(path, wrap_ttl=wrap_ttl)
  File "/home/steffy/.pip/lib/python3.10/site-packages/hvac/adapters.py", line 112, in get
    return self.request("get", url, **kwargs)
  File "/home/steffy/.pip/lib/python3.10/site-packages/hvac/adapters.py", line 356, in request
    response = super().request(*args, **kwargs)
  File "/home/steffy/.pip/lib/python3.10/site-packages/hvac/adapters.py", line 305, in request
    response = self.session.request(
  File "/home/steffy/.pip/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/steffy/.pip/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/home/steffy/.pip/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
```

This feature adds support for it:

```python
╰─➤ python
Python 3.10.9 (main, Dec 19 2022, 17:35:49) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getenv("VAULT_SKIP_VERIFY")
'true'
>>> import hvac
>>> hvac.Client().is_authenticated()
/home/steffy/.pip/lib/python3.10/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host '127.0.0.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
True
```

Sorry, I opened and closed a bad request before (#959).

Regards,

Provide a way to opt-out of implicit token loading

opened on 2023-03-08 18:50:24 by briantist

When a Vault client is created with a token, it will try to find a token via the VAULT_TOKEN environment variable or the token sink file, much like the Vault CLI.

This can cause unexpected results:

  • https://github.com/ansible-collections/community.hashi_vault/issues/13#issuecomment-740192580
  • https://github.com/hvac/hvac/issues/937

This can be worked around by performing a .logout() call from the client after it's created.

We should at a minimum provide a more explicit way to opt out of this behavior on Client creation.

I might go so far as to say we should consider changing the default behavior in a future version, and make this opt-in.
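An added example serving both the VAULT_SKIP_VERIFY request and the implicit-token issue above; it is not hvac's code. `hvac.Client` accepts `url`, `token` and `verify` (True, False or a CA bundle path) and, when no token is passed, looks one up from VAULT_TOKEN or the `~/.vault-token` sink, which the issue works around with `client.logout()`. The function below resolves the same CLI environment variables in plain Python so every value is passed to the client explicitly: VAULT_SKIP_VERIFY is parsed with Go's `strconv.ParseBool` spellings (the CLI's parser), it wins over VAULT_CACERT, and `use_env_token=False` opts out of the implicit token. The default address is the CLI's `https://127.0.0.1:8200`, an assumption made for the example; the warning text is mine.

```python
"""Resolve hvac Client settings from the Vault CLI's environment variables."""
from __future__ import annotations

import os
import warnings
from dataclasses import dataclass
from typing import Mapping, Optional, Union

# Spellings accepted by Go's strconv.ParseBool, which the Vault CLI uses.
_TRUE = {"1", "t", "T", "TRUE", "true", "True"}
_FALSE = {"0", "f", "F", "FALSE", "false", "False"}


def parse_go_bool(value: str) -> bool:
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


@dataclass(frozen=True)
class ClientSettings:
    url: str
    token: Optional[str]
    verify: Union[bool, str]   # hvac's `verify`: True, False, or a CA bundle path

    def client_kwargs(self) -> dict:
        return {"url": self.url, "token": self.token, "verify": self.verify}


def settings_from_env(env: Mapping[str, str], token_sink: Optional[str] = None,
                      use_env_token: bool = True) -> ClientSettings:
    """Mirror the CLI's precedence; nothing is read implicitly later."""
    url = env.get("VAULT_ADDR", "https://127.0.0.1:8200")   # CLI default (assumption)

    # TLS verification: VAULT_SKIP_VERIFY wins, then VAULT_CACERT, else system CAs.
    skip = env.get("VAULT_SKIP_VERIFY")
    if skip is not None and parse_go_bool(skip):
        warnings.warn("VAULT_SKIP_VERIFY is set: TLS verification is OFF and the "
                      "token will be sent to whatever answers at " + url)
        verify: Union[bool, str] = False
    elif env.get("VAULT_CACERT"):
        verify = env["VAULT_CACERT"]
    else:
        verify = True

    # Token: only from the places the caller allows, never from hvac's own lookup.
    token = None
    if use_env_token:
        token = env.get("VAULT_TOKEN") or None
        if token is None and token_sink and os.path.isfile(token_sink):
            with open(token_sink) as fh:
                token = fh.read().strip() or None
    return ClientSettings(url=url, token=token, verify=verify)


def build_client(settings: ClientSettings):
    """Create the real client; hvac is imported lazily so the rest runs without it."""
    import hvac
    client = hvac.Client(**settings.client_kwargs())
    if settings.token is None:
        client.logout()   # discard whatever hvac picked up implicitly (the issue's workaround)
    return client


if __name__ == "__main__":
    print(settings_from_env(os.environ, token_sink=os.path.expanduser("~/.vault-token")))
```

A client built this way fails loudly on an untrusted certificate unless VAULT_SKIP_VERIFY was set on purpose, and with `use_env_token=False` it starts unauthenticated even when a stale token sits in the environment or the sink file.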

hvac package is still redirecting to the v1 version

opened on 2023-03-07 12:31:54 by surajtikoo

Hi Team, I am using the hvac package with my python code to read the secrets however the secrets are placed under the v2 version. I am using the 1.1.0 version for hvac. When I am trying to read the secrets the system is redirecting to the V1 irrespective of giving the V2 path.

```python
path = 'kv-test/test'
response = client.secrets.kv.v2.read_secret(path=path)
```

The system is giving the error "errorMessage": "1 error occurred:\n\t* permission denied\n\n, on get https://xxxxxxxx/v1/secret/data/kv-test/test",

The call is still going to the V1 version which is a bit strange to me.
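An added example (not hvac's code and not from the issue) of how `mount_point` and `path` combine into the URL shown in the error above. hvac's KV v2 methods request `/v1/<mount_point>/data/<path>` with `mount_point` defaulting to `secret`; the leading `/v1/` is the Vault HTTP API version, not the KV engine version, and the `/data/` segment is what marks a KV v2 call. The policy must therefore grant `read` on `<mount>/data/<path>`, while a KV v1 read of the same secret uses `<mount>/<path>`. The mount table is a constructed sample standing in for the output of `client.sys.list_mounted_secrets_engines()`.

```python
"""Split a full secret path into mount_point and path, and show where the request goes."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of a mount table: mount path -> engine description.
MOUNTS = {
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "kv-test/": {"type": "kv", "options": {"version": "2"}},
    "legacy/": {"type": "kv", "options": {"version": "1"}},
    "pki/": {"type": "pki", "options": {}},
}


@dataclass(frozen=True)
class KvTarget:
    mount_point: str
    path: str
    version: int

    @property
    def api_url(self) -> str:
        """URL hvac requests: the /data/ segment appears only for KV v2."""
        if self.version == 2:
            return f"/v1/{self.mount_point}/data/{self.path}"
        return f"/v1/{self.mount_point}/{self.path}"

    @property
    def acl_path(self) -> str:
        """The path an ACL policy must grant 'read' on (no /v1/ prefix)."""
        return self.api_url[len("/v1/"):]


def split_kv_path(full_path: str, mounts: dict) -> KvTarget:
    """Resolve 'kv-test/test' into mount_point='kv-test', path='test', version=2.

    The longest matching KV mount wins, as in Vault's own mount table lookup.
    """
    full_path = full_path.strip("/")
    best = None
    for mount, info in mounts.items():
        if info.get("type") != "kv":
            continue
        prefix = mount.rstrip("/") + "/"
        if (full_path + "/").startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    if best is None:
        raise ValueError(f"no KV engine mounted for {full_path!r}")
    version = int(mounts[best].get("options", {}).get("version", "1"))
    return KvTarget(mount_point=best.rstrip("/"), path=full_path[len(best):], version=version)


def read_kwargs(target: KvTarget) -> dict:
    """Keyword arguments for client.secrets.kv.v2.read_secret_version (or kv.v1.read_secret)."""
    return {"path": target.path, "mount_point": target.mount_point}


if __name__ == "__main__":
    wanted = split_kv_path("kv-test/test", MOUNTS)
    print(wanted.api_url, read_kwargs(wanted))                 # /v1/kv-test/data/test
    print(KvTarget("secret", "kv-test/test", 2).api_url)       # what the default mount_point produces
```

The URL in the error above is what the default `mount_point="secret"` produces when the whole `kv-test/test` string is passed as `path`; resolving the mount first gives `read_secret(path="test", mount_point="kv-test")` and the policy path `kv-test/data/test`.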

Add static account support to GCP secrets engine

opened on 2023-03-06 08:17:51 by mweigel

Hi all, I've started working on implementing static account functionality in the GCP secrets engine. I've also added the ability to rotate the root service account credentials. It seems to be working well so far and it'd be great to know if I'm on the right track and get some feedback before I go any further, thanks :)

TODO:

  • Access token and service account key generation functions for static accounts
  • More tests

Releases

v1.1.0 2023-03-06 14:03:12

📢 Deprecations / Announcements

  • v3.0.0 - The certificate parameter for create_ca_certificate_role will stop accepting file paths (GH-914)
  • Please note that hvac intends to drop support for EoL Python versions (GH-877)
  • v3.0.0 - The default value of raise_on_deleted_version will change from True to False (GH-955)
  • Allow for reading deleted secret versions (kv2) without an exception (GH-907)

🚀 Features

  • Allow for reading deleted secret versions (kv2) without an exception (GH-907)
  • AWS secret engine - fix generate_credentials for STS endpoint (GH-934)
  • Add support for custom metadata in kv2 engine (GH-805)
  • Add new field auto_rotate_period on transit key management (GH-903)

🐛 Bug Fixes

  • Allow for reading deleted secret versions (kv2) without an exception (GH-907)
  • fix vault client certificates loaded from environment variables (GH-943)
  • approle - fix metadata for generated secret IDs, re-add wrap_ttl (GH-782)
  • AWS secret engine - fix generate_credentials for STS endpoint (GH-934)
  • Propagate client's adapter to API categories (GH-939)
  • don't cache on py3.6 windows combo (GH-916)
  • Cert: Fix role certificate parameter (GH-886)

📚 Documentation

  • add documentation for retries (GH-948)
  • docs - sphinx - fail on warnings (GH-949)
  • Create userpass.rst (GH-775)
  • doc: update reference to removed method (GH-942)
  • Documentation updates for use with a private CA (GH-774)
  • Update Azure guideline with proper client variable (GH-935)
  • Update wrapping.rst - example for unauthenticated unwrap (GH-789)
  • Fix typo in the AWS auth method docs (GH-911)
  • Replace Azure docs occurrence to Kubernetes (GH-904)

🧰 Miscellaneous

  • Remove deprecated python syntax (GH-909)

Thanks to @BrandonHoffman, @Prividen, @WilkenSteiner, @aberenshtein, @adammike, @bendem, @briantist, @colin-pm, @dereckson, @dhuckins, @gmsantos, @jackcasey-visier, @localden, @nneul, @rhowe and @sebglon for their lovely contributions.

v1.0.2 2022-09-19 01:06:33

  • Update dependencies. GH-897

v1.0.1 2022-09-18 16:54:07

🐛 Bug Fixes

  • Add role_name parameter to auth.token.create_orphan. GH-891
  • docs: Add RTD config. GH-894

📚 Documentation

  • docs: Add RTD config. GH-894

v1.0.0 2022-09-16 01:37:51

  • Update changelog for 1.0.0 release. GH-890
  • CI: Update Vault versions for integration tests. GH-884
  • Tests: Handle 204 response in jwt test. GH-881
  • Tests: Fix kubernetes integration test. GH-880
  • Tests: Fix broken oidc test. GH-879
  • Tests: Fix Azure test failure. GH-878
  • Tests: Handle different response due to upstream change. GH-876
  • Tests: Fix Github auth tests. GH-875
  • Test utils: Fix OTP length for Vault >=1.10.0. GH-872
  • Test utils: Migrate to packaging module's Version. GH-871
  • Integration Tests: Fix GCP test error. GH-870
  • build-test: Fix windows job. GH-845
  • build-test: Add test. GH-844
  • Bump version: 0.11.2 → 1.0.0. GH-829

💥 Breaking Changes

  • Legacy MFA: Move mfa authentication method to legacy MFA method. GH-883
  • Remove deprecated methods. GH-868
  • Remove redundant code for Python <= 3.5. GH-822
  • Drop Python 2 and EOL Python 3 versions. GH-819

🚀 Features

  • Token: Add create orphaned token method. GH-869
  • Allow configuring the possible salt lengths for RSA PSS signatures. GH-846
  • ssh: Add secret engine. GH-811

🐛 Bug Fixes

  • setup.py: Add encoding for long_description. GH-843
  • Don't override user warning filters. GH-818

📚 Documentation

  • Migrate to Poetry. GH-854
  • docs(auth-methods): update kubernetes. GH-837
  • README: Remove help wanted note. GH-848
  • Update kubernetes authentication example. GH-827

🧰 Miscellaneous

  • .gitignore: Add vscode config directory. GH-867
  • Add stock version-resolver cfg for release-drafter. GH-836
  • Release drafter tweaks. GH-835
  • Add commitish to release-drafter.yml. GH-832
  • Bump dependencies. GH-826
  • Readding 3.6 support. GH-823
  • Add support for Python 3.10. GH-821
  • Fix CI. GH-812

v0.11.2 2021-09-23 17:46:20

Breakfix release to revert some unintended post-1.0 requirements changes.

🐛 Bug Fixes

  • Revert six & requests Requirements Changes . GH-768

v0.11.1 2021-09-22 16:45:44

💥 Breaking Changes

  • Note: This is actually and truly (😝) intended to be the last hvac release supporting Python 2.7.

Starting with hvac version 1.0.0, Python versions >=3.6 will be the only explicitly supported versions.

  • Requirements - Cleanup & Upgrades (install_requires => requests>=2.25.1). GH-741

🚀 Features

  • Add X-Vault-Request header to all requests by default. GH-762
  • Add token_type to kubernetes auth create_role. GH-760
  • jwt: use login adapter and add use_token param. GH-746

🐛 Bug Fixes

  • Fix Passing of cert Parameter From Client into Adapter Class. GH-743
  • Removed vestigial accessor parameter from auth token revoke_self. GH-744
  • Fix Client TLS verify Behavior . GH-745
  • Fix incorrect recovery key backup path. GH-749

Thanks to @Tylerlhess, @anhdat, @ayav09, @bobmshannon, @bpatterson971, @briantist, @cmanfre4, @jeffwecan, Chris Manfre and tyhess for their lovely contributions.

hvac

Collection of Python tools for use with HashiCorp's Vault
