extras.vault — Hashicorp Vault Secrets Management


A YellowService for running a Hashicorp Vault service. Runs the official Vault docker image.

Note

Requires the vault extra. For more information, see our installation guide.

class extras.vault.VaultService(docker_client: DockerClient, image: str = 'vault:latest', root_token: str = 'guest', *, container_create_kwargs: dict[str, Any] | None = None, **kwargs)[source]

A service to run a Hashicorp Vault server. Inherits from SingleContainerService. Usable with RunMixin and AsyncRunMixin.

Parameters:
  • docker_client – The docker client used to pull and create the Vault container.

  • image – The image name to create a container of.

  • root_token – The root access token string for the new Vault container.

  • container_create_kwargs – Additional keyword arguments passed to docker.models.containers.ContainerCollection.create().

  • **kwargs – Additional keyword arguments passed to SingleContainerService.

Has the following additional methods:

client_port() int[source]

Returns the port to be used when connecting to the vault server from the docker host.

local_url() str[source]

Returns the HTTP URL to be used when connecting to the vault server from the local host.

container_url() str[source]

Returns the HTTP URL to be used when connecting to the vault server from a container through the docker host.

sibling_container_url(container_alias: str) str[source]

Returns the HTTP URL to be used when connecting to the vault server from a container through a shared network.

Parameters:

container_alias – The alias of the vault container within the network.

client(**kwargs) ContextManager[Client][source]

Returns a context manager that creates a hvac.v1.Client with root privilege, and closes the client when exited.

Parameters:

**kwargs – Additional keyword arguments passed to Client.

set_users(userpass: Iterable[tuple[str, str]], policy_name: str = 'dev', policy: dict | None = ...)[source]

Creates or updates a collection of users with a specific policy.

Parameters:
  • userpass – An iterable of username-password tuples.

  • policy_name – The name of the policy to be applied to the users.

  • policy – If not None, creates or updates a policy with the name policy_name and access in accordance with policy as a JSON style policy syntax object. Default is a policy with read-only access to all secrets.
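Added example, not part of the yellowbox documentation: instead of the default read-everything policy, build a policy object in the JSON form set_users accepts that is scoped to one KV v2 prefix, and check offline which capabilities it grants on a path before handing it to Vault. The helper names (kv_read_only_policy, capabilities, provision_app_readers) are hypothetical, the mount is assumed to be the default 'secret', and the matching rules are a simplified version of Vault's policy semantics (exact rule wins, then the longest matching rule; '+' matches one segment, a trailing '*' is a glob; 'deny' removes everything).

```python
from typing import Iterable


def kv_read_only_policy(mount: str, prefix: str) -> dict:
    """Policy in the JSON form set_users() accepts: read on KV v2 data and
    list/read on metadata below one prefix, nothing else (least privilege)."""
    return {
        "path": {
            f"{mount}/data/{prefix}/*": {"capabilities": ["read"]},
            f"{mount}/metadata/{prefix}/*": {"capabilities": ["list", "read"]},
        }
    }


def _path_matches(pattern: str, path: str) -> bool:
    """Vault rule matching: '+' matches one segment, a trailing '*' is a glob."""
    pat, parts = pattern.split("/"), path.split("/")
    glob = pat[-1].endswith("*")
    if (not glob and len(pat) != len(parts)) or len(parts) < len(pat):
        return False
    for i, seg in enumerate(pat):
        if glob and i == len(pat) - 1:
            return parts[i].startswith(seg[:-1])
        if seg != "+" and seg != parts[i]:
            return False
    return True


def capabilities(policy: dict, path: str) -> set[str]:
    """Capabilities the policy grants on `path`: an exact rule wins, otherwise
    the longest matching rule (Vault's precedence); 'deny' removes everything."""
    rules = policy.get("path", {})
    if path in rules:
        rule = rules[path]
    else:
        matching = [p for p in rules if _path_matches(p, path)]
        if not matching:
            return set()
        rule = rules[max(matching, key=len)]
    caps = set(rule.get("capabilities", []))
    return set() if "deny" in caps else caps


def provision_app_readers(service, userpass: Iterable[tuple[str, str]]) -> dict:
    """Create the users with a policy scoped to secret/app instead of the
    default read-everything policy; `service` is a started VaultService."""
    policy = kv_read_only_policy("secret", "app")  # hypothetical prefix 'app'
    service.set_users(userpass, policy_name="app-reader", policy=policy)
    return policy
```

With the page's set_secrets example, a user created this way can read secret/data/app/... but gets nothing on 'foo' or 'tlee/gmoo'.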

set_secrets(secrets: Mapping[str, Mapping[str, ...]])[source]

Creates or updates secrets in the service.

Parameters:

secrets – A mapping of paths to secret value objects.

service: VaultService  # an already running VaultService (e.g. started via RunMixin)
service.set_secrets({
    'foo': {'smee': {'lee': 23}},
    'tlee/gmoo': {'hero': 'shmero'},
})
# Read the values back with a root client; the KV v2 API nests them under ['data']['data'].
with service.client() as client:
    assert client.secrets.kv.read_secret('foo')['data']['data'] == {'smee': {'lee': 23}}
    assert client.secrets.kv.read_secret('tlee/gmoo')['data']['data'] == {'hero': 'shmero'}

clear_secrets(root_path: str = '/')

Recursively removes all secrets and subdirectories under the given root path.

Parameters:

root_path – The root path to delete all secrets under. Must end with a slash.

Note

This method will not delete the root path itself if a secret is assigned to it.