Skip to main content

Python client for the Conjur API

Project description

A Python client for the Conjur API.

Installation

Install from PyPI

pip install conjur

Basic Usage

import os
import conjur

api = conjur.new_from_key(login='danny', api_key=os.getenv('CONJUR_API_KEY'))
mongo_password = api.variable('service_a/mongodb_password').value()

new_from_key accepts a Conjur username and an api_key or password (see the Conjur developer documentation for details about the distinction). This is useful if your script is authenticating as an particular Conjur identity rather than acting on behalf of a user who has provided their token.

When created using this method, the API will attempt to authenticate the first time a method requiring authorization is called. To force it to authenticate immediately, you can use the authenticate() method. An instance created with new_from_key will cache it’s auth token indefinitely. Since Conjur auth tokens expire after 8 minutes, you can force an api instance to update its token by calling api.authenticate(cached=False) or by setting api.token = None.

Advanced Usage

If the host running your application has been assigned a Conjur identity new_from_netrc is the easiest way to create an API instance.

import conjur
from conjur.config import config

config.load('/etc/conjur.conf')
api = conjur.new_from_netrc('/etc/conjur.identity', config=config)

If you have an existing authentication token, for example when handling an HTTP request that contains an end user’s token, use new_from_token to create your API instance.

import conjur
# ... some web magic

api = conjur.new_from_token(request.get_json()['user_token'])
salesforce_apikey = api.variable('sales/salesforce/api_key')

Configuration

Conjur requires endpoint configuration, which can be provided via environment variables or a YAML configuration file.

Environment variables

Setting CONJURRC and CONJUR_APPLIANCE_URL variables will allow you to to connect.

Other available variables are named by capitalizing the corresponding config variable and prefixing it with 'CONJUR_'. For example, the appliance_url variable can be configured with CONJUR_APPLIANCE_URL. See all variables at the bottom here

For development purposes you can provide service specific urls, for example, CONJUR_AUTHN_URL.

YAML file

Conjurized hosts will have this file placed at /etc/conjur.conf.

Running locally this will be your ~/.conjurrc file.

from conjur.config import config

config.load('/etc/conjur.conf')

Variables

You can create, fetch and update variables like so:

import os
import conjur

api = conjur.new_from_key(login='danny', api_key=os.getenv('CONJUR_API_KEY'))

loggly_token = api.create_variable(
    id='monitoring/loggly.com/api-token',
    value='dEet7Hib1oSh9g'
)

gis_database_password = api.variable('gis/postgres/password')
print(gis_database_password.value())

gis_database_password.add_value('lij6det8eJ7pIx')

If no id is given, a unique id will be generated. If a value is provided, it will be used to set the variable’s initial value. When fetching a variable, you can pass version to value() to retrieve a specific version.

Other Conjur resources

Layers, hosts, groups, users and pubkeys can be created/fetched/updated by other methods on the API class.


Development

Clone this project and run:

pip install -r requirements.txt -r requirements_dev.txt

Run tests and linting with:

./jenkins.sh

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Conjur-0.3.2.tar.gz (13.2 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page