Skip to main content

Helper functionality for obtaining secrets and credentials from Hashicorp Vault in a Django project

Project description

build license kit format

This is a helper library with the goal of making it easier to retrieve secrets from Hasicorp Vault from a Django project.

Installation

Install django-vault-helpers from pip.

$ pip install django-vault-helpers

Add the new packages to your installed apps.

INSTALLED_APPS = [
    ...
    'postgresql_setrole',
    'vault12factor',
    'vaulthelpers',
    ...
]

Authenticating to Vault

Configure connection settings using environment variables to authenticate to Vault.

Environment Variable

Description

VAULT_URL

Required. The URL of the Vault API. For example, https://vault:8200/.

VAULT_CACERT

Optional. File path to the Vault CA certificate.

VAULT_SKIP_VERIFY

Optional. Set to disable validation of Vault’s SSL cert.

VAULT_DEBUG

Optional. Enable Vault debug logging.

In addition to the settings above, you must provide environment variables for one of the authentication methods below.

Environment Variable

Description

VAULT_TOKEN

Token for Vault Token authentication

VAULT_APPID, VAULT_USERID

App-ID authentication

VAULT_SSLCERT, VAULT_SSLKEY

SSL Client Cert authentication

Database Connection Secrets

To use Vault to load database connection configuration and credentials, configure the Vault database secret backend as described in the Database secret backend documentation. For example:

$ vault mount database
Successfully mounted 'database' at 'database'!
$ CONNECTION_NAME='myapplication'
$ CONNECTION_URL='postgresql://vaultuser:FOO@mydb:5432/myapplication'
$ PARENT_ROLE_NAME='myapplication'
$ vault write "database/config/$CONNECTION_NAME" \
        plugin_name="postgresql-database-plugin" \
        allowed_roles="$CONNECTION_NAME" \
        connection_url="$CONNECTION_URL"
$ vault write "database/roles/$CONNECTION_NAME" \
        db_name="$CONNECTION_NAME" \
        creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN ENCRYPTED PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' IN ROLE \"${PARENT_ROLE_NAME}\" INHERIT NOCREATEROLE NOCREATEDB NOSUPERUSER NOREPLICATION;" \
        default_ttl="1h" \
        max_ttl="24h"

Next, add settings via the following environment variables.

Environment Variable

Description

VAULT_DATABASE_PATH

Vault path to read from when fetching database credentials. For example, database/creds/myapplication.

DATABASE_URL

Database connection string, sans the username and password. For example, postgres://mydb:5432/myapplication.

DATABASE_OWNERROLE

For PostgreSQL, the name of the role to assume after connecting using SET ROLE

Finally, edit your projects settings.py file to load database configuration using Vault.

import vaulthelpers

# Load database credentials from Vault
DATABASES = {
    'default': vaulthelpers.database.get_config(),
}

To add additional keys to the database configuration, pass in a dictionary to the get_config call. For example:

import vaulthelpers

# Load database credentials from Vault
DATABASES = {
    'default': vaulthelpers.database.get_config({
        'ATOMIC_REQUESTS': True,
        'CONN_MAX_AGE': 3600,
    }),
}

AWS Credentials

To use Vault to load IAM or STS credentials for AWS, configure the Vault AWS secret backend as described in the AWS secret backend documentation.

$ vault mount aws
Successfully mounted 'aws' at 'aws'!
$ vault write aws/config/root \
        access_key=AKIAJWVN5Z4FOFT7NLNA \
        secret_key=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 \
        region=us-east-1
$ vault write aws/roles/myapplication \
        arn=arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/MyApplicationRoleName

Next, add settings via the following environment variables.

Environment Variable

Description

VAULT_AWS_PATH

Vault path to read from when fetching AWS credentials. For example, aws/sts/myapplication.

Finally, configure you Django project to load AWS credentials using Vault. To do this, edit the settings.py file to include the following line.

import vaulthelpers

# Load AWS credentials from Vault
vaulthelpers.aws.init_boto3_credentials()

This will override the credential resolve code in boto3 and botocore so that it will fetch credentials from Vault instead of the usual means, like environment variables or the EC2 metadata service.

Direct HVAC Client Access

To directly access the authentication hvac client connector, fetch it from the vaulthelpers.common module.

import vaulthelpers

vault_auth = vaulthelpers.common.get_vault_auth()
verify = vaulthelpers.common.VAULT_CACERT or vaulthelpers.common.VAULT_SSL_VERIFY
vcl = vault_auth.authenticated_client(vaulthelpers.common.VAULT_URL, verify=verify)
result = vcl.read('secret/apps/myaplication')
print(result)

Changelog

0.3.2

  • Prevent recycling TCP connections after forking a process.

0.3.1

  • Fixed TCP connection issue by caching VaultAuthenticator instance in thread local storage.

0.3.0

  • Add file system caching of vault tokens.

0.2.0

  • Add S3 storage backend based on storages.backends.s3boto3.S3Boto3Storage.

0.1.0

  • Initial release.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-vault-helpers-0.3.2.tar.gz (11.3 kB view details)

Uploaded Source

Built Distribution

django_vault_helpers-0.3.2-py3-none-any.whl (14.1 kB view details)

Uploaded Python 3

File details

Details for the file django-vault-helpers-0.3.2.tar.gz.

File metadata

File hashes

Hashes for django-vault-helpers-0.3.2.tar.gz
Algorithm Hash digest
SHA256 fedc8558fbd68f28c262a0a7b9eb47c14123e471b88eeb453b349fac474638cb
MD5 b4e4c1e1ae035fc0dc1f57883f0e37f9
BLAKE2b-256 6c463ddf871d0e28e6ce6e5ff8965f883be60a34b93fdc1409ac60ecd782d981

See more details on using hashes here.

File details

Details for the file django_vault_helpers-0.3.2-py3-none-any.whl.

File metadata

File hashes

Hashes for django_vault_helpers-0.3.2-py3-none-any.whl
Algorithm Hash digest
SHA256 cbd61e01f92ca60eb47dbfdd8a93a649e3a40d72a2bf0fe4368cdaa0e8a9ecaf
MD5 3ae118ad1ad076d0755fea9627aa3338
BLAKE2b-256 91a0ab7a99d3962cbe7ea321f8a38a36acf204d460ed96d6165b12231e060b86

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page