Vault implementation in Python software (HashiCorp)
PySecVault
HashiCorp Vault implementation in Python software
Pre-requisites
To use this software, you need a running instance of HashiCorp Vault. You can find the installation instructions here.
Alternatively, you can use the Docker image provided by HashiCorp here.
docker run --cap-add=IPC_LOCK \
  -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' \
  -p 8200:8200 vault server
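After running this command, you can access the Vault UI at http://localhost:8200 and follow the instructions to initialize the vault. This configuration sets tls_disable to true and listens on 0.0.0.0, so tokens and secrets travel over plain HTTP; use it for local testing only.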
Installation
pip install py-sec-vault
Usage
from vault import Vault
vault = Vault(
    host="http://localhost:8200/",
    auth_method="approle",
    engine_name="my_engine_name",
    path="my_vault_path",
    token="my_vault_token",
)
# Prints the keys in the vault, validating if the vault is initialized;
print(vault.keys)
# Retrieving a secret from the vault, or None if not found
my_optional_secret = vault.get("MY_SECRET")
# Retrieving a secret from the vault (and raising an exception if not found)
my_secret = vault["MY_SECRET"]
Usage with environment variables
To configure the vault through environment variables, first set the following variables:
export VAULT_HOST=http://localhost:8200/
export VAULT_AUTH_METHOD=approle  # one of: approle, token
export VAULT_ENGINE_NAME="<my_engine_name>"
export VAULT_ROLE_ID="<my_vault_id>"
export VAULT_SECRET_ID="<my_vault_secret>"
export VAULT_PATH="<my_vault_path>"
Second, you can use the following code to retrieve the secrets from the vault or environment variables:
from vault import from_env_or_vault, from_vault
# NB: These functions will instantiate a Vault object and retrieve the secret from the vault
# resulting in a performance penalty if used in a loop. Alternatively, you can instantiate a Vault object
# once and use the get method to retrieve the secrets (next example).
# Retrieving a secret from the vault or environment variable or using a default value
from_env_or_vault("DB_PASSWORD", default="admin")
# Retrieving a secret from the vault (and raising an exception if not found)
from_vault("API_TOKEN")
To retrieve all secrets from the vault, you can use the following code:
from vault import Vault
# This will connect to the vault based on the environment variables;
vault = Vault()
# Prints the keys in the vault, validating if the vault is initialized;
print(vault.keys)
# Retrieving a secret from the vault, or None if not found
my_optional_secret = vault.get("MY_SECRET")
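The note above about the cost of creating a Vault object on every call can be handled with a small wrapper that connects lazily, once, and raises when a secret is missing instead of falling back to a built-in default. This is an added example, not part of py-sec-vault: `SecretResolver`, `FakeVault` and their methods are hypothetical names, and the only assumption about the real client is the `.get(key)` method shown above, which returns None when the key is absent.

```python
import os
from typing import Callable, Mapping, Optional


class SecretResolver:
    """Hypothetical helper: connect to Vault lazily, once, and reuse the client."""

    def __init__(self, client_factory: Callable[[], object],
                 environ: Optional[Mapping[str, str]] = None):
        self._factory = client_factory  # e.g. the package's Vault class
        self._environ = os.environ if environ is None else environ
        self._client = None
        self.connections = 0  # number of times a client was built

    def _vault(self):
        if self._client is None:  # first lookup that really needs Vault
            self._client = self._factory()
            self.connections += 1
        return self._client

    def env_or_vault(self, key: str) -> str:
        """Environment first; Vault is contacted only on a miss."""
        value = self._environ.get(key)
        if value is None:
            value = self._vault().get(key)
        return self._require(key, value)

    def vault_or_env(self, key: str) -> str:
        """Vault first; the environment is the fallback."""
        value = self._vault().get(key)
        if value is None:
            value = self._environ.get(key)
        return self._require(key, value)

    @staticmethod
    def _require(key: str, value: Optional[str]) -> str:
        if value is None:  # fail closed instead of using a built-in default
            raise KeyError(f"secret {key!r} not found in Vault or environment")
        return value


class FakeVault:
    """Constructed stand-in exposing only the .get() method shown above."""

    def __init__(self, data: Mapping[str, str]):
        self._data = dict(data)

    def get(self, key: str) -> Optional[str]:
        return self._data.get(key)
```

With py-sec-vault installed, `SecretResolver(Vault)` would use the real client, since `Vault()` reads its connection settings from the environment variables listed above.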
Next steps
- Make sure the vault is not initialized every time, but only when needed
- On init load multiple paths/engines
- Add support for other auth methods
- Phase out the use of hvac and use requests instead
- Implementation of from_vault_or_env
Hashes for py_sec_vault-0.1.3-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 571d5b316d664bbf976626dfce565b2abf535cf72bb601cac156ada38d6cd75e
MD5 | 93dc61df47c2db2d896be754567e813e
BLAKE2b-256 | 68d05ecd9219f95cb9e814c68424a1bef12aca2fde4a10aefbe70714f4c2f501