def create_custom_secret_id(self,
role_name,
secret_id,
metadata=None,
cidr_list=None,
token_bound_cidrs=None,
mount_point=DEFAULT_MOUNT_POINT):
"""
Generates and issues a new Secret ID on a role in the auth method.
Supported methods:
POST: /auth/{mount_point}/role/{role_name}/custom-secret-id. Produces: 200 application/json
:param role_name: The name for the role.
:type role_name: str | unicode
:param secret_id: The Secret ID to read.
:type secret_id: str | unicode
:param metadata: Metadata to be tied to the Secret ID.
:type metadata: dict
:param cidr_list: Blocks of IP addresses which can perform login operations.
:type cidr_list: list
:param token_bound_cidrs: Blocks of IP addresses which can authenticate successfully.
:type token_bound_cidrs: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the read_role_id request.
:rtype: dict
"""
if metadata is not None and not isinstance(metadata, dict):
error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"'
raise exceptions.ParamValidationError(
error_msg.format(
arg=metadata,
arg_type=type(metadata),
))
params = {'secret_id': secret_id, 'metadata': metadata}
list_of_strings_params = {
'cidr_list': cidr_list,
'token_bound_cidrs': token_bound_cidrs
}
for param_name, param_argument in list_of_strings_params.items():
validate_list_of_strings_param(
param_name=param_name,
param_argument=param_argument,
)
if param_argument is not None:
params[param_name] = list_to_comma_delimited(param_argument)
api_path = utils.format_url(
'/v1/auth/{mount_point}/role/{role_name}/custom-secret-id',
mount_point=mount_point,
role_name=role_name)
return self._adapter.post(url=api_path, json=params)
def create_role(self,
name,
role_type,
project_id,
ttl=None,
max_ttl=None,
period=None,
policies=None,
bound_service_accounts=None,
max_jwt_exp=None,
allow_gce_inference=None,
bound_zones=None,
bound_regions=None,
bound_instance_groups=None,
bound_labels=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Register a role in the GCP auth method.
Role types have specific entities that can perform login operations against this endpoint. Constraints specific
to the role type must be set on the role. These are applied to the authenticated entities attempting to
login.
Supported methods:
POST: /auth/{mount_point}/role/{name}. Produces: 204 (empty body)
:param name: The name of the role.
:type name: str | unicode
:param role_type: The type of this role. Certain fields correspond to specific roles and will be rejected
otherwise.
:type role_type: str | unicode
:param project_id: The GCP project ID. Only entities belonging to this project can authenticate with this role.
:type project_id: str | unicode
:param ttl: The TTL period of tokens issued using this role. This can be specified as an integer number of
seconds or as a duration value like "5m".
:type ttl: str | unicode
:param max_ttl: The maximum allowed lifetime of tokens issued in seconds using this role. This can be specified
as an integer number of seconds or as a duration value like "5m".
:type max_ttl: str | unicode
:param period: If set, indicates that the token generated using this role should never expire. The token should
be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the
value of this parameter. This can be specified as an integer number of seconds or as a duration value like
"5m".
:type period: str | unicode
:param policies: The list of policies to be set on tokens issued using this role.
:type policies: list
:param bound_service_accounts: <required for iam> A list of service account emails or IDs that login is
restricted to. If set to `*`, all service accounts are allowed (role will still be bound by project). Will be
inferred from service account used to issue metadata token for GCE instances.
:type bound_service_accounts: list
:param max_jwt_exp: <iam only> The number of seconds past the time of authentication that the login param JWT
must expire within. For example, if a user attempts to login with a token that expires within an hour and
this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a
shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized.
:type max_jwt_exp: str | unicode
:param allow_gce_inference: <iam only> A flag to determine if this role should allow GCE instances to
authenticate by inferring service accounts from the GCE identity metadata token.
:type allow_gce_inference: bool
:param bound_zones: <gce only> The list of zones that a GCE instance must belong to in order to be
authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must
belong to this zone.
:type bound_zones: list
:param bound_regions: <gce only> The list of regions that a GCE instance must belong to in order to be
authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group
must belong to this region. If bound_zones are provided, this attribute is ignored.
:type bound_regions: list
:param bound_instance_groups: <gce only> The instance groups that an authorized instance must belong to in
order to be authenticated. If specified, either bound_zones or bound_regions must be set too.
:type bound_instance_groups: list
:param bound_labels: <gce only> A list of GCP labels formatted as "key:value" strings that must be set on
authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in
conjunction with other restrictions.
:type bound_labels: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The data key from the JSON response of the request.
:rtype: requests.Response
"""
type_specific_params = {
'iam': {
'max_jwt_exp': None,
'allow_gce_inference': None,
},
'gce': {
'bound_zones': None,
'bound_regions': None,
'bound_instance_groups': None,
'bound_labels': None,
},
}
list_of_strings_params = {
'policies': policies,
'bound_service_accounts': bound_service_accounts,
'bound_zones': bound_zones,
'bound_regions': bound_regions,
'bound_instance_groups': bound_instance_groups,
'bound_labels': bound_labels,
}
for param_name, param_argument in list_of_strings_params.items():
validate_list_of_strings_param(
param_name=param_name,
param_argument=param_argument,
)
if role_type not in ALLOWED_ROLE_TYPES:
error_msg = 'unsupported role_type argument provided "{arg}", supported types: "{role_types}"'
raise exceptions.ParamValidationError(
error_msg.format(
arg=type,
role_types=','.join(ALLOWED_ROLE_TYPES),
))
params = {
'type': role_type,
'project_id': project_id,
'policies': list_to_comma_delimited(policies),
}
params.update(
utils.remove_nones({
'ttl': ttl,
'max_ttl': max_ttl,
'period': period,
}))
if bound_service_accounts is not None:
params['bound_service_accounts'] = list_to_comma_delimited(
bound_service_accounts)
if role_type == 'iam':
params.update(
utils.remove_nones({
'max_jwt_exp': max_jwt_exp,
'allow_gce_inference': allow_gce_inference,
}))
for param, default_arg in type_specific_params['gce'].items():
if locals().get(param) != default_arg:
warning_msg = 'Argument for parameter "{param}" ignored for role type iam'.format(
param=param)
logger.warning(warning_msg)
elif role_type == 'gce':
if bound_zones is not None:
params['bound_zones'] = list_to_comma_delimited(bound_zones)
if bound_regions is not None:
params['bound_regions'] = list_to_comma_delimited(
bound_regions)
if bound_instance_groups is not None:
params['bound_instance_groups'] = list_to_comma_delimited(
bound_instance_groups)
if bound_labels is not None:
params['bound_labels'] = list_to_comma_delimited(bound_labels)
for param, default_arg in type_specific_params['iam'].items():
if locals().get(param) != default_arg:
warning_msg = 'Argument for parameter "{param}" ignored for role type gce'.format(
param=param)
logger.warning(warning_msg)
api_path = utils.format_url(
'/v1/auth/{mount_point}/role/{name}',
mount_point=mount_point,
name=name,
)
return self._adapter.post(
url=api_path,
json=params,
)
def tune_auth_method(self,
path,
default_lease_ttl=None,
max_lease_ttl=None,
description=None,
audit_non_hmac_request_keys=None,
audit_non_hmac_response_keys=None,
listing_visibility=None,
passthrough_request_headers=None,
**kwargs):
"""Tune configuration parameters for a given auth path.
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without
sudo via sys/mounts/auth/[auth-path]/tune.
Supported methods:
POST: /sys/auth/{path}/tune. Produces: 204 (empty body)
:param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
argument.
:type path: str | unicode
:param default_lease_ttl: Specifies the default time-to-live. If set on a specific auth path, this overrides the
global default.
:type default_lease_ttl: int
:param max_lease_ttl: The maximum time-to-live. If set on a specific auth path, this overrides the global
default.
:type max_lease_ttl: int
:param description: Specifies the description of the mount. This overrides the current stored value, if any.
:type description: str | unicode
:param audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
request data object.
:type audit_non_hmac_request_keys: array
:param audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
response data object.
:type audit_non_hmac_response_keys: list
:param listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. Valid
values are "unauth" or "".
:type listing_visibility: list
:param passthrough_request_headers: List of headers to whitelist and pass from the request to the backend.
:type passthrough_request_headers: list
:param kwargs: All dicts are accepted and passed to vault. See your specific secret engine for details on which
extra key-word arguments you might want to pass.
:type kwargs: dict
:return: The response of the request.
:rtype: requests.Response
"""
if listing_visibility is not None and listing_visibility not in [
'unauth', ''
]:
error_msg = 'invalid listing_visibility argument provided: "{arg}"; valid values: "unauth" or ""'.format(
arg=listing_visibility, )
raise exceptions.ParamValidationError(error_msg)
# All parameters are optional for this method. Until/unless we include input validation, we simply loop over the
# parameters and add which parameters are set.
optional_parameters = {
'default_lease_ttl': dict(),
'max_lease_ttl': dict(),
'description': dict(),
'audit_non_hmac_request_keys': dict(comma_delimited_list=True),
'audit_non_hmac_response_keys': dict(comma_delimited_list=True),
'listing_visibility': dict(),
'passthrough_request_headers': dict(comma_delimited_list=True),
}
params = {}
for optional_parameter, parameter_specification in optional_parameters.items(
):
if locals().get(optional_parameter) is not None:
if parameter_specification.get('comma_delimited_list'):
argument = locals().get(optional_parameter)
validate_list_of_strings_param(optional_parameter,
argument)
params[optional_parameter] = list_to_comma_delimited(
argument)
else:
params[optional_parameter] = locals().get(
optional_parameter)
params.update(kwargs)
api_path = utils.format_url('/v1/sys/auth/{path}/tune', path=path)
return self._adapter.post(
url=api_path,
json=params,
)
def create_or_update_approle(self,
role_name,
bind_secret_id=None,
secret_id_bound_cidrs=None,
secret_id_num_uses=None,
secret_id_ttl=None,
enable_local_secret_ids=None,
token_ttl=None,
token_max_ttl=None,
token_policies=None,
token_bound_cidrs=None,
token_explicit_max_ttl=None,
token_no_default_policy=None,
token_num_uses=None,
token_period=None,
token_type=None,
mount_point=DEFAULT_MOUNT_POINT):
"""
Create/update approle.
Supported methods:
POST: /auth/{mount_point}/role/{role_name}. Produces: 204 (empty body)
:param role_name: The name for the approle.
:type role_name: str | unicode
:param bind_secret_id: Require secret_id to be presented when logging in using this approle.
:type bind_secret_id: bool
:param secret_id_bound_cidrs: Blocks of IP addresses which can perform login operations.
:type secret_id_bound_cidrs: list
:param secret_id_num_uses: Number of times any secret_id can be used to fetch a token.
A value of zero allows unlimited uses.
:type secret_id_num_uses: int
:param secret_id_ttl: Duration after which a secret_id expires. This can be specified
as an integer number of seconds or as a duration value like "5m".
:type secret_id_ttl: str | unicode
:param enable_local_secret_ids: Secret IDs generated using role will be cluster local.
:type enable_local_secret_ids: bool
:param token_ttl: Incremental lifetime for generated tokens. This can be specified
as an integer number of seconds or as a duration value like "5m".
:type token_ttl: str | unicode
:param token_max_ttl: Maximum lifetime for generated tokens: This can be specified
as an integer number of seconds or as a duration value like "5m".
:type token_max_ttl: str | unicode
:param token_policies: List of policies to encode onto generated tokens.
:type token_policies: list
:param token_bound_cidrs: Blocks of IP addresses which can authenticate successfully.
:type token_bound_cidrs: list
:param token_explicit_max_ttl: If set, will encode an explicit max TTL onto the token. This can be specified
as an integer number of seconds or as a duration value like "5m".
:type token_explicit_max_ttl: str | unicode
:param token_no_default_policy: Do not add the default policy to generated tokens, use only tokens
specified in token_policies.
:type token_no_default_policy: bool
:param token_num_uses: Maximum number of times a generated token may be used. A value of zero
allows unlimited uses.
:type token_num_uses: int
:param token_period: The period, if any, to set on the token. This can be specified
as an integer number of seconds or as a duration value like "5m".
:type token_period: str | unicode
:param token_type: The type of token that should be generated, can be "service", "batch", or "default".
:type token_type: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
"""
list_of_strings_params = {
'secret_id_bound_cidrs': secret_id_bound_cidrs,
'token_policies': token_policies,
'token_bound_cidrs': token_bound_cidrs
}
if token_type is not None and token_type not in ALLOWED_TOKEN_TYPES:
error_msg = 'unsupported token_type argument provided "{arg}", supported types: "{token_types}"'
raise exceptions.ParamValidationError(
error_msg.format(
arg=token_type,
token_types=','.join(ALLOWED_TOKEN_TYPES),
))
params = dict()
for param_name, param_argument in list_of_strings_params.items():
validate_list_of_strings_param(
param_name=param_name,
param_argument=param_argument,
)
if param_argument is not None:
params[param_name] = list_to_comma_delimited(param_argument)
params.update(
utils.remove_nones({
'bind_secret_id': bind_secret_id,
'secret_id_num_uses': secret_id_num_uses,
'secret_id_ttl': secret_id_ttl,
'enable_local_secret_ids': enable_local_secret_ids,
'token_ttl': token_ttl,
'token_max_ttl': token_max_ttl,
'token_explicit_max_ttl': token_explicit_max_ttl,
'token_no_default_policy': token_no_default_policy,
'token_num_uses': token_num_uses,
'token_period': token_period,
'token_type': token_type
}))
api_path = utils.format_url('/v1/auth/{mount_point}/role/{name}',
mount_point=mount_point,
name=role_name)
return self._adapter.post(url=api_path, json=params)
def tune_auth_method(self, path, default_lease_ttl=None, max_lease_ttl=None, description=None,
audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility='',
passthrough_request_headers=None):
"""Tune configuration parameters for a given auth path.
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without
sudo via sys/mounts/auth/[auth-path]/tune.
Supported methods:
POST: /sys/auth/{path}/tune. Produces: 204 (empty body)
:param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
argument.
:type path: str | unicode
:param default_lease_ttl: Specifies the default time-to-live. If set on a specific auth path, this overrides the
global default.
:type default_lease_ttl: int
:param max_lease_ttl: The maximum time-to-live. If set on a specific auth path, this overrides the global
default.
:type max_lease_ttl: int
:param description: Specifies the description of the mount. This overrides the current stored value, if any.
:type description: str | unicode
:param audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
request data object.
:type audit_non_hmac_request_keys: array
:param audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
response data object.
:type audit_non_hmac_response_keys: list
:param listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. Valid
values are "unauth" or "".
:type listing_visibility: list
:param passthrough_request_headers: List of headers to whitelist and pass from the request to the backend.
:type passthrough_request_headers: list
:return: The response of the request.
:rtype: requests.Response
"""
if listing_visibility not in ['unauth', '']:
error_msg = 'invalid listing_visibility argument provided: "{arg}"; valid values: "unauth" or ""'.format(
arg=listing_visibility,
)
raise exceptions.ParamValidationError(error_msg)
# All parameters are optional for this method. Until/unless we include input validation, we simply loop over the
# parameters and add which parameters are set.
optional_parameters = {
'default_lease_ttl': dict(),
'max_lease_ttl': dict(),
'description': dict(),
'audit_non_hmac_request_keys': dict(comma_delimited_list=True),
'audit_non_hmac_response_keys': dict(comma_delimited_list=True),
'listing_visibility': dict(),
'passthrough_request_headers': dict(comma_delimited_list=True),
}
params = {}
for optional_parameter, parameter_specification in optional_parameters.items():
if locals().get(optional_parameter) is not None:
if parameter_specification.get('comma_delimited_list'):
argument = locals().get(optional_parameter)
validate_list_of_strings_param(optional_parameter, argument)
params[optional_parameter] = list_to_comma_delimited(argument)
else:
params[optional_parameter] = locals().get(optional_parameter)
api_path = '/v1/sys/auth/{path}/tune'.format(path=path)
return self._adapter.post(
url=api_path,
json=params,
)
