def main(): logger.info("Trying to login with Token") logger.debug("Debug enabled") try: client = Client(url=os.environ['VAULT_ADDR'], token=os.environ['VAULT_TOKEN']) client.is_authenticated() except Exception as err: logger.exception("Token Login failed: %s", err) exit(2) transit = Transit(client=client, encryption_key='backup', mount='transit') kv = KVstore(client, 'secrets', transit=transit) data = kv.get_base_folder() try: data = json.dumps(data[0], indent=4) except Exception as err: logger.exception(f'Error converting to JSON: {err}') exit(1) write_to_disk(cfg['out_file'], data) exported_key = transit.backup_key() logger.debug(f"Finished getting data:\n{data}") logger.info(f"Finished encrypting and writting data to {cfg['out_file']}") logger.info(f'Encryption used key:\n{exported_key}')
def login(self) -> Client: """ create a client and log it in with the correct method :return: a logged in client """ client = Client(self.url) log.info("client created with url %s", client.url) if not client.is_authenticated(): log.info("client is not authenticated") if self.method == Method.LDAP: log.info("trying to login with LDAP") try: client.auth.ldap.login(self.username, self.password) except (InvalidPath, ValueError) as err: log.error("LDAP Login failed: %s", err) exit(2) if self.method == Method.Token: log.info("trying to login with Token") try: client.token = self.token client.login(self.url, True) except (InvalidPath, ValueError) as err: log.error("Token Login failed: %s", err) exit(2) if not client.is_authenticated(): log.error("login failed.") log.error("Aborting...") exit(2) return client
def get_client(obj): client = Client( **{k: v for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None}) assert (client.is_authenticated( )), "Vault authentication error is VAULT_TOKEN_FOR_DYNACONF defined?" return client
def get_client(obj): client = Client( **{k: v for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None}) if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None: client.auth_approle( role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF, secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"), ) elif obj.VAULT_ROOT_TOKEN_FOR_DYNACONF is not None: client.token = obj.VAULT_ROOT_TOKEN_FOR_DYNACONF elif obj.VAULT_AUTH_WITH_IAM_FOR_DYNACONF: if boto3 is None: raise ImportError( "boto3 package is not installed in your environment. " "`pip install boto3` or disable the VAULT_AUTH_WITH_IAM") session = boto3.Session() credentials = session.get_credentials() client.auth.aws.iam_login( credentials.access_key, credentials.secret_key, credentials.token, role=obj.VAULT_AUTH_ROLE_FOR_DYNACONF, ) assert client.is_authenticated(), ( "Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or " "VAULT_ROLE_ID_FOR_DYNACONF defined?") client.kv.default_kv_version = obj.VAULT_KV_VERSION_FOR_DYNACONF return client
def provide_authed_hvac_client(self, config: VaultConfiguration) -> Client: client = Client( url=config.url, token=config.token, ) client.kv.default_kv_version = 2 assert client.is_authenticated() return client
def run(self, terms, variables, **kwargs): key, field, path = terms vault = LookupModule.get_vault_from_path('../{}'.format(path)) client = Client(**vault) if client.is_authenticated() and not client.is_sealed(): result = [client.read(key)['data'][field]] return result else: raise AnsibleError('Unable to authenticate with Vault!')
def pre_flight_check(client: hvac.Client) -> bool: if not client.is_initialized() or client.is_sealed(): logging.error("The vault is either not initialized or sealed. That's odd.") elif not client.is_authenticated(): logging.error("It seems the authentication token is invalid. Vault does" " not like it. Clean everything up and come back.") else: logging.info("Everything looks good so far, pre-flight check ok") return True return False
def __authenticate_vault_client(client: hvac.Client, tenant: str, priv_jwt_token: str) -> hvac.Client: trace_enter(inspect.currentframe()) vault_auth_jwt_path = config.get_vault_auth_jwt_path(tenant) if not vault_auth_jwt_path: logger.error('Failed to load auth jwt path for tenant "%s"', tenant) return None if config.get_config_by_keypath('DEV_MODE'): logger.debug('Attempting to authenticate against Vault using JWT: %s', priv_jwt_token) cache_id = utils.get_vault_token_cache_id(tenant, priv_jwt_token) if cache_id in __VAULT_TOKEN_CACHE: logger.debug('Cache hit: Found token for "%s".', cache_id) client.token = __VAULT_TOKEN_CACHE[cache_id] else: logger.debug('Cache miss: Token for "%s" not found.', cache_id) token = __get_vault_token(client, tenant, priv_jwt_token, vault_auth_jwt_path) if not token: ret = None logger.error('Failed to get Vault token.') trace_exit(inspect.currentframe(), ret) return ret client.token = token __VAULT_TOKEN_CACHE[cache_id] = token if not client.is_authenticated(): # token might be invalid/has expired del __VAULT_TOKEN_CACHE[cache_id] ret = None logger.error('Failed to validate Vault client. ' 'Review configuration (config/config.json). ' 'Retry as token might have expired.') trace_exit(inspect.currentframe(), ret) return ret logger.debug('Successfully authenticated Vault client ' 'for tenant "%s"', tenant) trace_exit(inspect.currentframe(), client) return client
def get_client(obj): client = Client( **{k: v for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None}) if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None: client.auth_approle( role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF, secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"), ) assert client.is_authenticated(), ( "Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or " "VAULT_ROLE_ID_FOR_DYNACONF defined?") return client
def main(): logger.info("Trying to login with Token") logger.debug("Debug enabled") try: client = Client( url=os.environ['VAULT_ADDR'], token=os.environ['VAULT_TOKEN'] ) client.is_authenticated() except Exception as err: logger.exception("Token Login failed: %s", err) exit(2) transit = Transit(client=client, encryption_key='backup', mount='transit') kv = KVstore(client, cfg['kv_path'], transit=transit) data = kv.get_base_folder() write_to_disk(cfg['out_file'], data) logger.info(f"Finished encrypting and writting data to {cfg['out_file']}") exported_key = transit.backup_key() write_to_disk(cfg['backup_key'], exported_key) logger.info(f"Finished encrypting and writting data to {cfg['backup_key']}")
def _auth(self): client = VaultClient(url=self._config['addr']) auth = self._config['auth_type'] token = self._config['token'] if token and auth == 'token': client.token = token elif auth == 'aws_iam': session = boto3.Session() creds = session.get_credentials() kwargs = [self._config['header_value'], self._config['role']] client.auth_aws_iam( creds.access_key, creds.secret_key, creds.token, **{k: v for k, v in self._config.items() if v and k in kwargs}) if client.is_authenticated() is False: raise VaultUnauthorized(f'auth_type: {auth}') return client.secrets.kv
class SecretsClient(BaseSecretsClient): def __init__(self, connection_config) -> None: ''' Args: connection_config (Dict): Parameters required to connect to the Vault ''' try: token = os.environ[connection_config['token_env']] except KeyError as error: raise SecretsException( 'Token environment variable missing: {}'.format(error) ) self._client = Client( url=connection_config['url'], token=token ) if not self._client.is_authenticated(): raise SecretsException('Vault client authentication failed!') else: logging.debug('Sucessfully connected to Vault.') def get_secret(self, secret): read_response = self._client.secrets.kv.read_secret_version( path=secret ) return read_response['data']['data'] def create_secret(self, name, value, description=None): create_response = self._client.secrets.kv.v2.create_or_update_secret( path=name, secret=value ) logging.debug("Wrote secret to path {}".format(name)) if create_response['warnings'] is not None: logging.debug( 'with warnings {}'.format(create_response['warnings']) )
class Vaulter: def __init__(self, url, git_token, mount_point, vault_path_prefix=""): self.LOGGER = sesam_logger('KeyVault') self.client = Client(url=url) self.mount_point = mount_point self.client.auth.github.login(git_token) self.missing_secrets = [] self.vault_path_prefix = vault_path_prefix if not self.client.is_authenticated(): self.LOGGER.critical(f'Cannot authenticate vault {url}. Exiting.') exit(-1) def get_secret(self, secret): return_value = None try: response = self.client.secrets.kv.v2.read_secret_version( mount_point=self.mount_point, path=f'{self.vault_path_prefix}{secret}') key_value = response['data']['data'] for k in key_value: return_value = key_value[k] break except InvalidPath as e: self.missing_secrets.append(secret) return return_value def get_secrets(self, secrets): output = {} for s in secrets: output[s] = self.get_secret(s) return output def verify(self): if len(self.missing_secrets) != 0: return False return True def get_missing_secrets(self): return self.missing_secrets
class Vaulter: def __init__(self, url, git_token, mount_point): self.client = Client(url=url) self.mount_point = mount_point self.client.auth.github.login(git_token) self.missing_secrets = [] if not self.client.is_authenticated(): print(f'Cannot authenticate vault {url}. Exiting.') exit(-1) def get_secret(self, secret): return_value = None try: response = self.client.secrets.kv.v2.read_secret_version(mount_point=self.mount_point, path=secret) key_value = response['data']['data'] for k in key_value: return_value = key_value[k] break except InvalidPath as e: print(f'Could not find {secret} in vault. Invalid path: "{e}"') self.missing_secrets.append(secret) return return_value def get_secrets(self, secrets): output = {} for s in secrets: output[s] = self.get_secret(s) return output def verify(self): if len(self.missing_secrets) != 0: return False return True def get_missing_secrets(self): return self.missing_secrets