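def create_vault_client(app):
    """Build a VaultClient from ``app.config`` and unseal it when configured to.

    Reads ``VAULT_ADDR`` and ``VAULT_TOKEN`` from ``app.config``.  If the
    client reports the vault as sealed and ``UNSEAL_VAULT`` is truthy, the
    values of ``UNSEAL_VAULT_KEY1`` .. ``UNSEAL_VAULT_KEY5`` are submitted via
    ``unseal_multi``; keys that are missing from the config or empty are
    skipped instead of aborting client creation.

    Args:
        app: object exposing a mapping-like ``config`` attribute (a Flask app
            fits; presumably that is the caller -- verify).

    Returns:
        The constructed VaultClient, unsealed if the steps above applied.
    """
    client = VaultClient(url=app.config['VAULT_ADDR'], token=app.config['VAULT_TOKEN'])
    if client.is_sealed() and app.config['UNSEAL_VAULT']:
        # ``.get`` rather than ``[]``: the original raised KeyError as soon as
        # one UNSEAL_VAULT_KEYn was absent, even though empty values were
        # already being tolerated by the filter below.
        candidates = [app.config.get(f'UNSEAL_VAULT_KEY{i}') for i in range(1, 6)]
        # NOTE: the unseal keys are held in app.config here; that config
        # should never end up in logs or version control.
        client.unseal_multi([k for k in candidates if k])
    return client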
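def run(self, terms, variables, **kwargs):
    """Ansible lookup entry point: return ``field`` of the Vault secret at ``key``.

    Args:
        terms: three-item sequence ``(key, field, path)`` -- the Vault path to
            read, the field inside its ``data`` to return, and the path that
            (prefixed with ``../``) is handed to
            ``LookupModule.get_vault_from_path`` to obtain the client settings.
        variables: unused; part of the lookup-plugin interface.
        **kwargs: unused; part of the lookup-plugin interface.

    Returns:
        A one-element list holding the requested field value.

    Raises:
        AnsibleError: if the vault is sealed, the token is not authenticated,
            no secret exists at ``key``, or the secret has no such field.
    """
    key, field, path = terms
    vault = LookupModule.get_vault_from_path('../{}'.format(path))
    client = Client(**vault)
    # Report the sealed state separately: the original collapsed it into the
    # authentication error, which sends the operator down the wrong path.
    if client.is_sealed():
        raise AnsibleError('Vault is sealed!')
    if not client.is_authenticated():
        raise AnsibleError('Unable to authenticate with Vault!')
    secret = client.read(key)
    # hvac's read() returns None for a missing path; surface that as an
    # AnsibleError instead of a TypeError from the subscript below.
    if secret is None:
        raise AnsibleError('No secret found in Vault at {}'.format(key))
    try:
        return [secret['data'][field]]
    except KeyError as err:
        raise AnsibleError('Secret at {} has no field {}'.format(key, field)) from err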
def pre_flight_check(client: hvac.Client) -> bool:
    """Report whether *client* is usable: initialized, unsealed and authenticated.

    Logs one ERROR line naming the first condition that fails, or one INFO
    line when everything passes.

    Args:
        client: hvac client to probe.

    Returns:
        True only when the vault is initialized, unsealed and the token is
        authenticated; False otherwise.
    """
    # Same short-circuit as the original: is_sealed() is only consulted on an
    # initialized vault.
    ready_to_query = client.is_initialized() and not client.is_sealed()
    if not ready_to_query:
        logging.error("The vault is either not initialized or sealed. That's odd.")
        return False
    if not client.is_authenticated():
        logging.error(
            "It seems the authentication token is invalid. Vault does"
            " not like it. Clean everything up and come back."
        )
        return False
    logging.info("Everything looks good so far, pre-flight check ok")
    return True
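def reset_vault(client: hvac.Client) -> (str, List[str]):
    """Initialize an uninitialized vault, unseal it and return its credentials.

    Uses the module-level names ``shares`` and ``threshold`` (not defined in
    this block) as the key-share count and unseal threshold.

    Args:
        client: hvac client pointed at a vault that is NOT yet initialized.

    Returns:
        ``(root_token, unseal_keys)`` exactly as reported by ``initialize``.

    Raises:
        RuntimeError: if the vault is already initialized, or does not report
            itself sealed right after initialization.

    Note:
        The root token and every unseal key are written to the log at WARNING
        level so the operator can capture them; treat that log destination as
        sensitive -- it holds everything needed to control the vault.
    """
    # Explicit checks instead of ``assert`` so they survive ``python -O``.
    if client.is_initialized():
        raise RuntimeError("Refusing to reset: the vault is already initialized.")
    logging.warning("The vault is not initialized yet, it will be initialized with {} keys and a threshold of {}. "
                    "Security is overrated anyway.".format(shares, threshold))
    result = client.initialize(secret_shares=shares, secret_threshold=threshold)
    root_token, unseal_keys = result['root_token'], result['keys']
    logging.warning("Okay, initialized. The root_token is {} and the unseal key(s) are {}. Keep that around, you'll"
                    " need it".format(root_token, unseal_keys))
    if not client.is_sealed():
        raise RuntimeError("Expected the freshly initialized vault to be sealed, but it is not.")
    logging.info('The vault is sealed. Unsealing...')
    client.unseal_multi(unseal_keys)
    logging.info("Okay, you're good to go.")
    return root_token, unseal_keys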