def connect():
'''
Connect to the vault server and return the
connected vault client instance.
'''
url = os.environ.get('VAULT_ADDR')
token = os.environ.get('VAULT_TOKEN')
if not url or not token:
halt('Failed connecting to vault. ' +
'`VAULT_ADDR` and `VAULT_TOKEN` must be set in your environment.')
return Client(url=url, token=token)
def get_client(obj):
client = Client(
**{k: v for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None}
)
if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None:
client.auth_approle(
role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF,
secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"),
)
assert client.is_authenticated(), (
"Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or "
"VAULT_ROLE_ID_FOR_DYNACONF defined?"
)
return client
def test_auth_approle(self, test_label, mount_point, role_id, secret_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": {
"accessor": "f8b576f9-9146-4173-e174-40257d58015a",
"client_token": "3db3d089-7d3c-f531-cd3e-bfe44696a92c",
"lease_duration": 600,
"metadata": {
"role_name": "application1"
},
"policies": [
"default"
],
"renewable": True
},
"data": None,
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "2eb635ad-a763-926a-9815-4cb4d14a40f9",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'approle' if mount_point is None else mount_point,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.auth_approle(
role_id=role_id,
secret_id=secret_id,
)
else:
actual_response = client.auth_approle(
role_id=role_id,
secret_id=secret_id,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_get_role_secret_id_accessor(self, test_label, mount_point, role_name, secret_id_accessor, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"SecretIDNumUses": 0,
"cidr_list": [],
"creation_time": "2018-06-11T07:33:57.771908-05:00",
"expiration_time": "0001-01-01T00:00:00Z",
"last_updated_time": "2018-06-11T07:33:57.771908-05:00",
"metadata": {},
"secret_id_accessor": secret_id_accessor,
"secret_id_num_uses": 0,
"secret_id_ttl": 0
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "2c9fcba6-425d-e4c0-45fa-ee90450a3c00",
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/lookup'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
)
else:
actual_response = client.get_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_get_role_secret_id(self, test_label, mount_point, role_name, secret_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"SecretIDNumUses": 0,
"cidr_list": [],
"creation_time": "2018-06-11T07:33:57.771908-05:00",
"expiration_time": "0001-01-01T00:00:00Z",
"last_updated_time": "2018-06-11T07:33:57.771908-05:00",
"metadata": {},
"secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f",
"secret_id_num_uses": 0,
"secret_id_ttl": 0
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "718a00fa-e76f-f1fc-9b9e-f9c4baa766b3",
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id/lookup'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_secret_id(
role_name=role_name,
secret_id=secret_id,
)
else:
actual_response = client.get_role_secret_id(
role_name=role_name,
secret_id=secret_id,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_get_role(self, test_label, mount_point, role_name, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"bind_secret_id": True,
"bound_cidr_list": "",
"period": 0,
"policies": [
"default"
],
"secret_id_num_uses": 0,
"secret_id_ttl": 0,
"token_max_ttl": 900,
"token_num_uses": 0,
"token_ttl": 600
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "0aab655f-ecd2-b3d4-3817-35b5bdfd3f28",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role(
role_name=role_name,
)
else:
actual_response = client.get_role(
role_name=role_name,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def __init__(self):
if not os.getenv("SERVICE_ACCOUNT_TOEKN_PATH"):
self.k8s_service_account_token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
else:
self.k8s_service_account_token_path = os.getenv("SERVICE_ACCOUNT_TOEKN_PATH")
if not os.getenv("VAULT_ROLE"):
raise Exception('VAULT_ROLE is a mandatory env variable')
else:
self.role = os.getenv("VAULT_ROLE")
if not os.getenv("VAULT_URL"):
raise Exception("VAULT_URL is a mandatory env variable")
else:
self.vault_url = os.getenv("VAULT_URL")
self.client = Client(url=self.vault_url)
def create_client(**kwargs):
"""Small helper to instantiate a :py:class:`hvac.v1.Client` class with the appropriate parameters for the test env.
:param kwargs: Dictionary of additional keyword arguments to pass through to the Client instance being created.
:type kwargs: dict
:return: Instantiated :py:class:`hvac.v1.Client` class.
:rtype: hvac.v1.Client
"""
client_cert_path = get_test_data_path('client-cert.pem')
client_key_path = get_test_data_path('client-key.pem')
server_cert_path = get_test_data_path('server-cert.pem')
return Client(url='https://localhost:8200',
cert=(client_cert_path, client_key_path),
verify=server_cert_path,
**kwargs)
def __init__(self, client_token):
if not os.getenv("VAULT_URL"):
raise Exception("VAULT_URL is a mandatory env variable")
else:
self.vault_url = os.getenv("VAULT_URL")
self.client = Client(url=self.vault_url, token=client_token)
if not os.getenv("VAULT_SECRET_PATH"):
raise Exception("VAULT_SECRET_PATH is a mandatory env variable")
else:
self.secret_path = os.getenv("VAULT_SECRET_PATH")
if not os.getenv("ENV_VARIABLES_PATH"):
raise Exception("ENV_VARIABLES_PATH is a mandatory env variable")
else:
self.ENV_VARIABLES_PATH = os.getenv("ENV_VARIABLES_PATH")
def test_auth_aws_iam(self, login_mock, datetime_mock):
datetime_mock.utcnow.return_value = datetime(2015, 8, 30, 12, 36, 0)
client = Client()
client.auth_aws_iam('AKIDEXAMPLE',
'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY')
login_mock.assert_called()
args, kwargs = login_mock.call_args
actual_params = kwargs['json']
actual_iam_http_request_method = actual_params[
'iam_http_request_method']
self.assertEqual('POST', actual_iam_http_request_method)
actual_iam_request_url = b64decode(
actual_params['iam_request_url']).decode('utf-8')
self.assertEqual('https://sts.amazonaws.com/', actual_iam_request_url)
expected_auth_header_parts = [
'Credential=AKIDEXAMPLE/20150830/us-east-1/sts/aws4_request',
'SignedHeaders=content-length;content-type;host;x-amz-date',
'Signature=0268ea4a725deae1116f5228d6b177fb047f9f3a9e1c5fd4baa0dc1fbb0d1a99',
]
expected_iam_request_headers = {
'Authorization': [
'{0} {1}'.format('AWS4-HMAC-SHA256',
', '.join(expected_auth_header_parts))
],
'Content-Length': ['43'],
'Content-Type':
['application/x-www-form-urlencoded; charset=utf-8'],
'Host': ['sts.amazonaws.com'],
'X-Amz-Date': ['20150830T123600Z'],
}
actual_iam_request_headers = json.loads(
b64decode(actual_params['iam_request_headers']))
self.assertEqual(expected_iam_request_headers,
actual_iam_request_headers)
actual_iam_request_body = b64decode(
actual_params['iam_request_body']).decode('utf-8')
self.assertEqual('Action=GetCallerIdentity&Version=2011-06-15',
actual_iam_request_body)
actual_role = actual_params['role']
self.assertEqual('', actual_role)
def test_create_role_custom_secret_id(self, test_label, mount_point,
role_name, secret_id,
requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"secret_id": secret_id,
"secret_id_accessor": "f5cb4b7d-9111-320e-6f24-73bf45d3845d"
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "e7c8b2e1-95e8-cb17-e98a-6c428201f1d5",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/custom-secret-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.create_role_custom_secret_id(
role_name=role_name,
secret_id=secret_id,
)
else:
actual_response = client.create_role_custom_secret_id(
role_name=role_name,
secret_id=secret_id,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_list_role_secrets(self, test_label, mount_point, role_name, secret_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"keys": [
secret_id
]
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "eb805845-f6ce-a514-9238-6914664dd601",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='LIST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.list_role_secrets(
role_name=role_name,
)
else:
actual_response = client.list_role_secrets(
role_name=role_name,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_auth_kubernetes(self, test_label, test_role, test_jwt,
mount_point, requests_mocker):
mock_response = {
'auth': {
'accessor': 'accessor-1234-5678-9012-345678901234',
'client_token': 'cltoken-1234-5678-9012-345678901234',
'lease_duration': 10000,
'metadata': {
'role': 'custom_role',
'service_account_name': 'vault-auth',
'service_account_namespace': 'default',
'service_account_secret_name': 'vault-auth-token-pd21c',
'service_account_uid':
'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf'
},
'policies': ['default', 'custom_role'],
'renewable': True
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': 'requesti-1234-5678-9012-345678901234',
'warnings': [],
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'kubernetes' if mount_point is None else mount_point)
requests_mocker.register_uri(method='POST',
url=mock_url,
json=mock_response)
client = Client()
test_arguments = dict(
role=test_role,
jwt=test_jwt,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.auth_kubernetes(**test_arguments)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def __init__(self, connection_config) -> None:
'''
Args:
connection_config (Dict):
Parameters required to connect to the Vault
'''
try:
token = os.environ[connection_config['token_env']]
except KeyError as error:
raise SecretsException(
'Token environment variable missing: {}'.format(error)
)
self._client = Client(
url=connection_config['url'],
token=token
)
if not self._client.is_authenticated():
raise SecretsException('Vault client authentication failed!')
else:
logging.debug('Sucessfully connected to Vault.')
def test_auth_ec2(self, test_label, mount_point, requests_mocker):
mock_response = {
'auth': {
'accessor': 'accessor-1234-5678-9012-345678901234',
'client_token': 'cltoken-1234-5678-9012-345678901234',
'lease_duration': 10000,
'metadata': {
'account_id': '12345678912',
'ami_id': 'ami-someami',
'instance_id': 'i-instanceid',
'nonce': 'thenonce-1234-5678-9012-345678901234',
'region': 'us-east-1',
'role': 'custom_role',
'role_tag_max_ttl': '0s'
},
'policies': ['default', 'custom_role'],
'renewable': True
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': 'requesti-1234-5678-9012-345678901234',
'warnings': [],
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'aws-ec2' if mount_point is None else mount_point)
requests_mocker.register_uri(method='POST',
url=mock_url,
json=mock_response)
client = Client()
if mount_point is None:
actual_response = client.auth_ec2(pkcs7='mock_pcks7')
else:
actual_response = client.auth_ec2(pkcs7='mock_pcks7',
mount_point=mount_point)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def test_create_role_secret_id(self, test_label, mount_point, role_name,
requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"secret_id": "be78e3ca-f644-b099-3291-e8a6f5985cfe",
"secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f"
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "2310dc21-0fea-a2de-2d94-bb4edd59f1e9",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.create_role_secret_id(
role_name=role_name, )
else:
actual_response = client.create_role_secret_id(
role_name=role_name,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_read_lease(self, test_label, test_lease_id, requests_mocker):
test_path = 'http://localhost:8200/v1/sys/leases/lookup'
mock_response = {
'issue_time': '2018-07-15T08:35:34.775859245-05:00',
'renewable': False,
'id': test_lease_id,
'ttl': 259199,
'expire_time': '2018-07-18T08:35:34.00004241-05:00',
'last_renewal': None
}
requests_mocker.register_uri(
method='PUT',
url=test_path,
json=mock_response,
)
client = Client()
response = client.read_lease(lease_id=test_lease_id, )
self.assertEquals(
first=mock_response,
second=response,
)
def test_auth_gcp(self, test_label, test_role, test_jwt, mount_point,
requests_mocker):
mock_response = {
'auth': {
'accessor': 'accessor-1234-5678-9012-345678901234',
'client_token': 'cltoken-1234-5678-9012-345678901234',
'lease_duration': 10000,
'metadata': {
'role': 'custom_role',
'service_account_email':
'*****@*****.**',
'service_account_id': '111111111111111111111'
},
'policies': ['default', 'custom_role'],
'renewable': True
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': 'requesti-1234-5678-9012-345678901234',
'warnings': [],
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'gcp' if mount_point is None else mount_point)
requests_mocker.register_uri(method='POST',
url=mock_url,
json=mock_response)
client = Client()
if mount_point is None:
actual_response = client.auth_gcp(role=test_role, jwt=test_jwt)
else:
actual_response = client.auth_gcp(role=test_role,
jwt=test_jwt,
mount_point=mount_point)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def test_get_role_id(self, test_label, mount_point, role_name, role_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"role_id": role_id
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "85590a1a-6dd7-de79-01b0-1c285d505bf2",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_id(
role_name=role_name
)
else:
actual_response = client.get_role_id(
role_name=role_name,
mount_point=mount_point
)
# ensure we received our mock response data back successfully
self.assertEqual(
first=role_id,
second=actual_response
)
def test_list_ec2_roles(self, test_label, mount_point, requests_mocker):
mock_response = {"data": {"keys": ["dev-role", "prod-role"]}}
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{0}/roles?list=true'.format(
'aws-ec2' if mount_point is None else mount_point, )
requests_mocker.register_uri(
method='GET',
url=mock_url,
json=mock_response,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.list_ec2_roles()
else:
actual_response = client.list_ec2_roles(mount_point=mount_point)
self.assertEqual(
first=mock_response,
second=actual_response,
)
def test_get_kubernetes_configuration(self, test_label, mount_point,
requests_mocker):
expected_status_code = 200
mock_response = {
'auth': None,
'data': {
'kubernetes_ca_cert': '',
'kubernetes_host': '127.0.0.1:80',
'pem_keys': ['some key'],
'token_reviewer_jwt': ''
},
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': '12687b5f-b4f5-2ba4-aae2-2a8d7e53ca55',
'warnings': None,
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format(
'kubernetes' if mount_point is None else mount_point, )
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
test_arguments = dict()
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.get_kubernetes_configuration(**test_arguments)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_delete_vault_ec2_client_configuration(self, test_label,
mount_point,
requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/config/client'.format(
'aws-ec2' if mount_point is None else mount_point)
requests_mocker.register_uri(
method='DELETE',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.delete_vault_ec2_client_configuration()
else:
actual_response = client.delete_vault_ec2_client_configuration(
mount_point=mount_point)
self.assertEqual(
first=expected_status_code,
second=actual_response.status_code,
)
def test_get_auth_backend_tuning(self, requests_mocker):
expected_status_code = 200
test_backend_type = 'approle'
test_mount_point = 'approle-test'
mock_response = {
'max_lease_ttl': 12345678,
'lease_id': '',
'force_no_cache': False,
'warnings': None,
'data': {
'force_no_cache': False,
'default_lease_ttl': 2764800,
'max_lease_ttl': 12345678
},
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': '673f2336-3235-b988-2194-c68261a02bfe',
'default_lease_ttl': 2764800,
'renewable': False
}
requests_mocker.register_uri(
method='GET',
url='http://localhost:8200/v1/sys/auth/{0}/tune'.format(test_mount_point),
status_code=expected_status_code,
json=mock_response
)
client = Client()
actual_response = client.get_auth_backend_tuning(
backend_type=test_backend_type,
mount_point=test_mount_point,
)
self.assertEqual(
first=mock_response,
second=actual_response,
)
def main():
logger.info("Trying to login with Token")
logger.debug("Debug enabled")
try:
client = Client(
url=os.environ['VAULT_ADDR'],
token=os.environ['VAULT_TOKEN']
)
client.is_authenticated()
except Exception as err:
logger.exception("Token Login failed: %s", err)
exit(2)
transit = Transit(client=client, encryption_key='backup', mount='transit')
kv = KVstore(client, cfg['kv_path'], transit=transit)
data = kv.get_base_folder()
write_to_disk(cfg['out_file'], data)
logger.info(f"Finished encrypting and writting data to {cfg['out_file']}")
exported_key = transit.backup_key()
write_to_disk(cfg['backup_key'], exported_key)
logger.info(f"Finished encrypting and writting data to {cfg['backup_key']}")
def test_delete_kubernetes_role(self, test_label, mount_point, role_name,
requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'kubernetes' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='DELETE',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
test_arguments = dict(role=role_name, )
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.delete_kubernetes_role(**test_arguments)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_create_ec2_role(self, test_label, mount_point, role_name,
requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'aws-ec2' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.create_ec2_role(role=role_name)
else:
actual_response = client.create_ec2_role(role=role_name,
mount_point=mount_point)
self.assertEqual(
first=expected_status_code,
second=actual_response.status_code,
)
def __init__(self):
'''[summary]
Initializes and unseals the Vault
[description]
Initializes the Vault, if it has not been initialized yet and unseals it.
'''
# The Borg Singleton
self.__dict__ = self.__shared_state
if not self.client:
self._logger = logging.getLogger('flask.app')
self._logger.info('Initializing Vault @ %s .', VAULT_URL)
self.client = Client(url=VAULT_URL)
if self._is_vault_initialized():
self._logger.info('Vault already initalized.')
self._load_keys()
else:
vault = self._init_vault()
self._token = vault['root_token']
self._unseal_keys = vault['keys']
self._logger.info('Vault initalized.')
self._save_keys()
self.client.token = self._token
self._logger.info('Unsealing Vault.')
self._unseal_vault()
self._logger.info('Vault unsealed.')
def create_client(**kwargs):
return Client(url='https://localhost:8200',
cert=('test/client-cert.pem', 'test/client-key.pem'),
verify='test/server-cert.pem',
**kwargs)
#!/usr/bin/env python import os from hvac import Client from tools.vault import * CURRENT_DIR = os.path.dirname(os.path.realpath(__file__)) SETTINGS_FILE = os.path.join(CURRENT_DIR, '.vault-init.json') vault = Client(url="https://localhost:8200", verify="ssl/certs/ca.pem") vault_settings = load_vault_keys(SETTINGS_FILE) unseal_vault(vault, vault_settings)
def create_client(**kwargs):
return Client(**kwargs)