ConnectorTypeVAULT
class connector_types.connector_type_vault.ConnectorTypeVAULT
Interact with HashiCorp Vault
Currently, only the Key-Value engine is supported.
For the KV engine, version 2 secrets the secret_path needs to be prefixed with data/
Input Schema
-
schema_version
Type:
string
-
authentication
Type:
anyOf
Options: -
scheme
The scheme to use.
Type:
anyOf
Options: -
host
The remote hostname or IP address.
Type:
string
-
port
Type:
anyOf
Options: -
path
The path of the Vault server.
Type:
string
Default:
/
-
tls
If to connect using TLS/SSL.
Type:
anyOf
Options: -
secret_engine
Type:
anyOf
Options:Default:
Key-Value version 2 (kv-v2) engine
-
allow_redirects
If set to
True
redirects are followed and the response of the last non-redirect request is returned.If set to
False
redirects are not followed and the response of the first request is returned.Type:
boolean
Default:
True
-
max_redirects
Maximum number of redirects to follow.
Type:
integer
Default:
10
-
total_timeout
Total timeout for the request in seconds.
Type:
integer
Default:
30
-
connect_timeout
A timeout for connecting to a peer in seconds.
Type:
integer
Default:
30
-
read_timeout
A timeout for reading a portion of data from a peer in seconds.
Type:
integer
Default:
30
Output Schema
Example
import flow_api
def handler(system: flow_api.System, this: flow_api.Execution, inputs: dict):
# create a secret using token authentication
this.connect(
connector_type='VAULT',
authentication={
'authentication_method': 'token',
'token': '...',
},
host='...',
secret_engine={
'engine_type': 'kv',
'engine_path': '...',
'mode': {
'mode_name': 'upsert',
'secret_path': '...',
'data': {
'...': '...',
}.
},
},
)
# read a KV-V2 secret using username and password authentication
secret_value = this.connect(
connector_type='VAULT',
authentication={
'authentication_method': 'username_password',
'username': '...',
'password': '...',
},
scheme='http',
host='...',
port={
'port_mode': 'port_number',
'port_number': 8080,
},
secret_engine={
'engine_type': 'kv-v2',
'engine_path': '...',
'mode': {
'mode_name': 'read',
'secret_path': '...',
'version': 2, # without a version being specified the latest version is read
},
},
).get('output_value')['result']['data']['data']
this.log(secret_value=secret_value)
# destroy all versions of secret using client certificate authentication
this.connect(
connector_type='VAULT',
authentication={
'authentication_method': 'certificate',
},
host='...',
tls={
'client_cert': '...',
'client_key': '...',
},
secret_engine={
'engine_type': 'kv-v2',
'engine_path': '...',
'mode': {
'mode_name': 'delete_metadata',
},
},
)
return this.success('all done')