Skip to main content
Version: 11 - TBD

ConnectorTypeVAULT

class connector_types.connector_type_vault.ConnectorTypeVAULT

Interact with HashiCorp Vault

Currently, only the Key-Value engine is supported.

For the KV engine, version 2 secrets the secret_path needs to be prefixed with data/

Input Schema

  • schema_version

    Type: string

  • authentication

    Type: anyOf

  • scheme

    The scheme to use.

    Type: anyOf

  • host

    The remote hostname or IP address.

    Type: string

  • port

    Type: anyOf

  • path

    The path of the Vault server.

    Type: string

    Default: /

  • tls

    If to connect using TLS/SSL.

    Type: anyOf

  • secret_engine

    Type: anyOf

    Default: Key-Value version 2 (kv-v2) engine

  • allow_redirects

    If set to True redirects are followed and the response of the last non-redirect request is returned.

    If set to False redirects are not followed and the response of the first request is returned.

    Type: boolean

    Default: True

  • max_redirects

    Maximum number of redirects to follow.

    Type: integer

    Default: 10

  • total_timeout

    Total timeout for the request in seconds.

    Type: integer

    Default: 30

  • connect_timeout

    A timeout for connecting to a peer in seconds.

    Type: integer

    Default: 30

  • read_timeout

    A timeout for reading a portion of data from a peer in seconds.

    Type: integer

    Default: 30

Output Schema

  • status_code

    Type: integer

  • result

    Type: anyOf

Example

import flow_api

def handler(system: flow_api.System, this: flow_api.Execution, inputs: dict):
    # create a secret using token authentication
    this.connect(
        connector_type='VAULT',
        authentication={
            'authentication_method': 'token',
            'token': '...',
        },
        host='...',
        secret_engine={
            'engine_type': 'kv',
            'engine_path': '...',
            'mode': {
                'mode_name': 'upsert',
                'secret_path': '...',
                'data': {
                    '...': '...',
                }.
            },
        },
    )

    # read a KV-V2 secret using username and password authentication
    secret_value = this.connect(
        connector_type='VAULT',
        authentication={
            'authentication_method': 'username_password',
            'username': '...',
            'password': '...',
        },
        scheme='http',
        host='...',
        port={
            'port_mode': 'port_number',
            'port_number': 8080,
        },
        secret_engine={
            'engine_type': 'kv-v2',
            'engine_path': '...',
            'mode': {
                'mode_name': 'read',
                'secret_path': '...',
                'version': 2,  # without a version being specified the latest version is read
            },
        },
    ).get('output_value')['result']['data']['data']
    this.log(secret_value=secret_value)

    # destroy all versions of secret using client certificate authentication
    this.connect(
        connector_type='VAULT',
        authentication={
            'authentication_method': 'certificate',
        },
        host='...',
        tls={
            'client_cert': '...',
            'client_key': '...',
        },
        secret_engine={
            'engine_type': 'kv-v2',
            'engine_path': '...',
            'mode': {
                'mode_name': 'delete_metadata',
            },
        },
    )

    return this.success('all done')