:lock: Python 2/3 client for HashiCorp Vault

  • Source code name: hvac
  • Source code URL: http://www.github.com/ianunruh/hvac
  • hvac source code documentation
  • hvac source code download
  • Git URL:
    git://www.github.com/ianunruh/hvac.git
  • Git clone the code locally:
    git clone http://www.github.com/ianunruh/hvac
  • Subversion checkout locally:
    $ svn co --depth empty http://www.github.com/ianunruh/hvac
    Checked out revision 1.
    $ cd repo
    $ svn up trunk
  • HVAC

    HashiCorp Vault API client for Python 2/3


    Tested against Vault v0.1.2 and HEAD. Requires v0.1.2 or later.

    Getting started

    Installation

    pip install hvac

    or

    pip install "hvac[parser]"

    if you want the methods that support it to return parsed HCL data as a Python dict.

    Initialize the client

    import os
    import hvac

    # Using plaintext
    client = hvac.Client()
    client = hvac.Client(url='http://localhost:8200')
    client = hvac.Client(url='http://localhost:8200', token=os.environ['VAULT_TOKEN'])

    # Using TLS
    client = hvac.Client(url='https://localhost:8200')

    # Using TLS with client-side certificate authentication
    client = hvac.Client(url='https://localhost:8200',
                         cert=('path/to/cert.pem', 'path/to/key.pem'))

    Read and write to secret backends

    client.write('secret/foo', baz='bar', lease='1h')
    print(client.read('secret/foo'))
    client.delete('secret/foo')

    Authenticate to different auth backends

    # Token
    client.token = 'MY_TOKEN'
    assert client.is_authenticated() # => True

    # App ID
    client.auth_app_id('MY_APP_ID', 'MY_USER_ID')

    # App Role
    client.auth_approle('MY_ROLE_ID', 'MY_SECRET_ID')

    # AWS (IAM)
    client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY')
    client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', 'MY_AWS_SESSION_TOKEN')
    client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', role='MY_ROLE')

    import boto3
    session = boto3.Session()
    credentials = session.get_credentials()
    client.auth_aws_iam(credentials.access_key, credentials.secret_key, credentials.token)

    # GitHub
    client.auth_github('MY_GITHUB_TOKEN')

    # LDAP, Username & Password
    client.auth_ldap('MY_USERNAME', 'MY_PASSWORD')
    client.auth_userpass('MY_USERNAME', 'MY_PASSWORD')

    # TLS
    client = hvac.Client(cert=('path/to/cert.pem', 'path/to/key.pem'))
    client.auth_tls()

    # Non-default mount point (available on all auth types)
    client.auth_userpass('MY_USERNAME', 'MY_PASSWORD', mount_point='CUSTOM_MOUNT_POINT')

    # Authenticating without changing to the new token (available on all auth types)
    result = client.auth_github('MY_GITHUB_TOKEN', use_token=False)
    print(result['auth']['client_token']) # => u'NEW_TOKEN'

    # Custom or unsupported auth type
    params = {
        'username': 'MY_USERNAME',
        'password': 'MY_PASSWORD',
        'custom_param': 'MY_CUSTOM_PARAM',
    }
    result = client.auth('/v1/auth/CUSTOM_AUTH/login', json=params)

    # Logout
    client.logout()

    Manage tokens

    token = client.create_token(policies=['root'], lease='1h')
    current_token = client.lookup_token()
    some_other_token = client.lookup_token('xxx')
    client.revoke_token('xxx')
    client.revoke_token('yyy', orphan=True)
    client.revoke_token_prefix('zzz')
    client.renew_token('aaa')

    Manage tokens using accessors

    token = client.create_token(policies=['root'], lease='1h')
    token_accessor = token['auth']['accessor']
    same_token = client.lookup_token(token_accessor, accessor=True)
    client.revoke_token(token_accessor, accessor=True)

    Wrap/unwrap a token

    wrap = client.create_token(policies=['root'], lease='1h', wrap_ttl='1m')
    result = client.unwrap(wrap['wrap_info']['token'])

    Manipulate auth backends

    backends = client.list_auth_backends()
    client.enable_auth_backend('userpass', mount_point='customuserpass')
    client.disable_auth_backend('github')

    Manipulate secret backends

    backends = client.list_secret_backends()
    client.enable_secret_backend('aws', mount_point='aws-us-east-1')
    client.disable_secret_backend('mysql')
    client.tune_secret_backend('generic', mount_point='test', default_lease_ttl='3600s', max_lease_ttl='8600s')
    client.get_secret_backend_tuning('generic', mount_point='test')
    client.remount_secret_backend('aws-us-east-1', 'aws-east')

    Manipulate policies

    policies = client.list_policies() # => ['root']

    policy = """
    path "sys" {
      policy = "deny"
    }

    path "secret" {
      policy = "write"
    }

    path "secret/foo" {
      policy = "read"
    }
    """

    client.set_policy('myapp', policy)
    client.delete_policy('oldthing')
    policy = client.get_policy('mypolicy')

    # Requires pyhcl to automatically parse HCL into a Python dictionary
    policy = client.get_policy('mypolicy', parse=True)
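    The legacy `path "..." { policy = "..." }` form shown above is easy to lint for least privilege before handing it to `set_policy`. The following is an added example, not code from hvac or its README: it parses only that narrow form with a regular expression (for real policies use `get_policy(..., parse=True)` with pyhcl) and flags mount-wide grants at write level or above; the level ranking and the "broad grant" rule are the example's own assumptions.

```python
import re

# Constructed sample: the legacy-style policy used in the README above.
SAMPLE_POLICY = """
path "sys" {
  policy = "deny"
}

path "secret" {
  policy = "write"
}

path "secret/foo" {
  policy = "read"
}
"""

# Matches one legacy rule block: path "<path>" { policy = "<level>" }.
# Deliberately narrow: it handles only the form on this page, not full HCL.
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*policy\s*=\s*"([^"]+)"\s*\}')

# Legacy policy levels ordered weakest to strongest (assumed ranking for the lint).
_LEVELS = ("deny", "read", "write", "sudo")


def parse_legacy_policy(text):
    """Return {path: level} for every rule in a legacy-style policy string."""
    rules = {}
    for path, level in _RULE_RE.findall(text):
        if level not in _LEVELS:
            raise ValueError("unknown policy level %r for path %r" % (level, path))
        rules[path] = level
    return rules


def find_broad_grants(rules, minimum="write"):
    """Paths at mount level (no '/') granting at least `minimum`.

    Heuristic: a mount-wide write is usually wider than one app needs,
    so these are the rules worth a second look before set_policy().
    """
    floor = _LEVELS.index(minimum)
    return sorted(p for p, lvl in rules.items()
                  if "/" not in p and _LEVELS.index(lvl) >= floor)


def sys_is_denied(rules):
    """True when the policy explicitly denies the 'sys' mount, as the page's example does."""
    return rules.get("sys") == "deny"
```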

    Manipulate audit backends

    backends = client.list_audit_backends()
    options = {
     'path': '/tmp/vault.log',
     'log_raw': True,
    }
    client.enable_audit_backend('file', options=options, name='somefile')
    client.disable_audit_backend('oldfile')

    Initialize and seal/unseal

    print(client.is_initialized()) # => False

    shares = 5
    threshold = 3

    result = client.initialize(shares, threshold)

    root_token = result['root_token']
    keys = result['keys']

    print(client.is_initialized()) # => True

    print(client.is_sealed()) # => True

    # unseal with individual keys
    client.unseal(keys[0])
    client.unseal(keys[1])
    client.unseal(keys[2])

    # unseal with multiple keys until threshold met
    client.unseal_multi(keys)

    print(client.is_sealed()) # => False

    client.seal()

    print(client.is_sealed()) # => True

    Testing

    Integration tests automatically start a Vault server in the background. Make sure the latest vault binary is in your PATH.

    Feel free to open pull requests with additional features or improvements!



