hvac.v1¶

Classes

Client([url, token, cert, verify, timeout, …])

The hvac Client class for HashiCorp’s Vault.

class hvac.v1.Client(url=None, token=None, cert=None, verify=None, timeout=30, proxies=None, allow_redirects=True, session=None, adapter=<class 'hvac.adapters.JSONAdapter'>, namespace=None, **kwargs)[source]¶

Bases: object

The hvac Client class for HashiCorp’s Vault.

Methods

`__init__`([url, token, cert, verify, …])	Creates a new hvac client instance.
`auth_cubbyhole`(token)	Perform a login request with a wrapped token.
`delete`(path)	DELETE /<path>
`get_policy`(name[, parse])	Retrieve the policy body for the named policy.
`is_authenticated`()	Helper method which returns the authentication status of the client
`list`(path)	GET /<path>?list=true
`login`(url[, use_token])	Perform a login request.
`logout`([revoke_token])	Clears the token used for authentication, optionally revoking it before doing so.
`lookup_token`([token, accessor, wrap_ttl])	GET /auth/token/lookup/<token>
`read`(path[, wrap_ttl])	GET /<path>
`renew_token`(token[, increment, wrap_ttl])	POST /auth/token/renew
`revoke_token`(token[, orphan, accessor])	POST /auth/token/revoke
`write`(path[, wrap_ttl])	POST /<path>

Attributes

`adapter`
`allow_redirects`
`auth`	Accessor for the Client instance’s auth methods.
`generate_root_status`
`ha_status`	Read the high availability status and current leader instance of Vault.
`key_status`	GET /sys/key-status
`rekey_status`
`seal_status`	Read the seal status of the Vault.
`secrets`	Accessor for the Client instance’s secrets engines.
`session`
`sys`	Accessor for the Client instance’s system backend methods.
`token`
`url`

__init__(url=None, token=None, cert=None, verify=None, timeout=30, proxies=None, allow_redirects=True, session=None, adapter=<class 'hvac.adapters.JSONAdapter'>, namespace=None, **kwargs)[source]¶

Creates a new hvac client instance.

Parameters

url (str) – Base URL for the Vault instance being addressed.
token (str) – Authentication token to include in requests sent to Vault.
cert (tuple) – Certificates for use in requests sent to the Vault instance. This should be a tuple with the certificate and then key.
verify (Union[bool,str]) – Either a boolean to indicate whether TLS verification should be performed when sending requests to Vault, or a string pointing at the CA bundle to use for verification. See http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification.
timeout (int) – The timeout value for requests sent to Vault.
proxies (dict) – Proxies to use when performing requests. See: http://docs.python-requests.org/en/master/user/advanced/#proxies
allow_redirects (bool) – Whether to follow redirects when sending requests to Vault.
session (request.Session) – Optional session object to use when performing request.
adapter (hvac.adapters.Adapter) – Optional class to be used for performing requests. If none is provided, defaults to hvac.adapters.JSONRequest
kwargs (dict) – Additional parameters to pass to the adapter constructor.
namespace (str) – Optional Vault Namespace.

property adapter¶

property allow_redirects¶

property auth¶: Accessor for the Client instance’s auth methods. Provided via the hvac.api.AuthMethods class. :return: This Client instance’s associated Auth instance. :rtype: hvac.api.AuthMethods

auth_cubbyhole(token)[source]¶

Perform a login request with a wrapped token.

Stores the unwrapped token in the resulting Vault response for use by the hvac.adapters.Adapter(): instance under the _adapater Client attribute.

Parameters: token (str | unicode) – Wrapped token
Returns: The (JSON decoded) response of the auth request
Return type: dict

delete(path)[source]¶

DELETE /<path>

Parameters: path –
Returns
Return type

property generate_root_status¶

get_policy(name, parse=False)[source]¶

Retrieve the policy body for the named policy.

Parameters

name (str | unicode) – The name of the policy to retrieve.
parse (bool) – Specifies whether to parse the policy body using pyhcl or not.

Returns

The (optionally parsed) policy body for the specified policy.

Return type

str | dict

property ha_status¶

Read the high availability status and current leader instance of Vault.

Returns: The JSON response returned by read_leader_status()
Return type: dict

is_authenticated()[source]¶

Helper method which returns the authentication status of the client

Returns
Return type

property key_status¶

GET /sys/key-status

Returns: Information about the current encryption key used by Vault.
Return type: dict

list(path)[source]¶

GET /<path>?list=true

Parameters: path –
Returns
Return type

login(url, use_token=True, **kwargs)[source]¶

Perform a login request.

Associated request is typically to a path prefixed with “/v1/auth”) and optionally stores the client token sent: in the resulting Vault response for use by the hvac.adapters.Adapter() instance under the _adapater Client attribute.

Parameters

url (str | unicode) – Path to send the authentication request to.
use_token (bool) – if True, uses the token in the response received from the auth request to set the “token” attribute on the the hvac.adapters.Adapter() instance under the _adapater Client attribute.
kwargs (dict) – Additional keyword arguments to include in the params sent with the request.

Returns

The response of the auth request.

Return type

requests.Response

logout(revoke_token=False)[source]¶

Clears the token used for authentication, optionally revoking it before doing so.

Parameters: revoke_token –
Returns
Return type

lookup_token(token=None, accessor=False, wrap_ttl=None)[source]¶

GET /auth/token/lookup/<token>

GET /auth/token/lookup-accessor/<token-accessor>

GET /auth/token/lookup-self

Parameters

token (str.) –
accessor (str.) –
wrap_ttl (int.) –

Returns

Return type

read(path, wrap_ttl=None)[source]¶

GET /<path>

Parameters

path –
wrap_ttl –

Returns

Return type

property rekey_status¶

renew_token(token, increment=None, wrap_ttl=None)[source]¶

POST /auth/token/renew

POST /auth/token/renew-self

Parameters

token –
increment –
wrap_ttl –

Returns

Return type

For calls expecting to hit the renew-self endpoint please use the “renew_self_token” method instead

revoke_token(token, orphan=False, accessor=False)[source]¶

POST /auth/token/revoke

POST /auth/token/revoke-orphan

POST /auth/token/revoke-accessor

Parameters

token –
orphan –
accessor –

Returns

Return type

property seal_status¶

Read the seal status of the Vault.

This is an unauthenticated endpoint.

Supported methods:: GET: /sys/seal-status. Produces: 200 application/json

Returns: The JSON response of the request.
Return type: dict

property secrets¶

Accessor for the Client instance’s secrets engines. Provided via the hvac.api.SecretsEngines class.

Returns: This Client instance’s associated SecretsEngines instance.
Return type: hvac.api.SecretsEngines

property session¶

property sys¶

Accessor for the Client instance’s system backend methods. Provided via the hvac.api.SystemBackend class.

Returns: This Client instance’s associated SystemBackend instance.
Return type: hvac.api.SystemBackend

property token¶

property url¶

write(path, wrap_ttl=None, **kwargs)[source]¶

POST /<path>

Parameters

path –
wrap_ttl –
kwargs –

Returns

Return type