Skip to main content

Integrates anyconfig with the HVAC Vault client to mix Vault secrets into configuration file contents.

Project description

VaultAnyconfig

Extends the HVAC Hashicorp Vault Client with the load and dump functionality from anyconfig. This allows automatic mixing in of secrets from Vault, allowing you to store a configuration file with all details populated save for secrets, and then access Hashicorp Vault to load the secrets into the in-memory dictionary.

Files and Formatting

There are three configuration files, which can be stored in one, two or three files total as long as they are correctly written.

Examples in this section will be in JSON, but any file format supported by anyconfig can be used.

Vault Configuration File

This configures the connection to the Vault, and must contain at least one member (usually the url parameter). If this section is not provided or is left empty, then the Vault instance will not be configured, and instead only the anyconfig functionality will be used.

The section must be named vault_config, and can contain any of the parameters valid for initializing an HVAC client.

Example:

{
    "vault_config": {
        "url": "https://vault.acme.com:8200"
    }
}

Vault Authentication File

This provides authentication for use with the auth_from_file method, and must be named vault_creds. It should contain a member named auth_method which should correspond with one of the auth method from the HVAC Client (without the "auth_" prefix), e.g. approle. The remaining members should match the parameters for the specified auth method.

Example:

{
    "vault_creds": {
        "role_id": "sample-role-id",
        "secret_id": "sample-secret-id",
        "auth_method": "approle"
    }
}

Main Configuration File

The main configuration file should consist of the configuration sections you need without the secrets included (unless passthrough mode is desired) and a section named vault_secrets. In the vault_secrets section, the keys are dot separated paths for the keys to insert into your configuration, and the values are the path to the secret in Vault. Note as well, the key for the secret in Vault must match the name of the key you are inserting into your configuration.

Raw Config Example:

{
    "acme": {
        "host": "http://acme.com",
        "site-name": "great products"
    },
    "vault_secrets": {
        "acme.user": "secret/acme/user",
        "acme.pwd": "secret/acme/user"
    }
}
Resulting Dictionary Example:
{
    "acme": {
        "host": "http://acme.com",
        "site-name": "great products",
        "user": "sample-user",
        "pwd": "sample-password"
    }
}

Guidance for Configuration Files

Although all three files can be combined into a single file, it is recommend that you separate out the vault_creds and vault_config sections into their own file(s) and use restrictive permissions on them, e.g. 400, since the secrets required to access Vault must be present in these files.

Usage

Initialization

VaultAnyconfig can be initalized in three ways (for two different modes):

  1. From a vault configuration file (see files and formatting)
  2. By specifying the parameters used in initializing an HVAC client.
  3. By providing no parameters (or a configuration file with an empty vault_config section) in which case it is in passthrough mode, where secrets are not loaded from Vault.

Authentication With Vault

You can use auth_from_file by providing a file as explained in the files and formatting section, or you can directly use the auth methods from the HVAC Client. If passthrough mode is set, auth_from_file will always return true, but the HVAC client methods will fail, so it is recommended to use auth_from_file where possible.

Loading/Saving Files with Keys Inserted

Simply call the load, loads, dump or dumps methods as need. Invocation is the same as for directly calling the anyconfig methods.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vault-anyconfig-0.0.3.tar.gz (8.0 kB view details)

Uploaded Source

File details

Details for the file vault-anyconfig-0.0.3.tar.gz.

File metadata

  • Download URL: vault-anyconfig-0.0.3.tar.gz
  • Upload date:
  • Size: 8.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.5

File hashes

Hashes for vault-anyconfig-0.0.3.tar.gz
Algorithm Hash digest
SHA256 7074ac78ffd04fe1e37889a7167c9faab25bdea9ccfa8b9afefe2b7f16651c37
MD5 1ac66404548b5d1fe82a2e3b14d869d8
BLAKE2b-256 fdbd8b9c4883863ab54ef1d67ffee1cdc90177c9dab4820b6625510488436195

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page