Legacy MFAο
Configure Legacy MFA Auth Method Settingsο
hvac.api.auth_methods.LegacyMfa.configure()
Note
The legacy/unsupported MFA auth method covered by this classβs configuration API route only supports integration with a subset of Vault auth methods. See the list of supported auth methods in this moduleβs "SUPPORTED_AUTH_METHODS" attribute
and/or the associated Vault LegacyMFA documentation for additional information.
import hvac
client = hvac.Client()
userpass_auth_path = 'some-userpass'
if '%s/' % userpass_auth_path not in vault_client.sys.list_auth_methods()['data']:
print('Enabling the userpass auth backend at mount_point: {path}'.format(
path=userpass_auth_path,
))
client.sys.enable_auth_method(
method_type='userpass',
path=userpass_auth_path,
)
client.auth.legacymfa.configure(
mount_point=userpass_auth_path,
)
Reading the Legacy MFA Auth Method Configurationο
hvac.api.auth_methods.LegacyMfa.read_configuration()
import hvac
client = hvac.Client()
mfa_configuration = client.auth.legacymfa.read_configuration()
print('The LegacyMFA auth method is configured with a MFA type of: {mfa_type}'.format(
mfa_type=mfa_configuration['data']['type']
)
Configure Duo LegacyMFA Type Access Credentialsο
hvac.api.auth_methods.LegacyMfa.configure_duo_access()
from getpass import getpass
import hvac
client = hvac.Client()
secret_key_prompt = 'Please enter the Duo access secret key to configure: '
duo_access_secret_key = getpass(prompt=secret_key_prompt)
client.auth.legacymfa.configure_duo_access(
mount_point=userpass_auth_path,
host='api-1234abcd.duosecurity.com',
integration_key='SOME_DUO_IKEY',
secret_key=duo_access_secret_key,
)
Configure Duo Legacy MFA Type Behaviorο
hvac.api.auth_methods.LegacyMfa.configure_duo_behavior()
import hvac
client = hvac.Client()
client.auth.legacymfa.configure_duo_behavior(
mount_point=userpass_auth_path,
username_format='%s@hvac.network',
)
Read Duo Legacy MFA Type Behaviorο
hvac.api.auth_methods.LegacyMfa.read_duo_behavior_configuration()
import hvac
client = hvac.Client()
duo_behavior_config = client.auth.legacymfa.read_duo_behavior_configuration(
mount_point=userpass_auth_path,
)
print('The Duo LegacyMFA behavior is configured with a username_format of: {username_format}'.format(
username_format=duo_behavior_config['data']['username_format'],
)
Authentication / Loginο
from getpass import getpass
import hvac
login_username = 'someuser'
password_prompt = 'Please enter your password for the userpass (with MFA) authentication backend: '
login_password = getpass(prompt=password_prompt)
passcode_prompt = 'Please enter your OTP for the userpass (with MFA) authentication backend: '
userpass_mfa_passcode = getpass(prompt=passcode_prompt)
client = hvac.Client()
# Here the mount_point parameter corresponds to the path provided when enabling the backend
client.auth.legacymfa.auth_userpass(
username=login_username,
password=login_password,
mount_point=userpass_auth_path,
passcode=userpass_mfa_passcode,
)
print(client.is_authenticated) # => True