AWS
Configure Root IAM Credentials
Source reference: hvac.api.secrets_engines.Aws.configure_root_iam_credentials()
import os
import hvac
client = hvac.Client()
client.secrets.aws.configure_root_iam_credentials(
access_key=os.getenv('AWS_ACCESS_KEY_ID'),
secret_key=os.getenv('AWS_SECRET_ACCESS_KEY'),
)
Rotate Root IAM Credentials
Source reference: hvac.api.secrets_engines.Aws.rotate_root_iam_credentials()
import hvac
client = hvac.Client()
client.secrets.aws.rotate_root_iam_credentials()
Configure Lease
Source reference: hvac.api.secrets_engines.Aws.configure_lease()
import hvac
client = hvac.Client()
# Set the default least TTL to 300 seconds / 5 minutes
client.secrets.aws.configure_lease(
lease='300s',
)
Read Lease
Source reference: hvac.api.secrets_engines.Aws.read_lease()
import hvac
client = hvac.Client()
read_lease_response = client.secrets.aws.read_lease()
print('The current "lease_max" TTL is: {lease_max}'.format(
lease_max=read_lease_response['data']['lease_max'],
))
Create or Update Role
Source reference: hvac.api.secrets_engines.Aws.create_or_update_role()
import hvac
client = hvac.Client()
describe_ec2_policy_doc = {
'Version': '2012-10-17',
'Statement': [
{
'Resource': '*'
'Action': 'ec2:Describe*',
'Effect': 'Allow',
},
],
}
client.secrets.aws.create_or_update_role(
name='hvac-role',
credential_type='assumed_role',
policy_document=describe_ec2_policy_doc,
policy_arns=['arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess'],
)
Legacy Parameters
Note
In previous versions of Vault (before version 0.11.0), this API route only supports the policy_document and policy_arns parameters (which hvac will translate to policy and arn parameters respectively in the request sent to Vault). If running these versions of Vault, the legacy_params parameter on this method can be set to True.
For older versions of Vault (any version before 0.11.0):
import hvac
client = hvac.Client()
describe_ec2_policy_doc = {
'Version': '2012-10-17',
'Statement': [
{
'Resource': '*'
'Action': 'ec2:Describe*',
'Effect': 'Allow',
},
],
}
# Note: with the legacy params, the `policy_arns` parameter is translated to `arn`
# in the request sent to Vault and only one ARN is accepted. If a list is provided,
# hvac will only use the first ARN in the list.
client.secrets.aws.create_or_update_role(
name='hvac-role',
credential_type='assumed_role',
policy_document=describe_ec2_policy_doc,
policy_arns='arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess',
legacy_params=True,
)
Read Role
Source reference: hvac.api.secrets_engines.Aws.read_role()
import hvac
client = hvac.Client()
read_role_response = client.secrets.aws.read_role(
name='hvac-role',
)
print('The credential type for role "hvac-role" is: {cred_type}'.format(
cred_type=read_role_response['data']['credential_types'],
))
List Roles
Source reference: hvac.api.secrets_engines.Aws.list_roles()
import hvac
client = hvac.Client()
list_roles_response = client.secrets.aws.list_roles()
print('AWS secrets engine role listing: {roles}'.format(
roles=', '.join(list_roles_response['data']['keys'])
))
Delete Role
Source reference: hvac.api.secrets_engines.Aws.delete_role()
import hvac
client = hvac.Client()
client.secrets.aws.delete_role(
name='hvac-role',
)
Generate Credentials
Source reference: hvac.api.secrets_engines.Aws.generate_credentials()
import hvac
client = hvac.Client()
gen_creds_response = client.secrets.aws.generate_credentials(
name='hvac-role',
)
print('Generated access / secret keys: {access} / {secret}'.format(
access=gen_creds_response['data']['access_key'],
secret=gen_creds_response['data']['secret_key'],
))