Mount
Manipulate secret backends
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')

# List, enable, disable, tune, read and move secrets engine mounts.
backends = client.sys.list_mounted_secrets_engines()['data']
client.sys.enable_secrets_engine('aws', path='aws-us-east-1')
client.sys.disable_secrets_engine('mysql')
client.sys.tune_mount_configuration(path='test', default_lease_ttl='3600s', max_lease_ttl='8600s')
client.sys.read_mount_configuration(path='test')
client.sys.move_backend('aws-us-east-1', 'aws-east')
List Mounted Secrets Engines
- Mount.list_mounted_secrets_engines()[source]
Lists all the mounted secrets engines.
- Supported methods:
POST: /sys/mounts. Produces: 200 application/json
- Returns:
JSON response of the request.
- Return type:
dict
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
secrets_engines_list = client.sys.list_mounted_secrets_engines()['data']
print('The following secrets engines are mounted: %s' % ', '.join(sorted(secrets_engines_list.keys())))
Example output:
The following secrets engines are mounted: cubbyhole/, identity/, secret/, sys/
Enable Secrets Engine
- Mount.enable_secrets_engine(backend_type, path=None, description=None, config=None, plugin_name=None, options=None, local=False, seal_wrap=False, **kwargs)[source]
Enable a new secrets engine at the given path.
- Supported methods:
POST: /sys/mounts/{path}. Produces: 204 (empty body)
- Parameters:
backend_type (str | unicode) – The name of the backend type, such as "github" or "token".
path (str | unicode) – The path to mount the method on. If not provided, defaults to the value of the "backend_type" argument.
description (str | unicode) – A human-friendly description of the mount.
config (dict) – Configuration options for this mount. These are the possible values:
  default_lease_ttl: The default lease duration, specified as a string duration like "5s" or "30m".
  max_lease_ttl: The maximum lease duration, specified as a string duration like "5s" or "30m".
  force_no_cache: Disable caching.
  plugin_name: The name of the plugin in the plugin catalog to use.
  audit_non_hmac_request_keys: Comma-separated list of keys that will not be HMAC'd by audit devices in the request data object.
  audit_non_hmac_response_keys: Comma-separated list of keys that will not be HMAC'd by audit devices in the response data object.
  listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. ("unauth" or "hidden")
  passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request to the backend.
options (dict) – Specifies mount type specific options that are passed to the backend.
  version: <KV> The version of the KV to mount. Set to "2" for mount KV v2.
plugin_name (str | unicode) – Specifies the name of the plugin to use based on the name in the plugin catalog. Applies only to plugin backends.
local (bool) – <Vault enterprise only> Specifies if the auth method is local only. Local auth methods are not replicated nor (if a secondary) removed by replication.
seal_wrap (bool) – <Vault enterprise only> Enable seal wrapping for the mount.
kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secret engine for details on which extra keyword arguments you might want to pass.
- Returns:
The response of the request.
- Return type:
requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.enable_secrets_engine(
    backend_type='kv',
    path='hvac-kv',
)
Disable Secrets Engine
- Mount.disable_secrets_engine(path)[source]
Disable the mount point specified by the provided path.
- Supported methods:
DELETE: /sys/mounts/{path}. Produces: 204 (empty body)
- Parameters:
path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
- Returns:
The response of the request.
- Return type:
requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.disable_secrets_engine(
    path='hvac-kv',
)
Read Mount Configuration
- Mount.read_mount_configuration(path)[source]
Read the given mount's configuration.
Unlike the mounts endpoint, this will return the current time in seconds for each TTL, which may be the system default or a mount-specific value.
- Supported methods:
GET: /sys/mounts/{path}/tune. Produces: 200 application/json
- Parameters:
path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
- Returns:
The JSON response of the request.
- Return type:
requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
secret_backend_tuning = client.sys.read_mount_configuration(path='hvac-kv')
print('The max lease TTL for the "hvac-kv" backend is: {max_lease_ttl}'.format(
    max_lease_ttl=secret_backend_tuning['data']['max_lease_ttl'],
))
Example output:
The max lease TTL for the "hvac-kv" backend is: 2764800
Tune Mount Configuration
- Mount.tune_mount_configuration(path, default_lease_ttl=None, max_lease_ttl=None, description=None, audit_non_hmac_request_keys=None, audit_non_hmac_response_keys=None, listing_visibility=None, passthrough_request_headers=None, options=None, force_no_cache=None, **kwargs)[source]
Tune configuration parameters for a given mount point.
- Supported methods:
POST: /sys/mounts/{path}/tune. Produces: 204 (empty body)
- Parameters:
path (str | unicode) – Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
mount_point (str) – The path the associated secret backend is mounted
description (str) – Specifies the description of the mount. This overrides the current stored value, if any.
default_lease_ttl (int) – Default time-to-live. This overrides the global default. A value of 0 is equivalent to the system default TTL.
max_lease_ttl (int) – Maximum time-to-live. This overrides the global default. A value of 0 is equivalent to the system max TTL.
audit_non_hmac_request_keys (list) – Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the request data object.
audit_non_hmac_response_keys (list) – Specifies the comma-separated list of keys that will not be HMAC'd by audit devices in the response data object.
listing_visibility (str) – Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "".
passthrough_request_headers (str) – Comma-separated list of headers to whitelist and pass from the request to the backend.
options (dict) – Specifies mount type specific options that are passed to the backend.
  version: <KV> The version of the KV to mount. Set to "2" for mount KV v2.
force_no_cache (bool) – Disable caching.
kwargs (dict) – All dicts are accepted and passed to Vault. See your specific secret engine for details on which extra keyword arguments you might want to pass.
- Returns:
The response from the request.
- Return type:
requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.tune_mount_configuration(
    path='hvac-kv',
    default_lease_ttl='3600s',
    max_lease_ttl='8600s',
)
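The mount settings described under Enable Secrets Engine and Tune Mount Configuration can be reviewed in bulk from the listing output. The following is an added example, not part of hvac or its documentation: `audit_mounts`, `SAMPLE_MOUNTS` and `MAX_TTL_LIMIT` are hypothetical names, the sample data is constructed, and the 30-day ceiling is an assumed policy.

```python
# Added example: offline review of mount settings. SAMPLE_MOUNTS is constructed
# data shaped like client.sys.list_mounted_secrets_engines()['data'], with TTLs
# assumed to be integers in seconds.
MAX_TTL_LIMIT = 30 * 24 * 3600  # assumed policy ceiling: 30 days, in seconds

SAMPLE_MOUNTS = {
    'secret/': {'type': 'kv',
                'config': {'default_lease_ttl': 0, 'max_lease_ttl': 0}},
    'aws-us-east-1/': {'type': 'aws',
                       'config': {'default_lease_ttl': 3600,
                                  'max_lease_ttl': 7776000,
                                  'listing_visibility': 'unauth',
                                  'audit_non_hmac_request_keys': ['secret_key']}},
    'legacy-kv/': {'type': 'kv',
                   'config': {'default_lease_ttl': 7200, 'max_lease_ttl': 3600}},
}


def audit_mounts(mounts, max_ttl_limit=MAX_TTL_LIMIT):
    """Return sorted (path, finding) tuples for settings worth reviewing."""
    findings = []
    for path, mount in mounts.items():
        config = mount.get('config') or {}
        default_ttl = config.get('default_lease_ttl') or 0
        max_ttl = config.get('max_lease_ttl') or 0
        # 0 means "use the system value", so only explicit TTLs are compared.
        if max_ttl > max_ttl_limit:
            findings.append((path, 'max_lease_ttl %ds exceeds limit' % max_ttl))
        if default_ttl and max_ttl and default_ttl > max_ttl:
            findings.append((path, 'default_lease_ttl exceeds max_lease_ttl'))
        # "unauth" shows the mount in the UI-specific listing endpoint.
        if config.get('listing_visibility') == 'unauth':
            findings.append((path, 'visible in the unauthenticated UI listing'))
        # Keys listed here are not HMAC'd by audit devices.
        for field in ('audit_non_hmac_request_keys',
                      'audit_non_hmac_response_keys'):
            for key in config.get(field) or []:
                findings.append(
                    (path, '%s exposes "%s" in audit logs' % (field, key)))
    return sorted(findings)


if __name__ == '__main__':
    for path, finding in audit_mounts(SAMPLE_MOUNTS):
        print('%-16s %s' % (path, finding))
```

Against a live server, pass `client.sys.list_mounted_secrets_engines()['data']` in place of `SAMPLE_MOUNTS` and correct any findings with `tune_mount_configuration`.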
Move Backend
- Mount.move_backend(from_path, to_path)[source]
Move an already-mounted backend to a new mount point.
- Supported methods:
POST: /sys/remount. Produces: 204 (empty body)
- Parameters:
from_path (str | unicode) – Specifies the previous mount point.
to_path (str | unicode) – Specifies the new destination mount point.
- Returns:
The response of the request.
- Return type:
requests.Response
Examples
import hvac
client = hvac.Client(url='https://127.0.0.1:8200')
client.sys.move_backend(
    from_path='hvac-kv',
    to_path='kv-hvac',
)