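#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import os
import sys

import hvac


def _fail(message):
    """Report a fatal usage/authentication error on stderr and exit(1).

    Errors go to stderr so they are never mixed into stdout that a caller
    may be capturing (e.g. a secret value piped to another tool).
    """
    print(message, file=sys.stderr)
    sys.exit(1)


def hashicorp_vault_client(vault_namespace, vault_addr, vault_role_id,
                           vault_secret_id, vault_token, vault_cacert):
    """Connect to a Vault server and return an authenticated client.

    Exactly one authentication method must be supplied: either a Vault
    token, or an AppRole role-id / secret-id pair. Any other combination
    is reported on stderr and the process exits with status 1. Empty
    strings and ``None`` are both treated as "not provided".

    :param vault_namespace: Vault namespace (enterprise only).
    :param vault_addr: Address to connect to an existing Hashicorp Vault.
    :param vault_role_id: Role-ID to authenticate to Vault. This must be
                          used in conjunction with --secret-id.
    :param vault_secret_id: Secret-ID to authenticate to Vault. This must
                            be used in conjunction with --role-id.
    :param vault_token: Vault token to authenticate to Vault.
    :param vault_cacert: Path to CA certificate file used to verify the
                         Vault server's TLS certificate.
    :returns: Authenticated Hashicorp Vault client (hvac.Client).
    :raises SystemExit: with status 1 on an invalid credential combination
                        or when authentication against Vault fails.
    """
    # Credential-combination validation. Truthiness is used throughout so
    # that None and "" are handled the same way here and below; the
    # original mixed truthiness with `!= ""`, which let a None token slip
    # through validation and then skip the AppRole login entirely.
    if any([vault_role_id, vault_secret_id]):
        if vault_token:
            _fail("ERROR: Vault token cannot be used at the same time as "
                  "role-id and secret-id")
        if not all([vault_role_id, vault_secret_id]):
            _fail("ERROR: role-id and secret-id must be provided together")
    elif not vault_token:
        _fail("ERROR: You must provide either a Vault token or role-id and "
              "secret-id")

    # TLS trust anchor. Pin the CA bundle on the client itself so that
    # verification of the Vault endpoint does not depend on process-global
    # state; REQUESTS_CA_BUNDLE is still exported to keep the previous
    # behaviour for any other requests-based code in the same process.
    verify = True
    if vault_cacert:
        os.environ['REQUESTS_CA_BUNDLE'] = vault_cacert
        verify = vault_cacert

    # Authenticate to Hashicorp Vault
    if vault_token:  # nosec
        client = hvac.Client(url=vault_addr, token=vault_token,
                             namespace=vault_namespace, verify=verify)
    else:
        client = hvac.Client(url=vault_addr, namespace=vault_namespace,
                             verify=verify)
        # NOTE(review): auth_approle is the legacy helper; newer hvac
        # releases expose client.auth.approle.login(role_id=..., secret_id=...)
        # instead -- confirm against the pinned hvac version.
        client.auth_approle(vault_role_id, vault_secret_id)

    # Confirm the credentials actually work before handing the client out,
    # so callers never operate on an unauthenticated session.
    if not client.is_authenticated():
        _fail('Failed to authenticate to vault')
    return client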