6bf74aa20d
This commit adds two new CLI commands that allow an operator to read and write passwords into a configured Hashicorp Vault KV. Change-Id: Icf0eaf7544fcbdf7b83f697cc711446f47118a4d
#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import sys
import hvac
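def hashicorp_vault_client(vault_namespace, vault_addr, vault_role_id,
                           vault_secret_id, vault_token, vault_cacert):
    """Connect to a Vault server and create an authenticated client.

    Exactly one authentication method must be supplied: either a Vault
    token, or an AppRole role-id/secret-id pair. Any other combination is
    reported on stderr and the process exits with status 1, as does a
    client that fails to authenticate.

    :param vault_namespace: Vault namespace (enterprise only).
    :param vault_addr: Address to connect to an existing Hashicorp Vault.
    :param vault_role_id: Role-ID to authenticate to Vault. This must be used
        in conjunction with --secret-id.
    :param vault_secret_id: Secret-ID to authenticate to Vault. This must be
        used in conjunction with --role-id.
    :param vault_token: Vault token to authenticate to Vault.
    :param vault_cacert: Path to CA certificate file; empty/None means the
        default trust store is used.
    :returns: Hashicorp Vault Client (hvac.Client).
    :raises SystemExit: with status 1 on an invalid credential combination
        or when the client does not authenticate.
    """
    using_approle = any([vault_role_id, vault_secret_id])
    if using_approle:
        if vault_token:
            _fail("ERROR: Vault token cannot be used at the same time as "
                  "role-id and secret-id")
        if not all([vault_role_id, vault_secret_id]):
            _fail("ERROR: role-id and secret-id must be provided together")
    elif not vault_token:
        _fail("ERROR: You must provide either a Vault token or role-id and "
              "secret-id")

    # Point requests at the operator-supplied CA bundle. NOTE: this is a
    # process-wide setting, so every requests call made afterwards in this
    # interpreter (not only the Vault client) verifies against this bundle.
    # Truthiness rather than `!= ""` so that a None value is not written
    # into the environment (os.environ rejects non-str values).
    if vault_cacert:
        os.environ['REQUESTS_CA_BUNDLE'] = vault_cacert

    # Truthiness rather than `!= ""` so that a None token falls through to
    # AppRole, consistent with the validation above.
    if vault_token:  # nosec
        client = hvac.Client(url=vault_addr, token=vault_token,
                             namespace=vault_namespace)
    else:
        client = hvac.Client(url=vault_addr, namespace=vault_namespace)
        # Exchanges the role-id/secret-id pair for a token held by the client.
        client.auth_approle(vault_role_id, vault_secret_id)

    if not client.is_authenticated():
        _fail('Failed to authenticate to vault')

    return client


def _fail(message):
    """Report an operator-facing error on stderr and exit with status 1.

    Errors go to stderr so that stdout stays clean for command output
    (e.g. a password being read back from Vault).

    :param message: The error text to print.
    :raises SystemExit: always, with status 1.
    """
    print(message, file=sys.stderr)
    sys.exit(1)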