Here are some code snippets showing how to authenticate to Vault from Python using each of the methods described in https://devops-db.com/vault-authentication-methods/.
https://github.com/faustobranco/devops-db/tree/master/knowledge-base/python/vault-authentication
Token.
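# pip install hvac
#
#
# vault token create -policy=jenkins -period=24h
# Key Value
# --- -----
# token hvs.<redacted - the token printed here is a credential; never paste it into source, comments or tickets>
# token_accessor OKAnjofeQOuc5dtLBs4rlBCA
# token_duration 24h
# token_renewable true
# token_policies ["default" "jenkins"]
# identity_policies []
# policies ["default" "jenkins"]
#
# The token_accessor is safe to keep: it lets you look up or revoke the token
# (vault token lookup/revoke -accessor) without holding the token itself.
import os
import sys

import hvac

# Vault address and the CA bundle that signed its server certificate. The
# variable names are the same ones the vault CLI reads (VAULT_ADDR, VAULT_CACERT).
# The lab certificate is self-signed, so point VAULT_CACERT at that certificate
# (or the CA that issued it): TLS verification then succeeds without being
# switched off. verify=False would let anyone on the network path impersonate
# Vault and collect the token and every secret read below, so it is not used.
VAULT_URL = os.environ.get('VAULT_ADDR', 'https://vault.devops-db.internal:8200/')
VAULT_CACERT = os.environ.get('VAULT_CACERT', True)

# The token comes from the environment rather than a literal in this file,
# where it would be committed to version control with every copy of the script.
VAULT_TOKEN = os.environ.get('VAULT_TOKEN')
if not VAULT_TOKEN:
    sys.exit('VAULT_TOKEN is not set; create one with: '
             'vault token create -policy=jenkins -period=24h')

client = hvac.Client(url=VAULT_URL, token=VAULT_TOKEN, verify=VAULT_CACERT)

# Fail fast on an expired, revoked or mistyped token instead of letting the
# secret read below fail with a less specific permission error.
if not client.is_authenticated():
    sys.exit('Vault rejected the token (expired, revoked, or wrong VAULT_ADDR?)')
print('authenticated to', VAULT_URL)

mount_point = 'secret'
secret_path = 'infrastructure/jenkins/test-secret01'

# KV v2 nests the stored key/value pairs under response['data']['data'];
# response['data']['metadata'] carries the version information.
response = client.secrets.kv.v2.read_secret(path=secret_path, mount_point=mount_point)
secret_data = response['data']['data']

print(secret_data['username'])
# The password itself is not echoed: stdout of a script like this ends up in
# terminal scrollback and CI logs. Confirm the key was returned instead.
print('pwd present:', 'pwd' in secret_data)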
LDAP.
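# pip install hvac
#
import os
import sys
from getpass import getpass

import hvac

# Vault address and the CA bundle that signed its server certificate (same
# variable names as the vault CLI). The lab certificate is self-signed, so set
# VAULT_CACERT to that certificate or its issuing CA; verification then passes
# without being disabled. verify=False would let an on-path attacker impersonate
# Vault and capture the LDAP password sent in the login call below.
VAULT_URL = os.environ.get('VAULT_ADDR', 'https://vault.devops-db.internal:8200/')
VAULT_CACERT = os.environ.get('VAULT_CACERT', True)

client = hvac.Client(url=VAULT_URL, verify=VAULT_CACERT)

# The username can be overridden without editing the file; the password is
# always prompted so it never appears in source, shell history or `ps` output.
service_account_username = os.environ.get('VAULT_LDAP_USERNAME', 'fbranco')
password_prompt = 'Please enter your password for the LDAP authentication backend: '
service_account_password = getpass(prompt=password_prompt)

# On success hvac stores the returned Vault token on the client for later calls.
client.auth.ldap.login(username=service_account_username,
                       password=service_account_password)
# Drop the plaintext password as soon as it has been used.
del service_account_password

# Stop here on a bad password or unmapped LDAP group instead of continuing to a
# secret read that would fail with a less specific permission error.
if not client.is_authenticated():
    sys.exit('LDAP login did not yield a valid Vault token')
print('authenticated to', VAULT_URL, 'as', service_account_username)

mount_point = 'secret'
secret_path = 'infrastructure/jenkins/test-secret01'

# KV v2 nests the stored key/value pairs under response['data']['data'].
response = client.secrets.kv.v2.read_secret(path=secret_path, mount_point=mount_point)
secret_data = response['data']['data']

print(secret_data['username'])
# The password itself is not echoed to stdout (terminal scrollback, CI logs);
# only confirm that the key was returned.
print('pwd present:', 'pwd' in secret_data)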
TLS.
For this method, the client certificate and private key that will be presented to Vault must be available on disk at a known path.
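# pip install hvac
#
import os
import sys

import hvac

# Vault address and the CA bundle that signed its server certificate (same
# variable names as the vault CLI). With verify=False the client would prove
# its identity to the server while never checking the server's identity, so an
# on-path attacker could terminate the TLS session and read every secret
# returned. Point VAULT_CACERT at the self-signed certificate (or its CA)
# instead of disabling verification.
VAULT_URL = os.environ.get('VAULT_ADDR', 'https://vault.devops-db.internal:8200/')
VAULT_CACERT = os.environ.get('VAULT_CACERT', True)

# Client certificate and private key for the cert auth method (VAULT_CLIENT_CERT /
# VAULT_CLIENT_KEY are the vault CLI names). The key file is a credential: keep
# it readable only by the account running this script and out of version control.
CLIENT_CERT = os.environ.get('VAULT_CLIENT_CERT', 'auth_vault_cert.pem')
CLIENT_KEY = os.environ.get('VAULT_CLIENT_KEY', 'auth_vault_key.pem')
for path in (CLIENT_CERT, CLIENT_KEY):
    if not os.path.isfile(path):
        sys.exit(f'client certificate/key file not found: {path}')

client = hvac.Client(cert=(CLIENT_CERT, CLIENT_KEY),
                     url=VAULT_URL,
                     verify=VAULT_CACERT)

# The cert auth method authenticates on the TLS handshake itself; hvac stores
# the token returned by this login on the client.
client.login("/v1/auth/cert/login")

# Stop on a certificate that is not trusted by the cert auth method (or whose
# role is not mapped) instead of continuing to a read that fails less clearly.
if not client.is_authenticated():
    sys.exit('certificate login did not yield a valid Vault token')
print('authenticated to', VAULT_URL)

mount_point = 'secret'
secret_path = 'infrastructure/jenkins/test-secret01'

# KV v2 nests the stored key/value pairs under response['data']['data'].
response = client.secrets.kv.v2.read_secret(path=secret_path, mount_point=mount_point)
secret_data = response['data']['data']

print(secret_data['username'])
# The password itself is not echoed to stdout (terminal scrollback, CI logs);
# only confirm that the key was returned.
print('pwd present:', 'pwd' in secret_data)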
AppRole.
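# pip install hvac
#
#
# vault read auth/approle/role/jenkins-role/role-id
# Key Value
# --- -----
# role_id 2a89c925-62fc-44b7-fed5-d2de5e31cb69
#
#
# vault write -f auth/approle/role/jenkins-role/secret-id
# Key Value
# --- -----
# secret_id <redacted - the SecretID is the password half of AppRole; never paste it into source or comments>
# secret_id_accessor 8562d2e5-b093-7ba2-5b7f-6e7eedd2461c
# secret_id_num_uses 0
# secret_id_ttl 0s
#
# NOTE: secret_id_num_uses 0 and secret_id_ttl 0s mean this SecretID never
# expires and can be used any number of times, so a leaked copy stays valid
# until someone revokes it. Outside a lab, set secret_id_num_uses and
# secret_id_ttl on the role so a SecretID has a short, bounded life.
#
#
# vault kv put secret/infrastructure/jenkins/test-secret01 username="usr-test01" pwd="1234qwer"
import os
import sys

import hvac

# Vault address and the CA bundle that signed its server certificate (same
# variable names as the vault CLI). The lab certificate is self-signed, so set
# VAULT_CACERT to that certificate or its issuing CA; verification then passes
# without being disabled. verify=False would let an on-path attacker impersonate
# Vault and capture the RoleID/SecretID pair sent in the login call below.
VAULT_URL = os.environ.get('VAULT_ADDR', 'https://vault.devops-db.internal:8200/')
VAULT_CACERT = os.environ.get('VAULT_CACERT', True)

# RoleID and SecretID are injected through the environment (for example by the
# CI job that runs this) rather than embedded in the file, which would put the
# SecretID into version control. The RoleID alone is not enough to log in;
# the SecretID is the part that must stay confidential.
VAULT_ROLE_ID = os.environ.get('VAULT_ROLE_ID')
VAULT_SECRET_ID = os.environ.get('VAULT_SECRET_ID')
if not VAULT_ROLE_ID or not VAULT_SECRET_ID:
    sys.exit('VAULT_ROLE_ID and VAULT_SECRET_ID must both be set')

client = hvac.Client(url=VAULT_URL, verify=VAULT_CACERT)

# On success hvac stores the returned Vault token on the client for later calls.
client.auth.approle.login(role_id=VAULT_ROLE_ID,
                          secret_id=VAULT_SECRET_ID)

# Stop on an expired or exhausted SecretID instead of continuing to a secret
# read that would fail with a less specific permission error.
if not client.is_authenticated():
    sys.exit('AppRole login did not yield a valid Vault token')
print('authenticated to', VAULT_URL)

mount_point = 'secret'
secret_path = 'infrastructure/jenkins/test-secret01'

# KV v2 nests the stored key/value pairs under response['data']['data'].
response = client.secrets.kv.v2.read_secret(path=secret_path, mount_point=mount_point)
secret_data = response['data']['data']

print(secret_data['username'])
# The password itself is not echoed to stdout (terminal scrollback, CI logs);
# only confirm that the key was returned.
print('pwd present:', 'pwd' in secret_data)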
User and Password.
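# pip install hvac
#
import os
import sys
from getpass import getpass

import hvac

# Vault address and the CA bundle that signed its server certificate (same
# variable names as the vault CLI). The lab certificate is self-signed, so set
# VAULT_CACERT to that certificate or its issuing CA; verification then passes
# without being disabled. verify=False would let an on-path attacker impersonate
# Vault and capture the password sent in the login call below.
VAULT_URL = os.environ.get('VAULT_ADDR', 'https://vault.devops-db.internal:8200/')
VAULT_CACERT = os.environ.get('VAULT_CACERT', True)

client = hvac.Client(url=VAULT_URL,
                     verify=VAULT_CACERT)

# The username can be overridden without editing the file. The password is
# never a literal in source: it is taken from VAULT_PASSWORD for unattended
# runs, otherwise prompted with getpass so it stays out of shell history.
username = os.environ.get('VAULT_USERNAME', 'test_user')
password = os.environ.get('VAULT_PASSWORD') or getpass(
    prompt=f'Vault userpass password for {username}: ')

# On success hvac stores the returned Vault token on the client for later calls.
client.auth.userpass.login(
    username=username,
    password=password,
)
# Drop the plaintext password as soon as it has been used.
del password

# Stop on a wrong password or unknown user instead of continuing to a secret
# read that would fail with a less specific permission error.
if not client.is_authenticated():
    sys.exit('userpass login did not yield a valid Vault token')
print('authenticated to', VAULT_URL, 'as', username)

mount_point = 'secret'
secret_path = 'infrastructure/jenkins/test-secret01'

# KV v2 nests the stored key/value pairs under response['data']['data'].
response = client.secrets.kv.v2.read_secret(path=secret_path, mount_point=mount_point)
secret_data = response['data']['data']

print(secret_data['username'])
# The password itself is not echoed to stdout (terminal scrollback, CI logs);
# only confirm that the key was returned.
print('pwd present:', 'pwd' in secret_data)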