tessl/pypi-hvac

HashiCorp Vault API client for Python with comprehensive authentication, secrets management, and system administration capabilities

Pending
Overview
Eval results
Files

auth-methods.mddocs/

Authentication Methods

Comprehensive authentication backend support for various identity providers, cloud platforms, and authentication systems. HVAC supports 15+ authentication methods that integrate with existing identity infrastructure and security workflows.

Capabilities

Token Authentication

Direct token operations including creation, renewal, revocation, and lookup for Vault's native token system.

class Token:
    def create(
        self,
        id: str = None,
        role_name: str = None,
        policies: list = None,
        meta: dict = None,
        no_parent: bool = None,
        no_default_policy: bool = None,
        renewable: bool = None,
        ttl: str = None,
        type: str = None,
        explicit_max_ttl: str = None,
        display_name: str = None,
        num_uses: int = None,
        period: str = None,
        entity_alias: str = None,
        wrap_ttl: str = None,
        mount_point: str = "token"
    ) -> dict: ...
    
    def create_orphan(self, **kwargs) -> dict: ...
    def lookup(self, token: str = None, wrap_ttl: str = None) -> dict: ...
    def lookup_self(self, wrap_ttl: str = None) -> dict: ...
    def renew(self, token: str, increment: int = None, wrap_ttl: str = None) -> dict: ...
    def renew_self(self, increment: int = None, wrap_ttl: str = None) -> dict: ...
    def revoke(self, token: str, mount_point: str = "token") -> None: ...
    def revoke_self(self, mount_point: str = "token") -> None: ...

Username/Password Authentication

Traditional username and password authentication with user management capabilities.

class Userpass:
    def login(
        self,
        username: str,
        password: str,
        use_token: bool = True,
        mount_point: str = "userpass"
    ) -> dict: ...
    
    def create_or_update_user(
        self,
        username: str,
        password: str = None,
        policies: list = None,
        **kwargs
    ) -> None: ...
    
    def list_users(self, mount_point: str = "userpass") -> dict: ...
    def read_user(self, username: str, mount_point: str = "userpass") -> dict: ...
    def delete_user(self, username: str, mount_point: str = "userpass") -> None: ...
    def update_password_on_user(
        self,
        username: str,
        password: str,
        mount_point: str = "userpass"
    ) -> None: ...

LDAP Authentication

Enterprise LDAP integration with comprehensive directory service configuration.

class Ldap:
    def login(
        self,
        username: str,
        password: str,
        use_token: bool = True,
        mount_point: str = "ldap"
    ) -> dict: ...
    
    def configure(
        self,
        userdn: str = None,
        groupdn: str = None,
        url: str = None,
        starttls: bool = None,
        certificate: str = None,
        binddn: str = None,
        bindpass: str = None,
        userattr: str = None,
        groupattr: str = None,
        **kwargs
    ) -> None: ...
    
    def read_configuration(self, mount_point: str = "ldap") -> dict: ...
    def create_or_update_user(
        self,
        username: str,
        policies: list = None,
        groups: list = None,
        **kwargs
    ) -> None: ...
    def create_or_update_group(
        self,
        name: str,
        policies: list = None,
        **kwargs
    ) -> None: ...

AppRole Authentication

Machine-to-machine authentication using role IDs and secret IDs for automated systems.

class AppRole:
    def login(
        self,
        role_id: str,
        secret_id: str = None,
        use_token: bool = True,
        mount_point: str = "approle"
    ) -> dict: ...
    
    def create_or_update_approle(
        self,
        role_name: str,
        bind_secret_id: bool = None,
        secret_id_bound_cidrs: list = None,
        secret_id_num_uses: int = None,
        secret_id_ttl: str = None,
        token_ttl: str = None,
        token_max_ttl: str = None,
        token_policies: list = None,
        **kwargs
    ) -> None: ...
    
    def read_role_id(self, role_name: str, mount_point: str = "approle") -> dict: ...
    def generate_secret_id(
        self,
        role_name: str,
        metadata: dict = None,
        cidr_list: list = None,
        wrap_ttl: str = None,
        mount_point: str = "approle"
    ) -> dict: ...
    def destroy_secret_id(
        self,
        role_name: str,
        secret_id: str,
        mount_point: str = "approle"
    ) -> None: ...

AWS Authentication

Cloud-native authentication for AWS EC2 instances and IAM principals.

class Aws:
    def iam_login(
        self,
        access_key: str,
        secret_key: str,
        session_token: str = None,
        role: str = None,
        use_token: bool = True,
        mount_point: str = "aws"
    ) -> dict: ...
    
    def ec2_login(
        self,
        pkcs7: str,
        role: str = None,
        use_token: bool = True,
        mount_point: str = "aws"
    ) -> dict: ...
    
    def configure(
        self,
        access_key: str = None,
        secret_key: str = None,
        endpoint: str = None,
        region: str = None,
        **kwargs
    ) -> None: ...
    
    def create_role(
        self,
        role: str,
        role_type: str,
        bound_ami_id: list = None,
        bound_account_id: list = None,
        bound_region: list = None,
        bound_vpc_id: list = None,
        bound_subnet_id: list = None,
        bound_instance_id: list = None,
        bound_iam_role_arn: list = None,
        bound_iam_instance_profile_arn: list = None,
        **kwargs
    ) -> None: ...

Azure Authentication

Microsoft Azure Managed Service Identity (MSI) authentication for Azure resources.

class Azure:
    def login(
        self,
        role: str,
        jwt: str,
        use_token: bool = True,
        mount_point: str = "azure"
    ) -> dict: ...
    
    def configure(
        self,
        tenant_id: str,
        resource: str,
        client_id: str = None,
        client_secret: str = None,
        **kwargs
    ) -> None: ...
    
    def create_role(
        self,
        name: str,
        bound_service_principal_ids: list = None,
        bound_resource_groups: list = None,
        bound_locations: list = None,
        bound_subscription_ids: list = None,
        **kwargs
    ) -> None: ...

Google Cloud Authentication

GCP service account JWT authentication for Google Cloud Platform resources.

class Gcp:
    def login(
        self,
        role: str,
        jwt: str,
        use_token: bool = True,
        mount_point: str = "gcp"
    ) -> dict: ...
    
    def configure(
        self,
        credentials: str = None,
        google_certs_endpoint: str = None,
        **kwargs
    ) -> None: ...
    
    def create_role(
        self,
        name: str,
        role_type: str,  # "iam" or "gce"
        project_id: str,
        bound_service_accounts: list = None,  # for iam type
        bound_zones: list = None,             # for gce type
        bound_regions: list = None,           # for gce type
        bound_instance_groups: list = None,   # for gce type
        **kwargs
    ) -> None: ...

Kubernetes Authentication

Kubernetes service account token authentication for containerized workloads.

class Kubernetes:
    def login(
        self,
        role: str,
        jwt: str,
        use_token: bool = True,
        mount_point: str = "kubernetes"
    ) -> dict: ...
    
    def configure(
        self,
        kubernetes_host: str,
        kubernetes_ca_cert: str = None,
        token_reviewer_jwt: str = None,
        pem_keys: list = None,
        **kwargs
    ) -> None: ...
    
    def create_role(
        self,
        name: str,
        bound_service_account_names: list,
        bound_service_account_namespaces: list,
        audience: str = None,
        **kwargs
    ) -> None: ...

GitHub Authentication

GitHub organization and team-based authentication using personal access tokens.

class Github:
    def login(
        self,
        token: str,
        use_token: bool = True,
        mount_point: str = "github"
    ) -> dict: ...
    
    def configure(
        self,
        organization: str,
        base_url: str = None,
        ttl: str = None,
        max_ttl: str = None,
        **kwargs
    ) -> None: ...
    
    def map_team(
        self,
        team_name: str,
        policies: list = None,
        mount_point: str = "github"
    ) -> None: ...
    
    def map_user(
        self,
        user_name: str,
        policies: list = None,
        mount_point: str = "github"
    ) -> None: ...

JWT/OIDC Authentication

JSON Web Token and OpenID Connect authentication for modern identity providers.

class JWT:
    def jwt_login(
        self,
        role: str,
        jwt: str,
        use_token: bool = True,
        mount_point: str = "jwt"
    ) -> dict: ...
    
    def configure(
        self,
        oidc_discovery_url: str = None,
        jwt_validation_pubkeys: list = None,
        bound_issuer: str = None,
        **kwargs
    ) -> None: ...

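class OIDC:
    """Vault OIDC auth method: browser-style authorization-code login.

    Method bodies are stubs (``...``). ``mount_point`` defaults to ``"oidc"``.
    """

    def oidc_authorization_url_request(
        self,
        role: str,
        redirect_uri: str,
        mount_point: str = "oidc",
    ) -> dict:
        """Ask Vault for the provider authorization URL to send the user to.

        Args:
            role: Vault role the login is for.
            redirect_uri: Where the provider sends the user back; it has to
                be one the role and provider both allow.
            mount_point: Auth mount path.

        Returns:
            The Vault response as a ``dict``. NOTE(review): presumably
            contains the authorization URL with a ``state`` parameter
            embedded — confirm.
        """
        ...

    def oidc_callback(
        self,
        code: str,
        state: str,
        mount_point: str = "oidc",
    ) -> dict:
        """Complete the login with the ``code`` and ``state`` from the provider redirect.

        ``state`` must be the value issued for this login attempt; Vault uses
        it to tie the callback to the original request, so never accept a
        callback whose state you did not hand out.
        """
        ...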

Certificate Authentication

TLS client certificate authentication using trusted certificate authorities.

class Cert:
    def login(self, use_token: bool = True, mount_point: str = "cert") -> dict: ...
    
    def create_ca_certificate_role(
        self,
        name: str,
        certificate: str,
        allowed_common_names: list = None,
        allowed_dns_sans: list = None,
        allowed_email_sans: list = None,
        allowed_uri_sans: list = None,
        **kwargs
    ) -> None: ...
    
    def configure_tls_certificate(
        self,
        certificate: str = None,
        certificate_file: str = None,
        **kwargs
    ) -> None: ...

Enterprise Identity Providers

Additional authentication methods for enterprise identity systems.

class Okta:
    def login(
        self,
        username: str,
        password: str,
        use_token: bool = True,
        mount_point: str = "okta"
    ) -> dict: ...
    
    def configure(
        self,
        org_name: str,
        api_token: str = None,
        base_url: str = None,
        bypass_okta_mfa: bool = None,
        **kwargs
    ) -> None: ...

class Radius:
    def login(
        self,
        username: str,
        password: str,
        use_token: bool = True,
        mount_point: str = "radius"
    ) -> dict: ...
    
    def configure(
        self,
        host: str,
        secret: str,
        port: int = None,
        dial_timeout: int = None,
        **kwargs
    ) -> None: ...

Usage Examples

AppRole Authentication (Recommended for Applications)

import hvac

client = hvac.Client(url='https://vault.example.com:8200')

# Define the role and the constraints on the tokens it issues (admin step).
client.auth.approle.create_or_update_approle(
    role_name='myapp',
    token_policies=['myapp-policy'],
    token_ttl='1h',
    token_max_ttl='4h',
)

# The RoleID is static and is normally baked into the deployment.
role_id = client.auth.approle.read_role_id('myapp')['data']['role_id']

# The SecretID is the sensitive half of the pair; it is normally minted at
# deploy or startup by whatever launches the workload and handed to it.
secret_id = client.auth.approle.generate_secret_id('myapp')['data']['secret_id']

# Exchange the pair for a Vault token.
auth_response = client.auth.approle.login(role_id=role_id, secret_id=secret_id)
print(f"Authenticated successfully, token TTL: {auth_response['auth']['lease_duration']}")

Kubernetes Authentication

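from pathlib import Path

import hvac

client = hvac.Client(url='https://vault.example.com:8200')

# Directory the kubelet mounts into every pod with the projected SA files.
SA_DIR = Path('/var/run/secrets/kubernetes.io/serviceaccount')

# Configure Kubernetes auth (admin operation). The original used a bare
# open().read(), which leaks the file handle; read_text() opens and closes it.
client.auth.kubernetes.configure(
    kubernetes_host='https://kubernetes.default.svc.cluster.local',
    kubernetes_ca_cert=(SA_DIR / 'ca.crt').read_text(encoding='utf-8'),
)

# Create role for service account
client.auth.kubernetes.create_role(
    name='myapp-role',
    bound_service_account_names=['myapp-sa'],
    bound_service_account_namespaces=['production'],
    token_policies=['myapp-policy'],
    token_ttl='1h',
)

# Authenticate from pod with the projected service-account token.
jwt_token = (SA_DIR / 'token').read_text(encoding='utf-8')
auth_response = client.auth.kubernetes.login(
    role='myapp-role',
    jwt=jwt_token,
)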

LDAP Authentication

import hvac

client = hvac.Client(url='https://vault.example.com:8200')

# Directory connection settings (admin operation). ldaps:// keeps the bind
# and user passwords off the wire in the clear.
ldap_settings = {
    'url': 'ldaps://ldap.company.com',
    'userdn': 'ou=users,dc=company,dc=com',
    'groupdn': 'ou=groups,dc=company,dc=com',
    'userattr': 'uid',
    'groupattr': 'memberUid',
}
client.auth.ldap.configure(**ldap_settings)

# Grant policies by directory group rather than per user.
client.auth.ldap.create_or_update_group(name='developers', policies=['developer-policy'])

# Interactive user login; the password is inlined here only to keep the
# example short.
auth_response = client.auth.ldap.login(username='john.doe', password='user_password')

AWS IAM Authentication

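import hvac
import boto3  # retained from the original example; not used below
import requests

client = hvac.Client(url='https://vault.example.com:8200')

# Configure AWS auth (admin operation). The key pair shown is a placeholder;
# it is stored in Vault's configuration, so use a narrowly scoped IAM user.
client.auth.aws.configure(
    access_key='aws_access_key',
    secret_key='aws_secret_key',
    region='us-east-1',
)

# Create role for EC2 instances; the bound_* values are what limit which
# instances may log in, so keep them as tight as the fleet allows.
client.auth.aws.create_role(
    role='ec2-role',
    role_type='ec2',
    bound_ami_id=['ami-12345678'],
    bound_account_id=['123456789012'],
    token_policies=['ec2-policy'],
)

# Authenticate from EC2 instance. Fetch an IMDSv2 session token first:
# instances configured to require IMDSv2 reject the plain GET the original
# example used, and raise_for_status() stops an error body from being sent
# to Vault as if it were the PKCS#7 document.
IMDS = 'http://169.254.169.254/latest'
imds_token_response = requests.put(
    f'{IMDS}/api/token',
    headers={'X-aws-ec2-metadata-token-ttl-seconds': '60'},
    timeout=2,
)
imds_token_response.raise_for_status()
pkcs7_response = requests.get(
    f'{IMDS}/dynamic/instance-identity/pkcs7',
    headers={'X-aws-ec2-metadata-token': imds_token_response.text},
    timeout=2,
)
pkcs7_response.raise_for_status()
auth_response = client.auth.aws.ec2_login(
    pkcs7=pkcs7_response.text,
    role='ec2-role',
)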

Install with Tessl CLI

npx tessl i tessl/pypi-hvac
