tessl/pypi-hvac
HashiCorp Vault API client for Python with comprehensive authentication, secrets management, and system administration capabilities
—
Pending
secrets-engines.mddocs/
Secrets Engines
Comprehensive secret management capabilities including static and dynamic secret storage, encryption services, and credential generation for databases, cloud services, and infrastructure components. HVAC supports 17+ secrets engines covering the full spectrum of modern secret management needs.
Capabilities
Key-Value Storage
Static secret storage with versioning, metadata, and access controls for application secrets and configuration data.
class KvV2:
def create_or_update_secret(
self,
path: str,
secret: dict,
cas: int = None,
mount_point: str = "secret"
) -> dict: ...
def read_secret_version(
self,
path: str,
version: int = None,
mount_point: str = "secret",
raise_on_deleted_version: bool = True
) -> dict: ...
def patch(
self,
path: str,
secret: dict,
mount_point: str = "secret"
) -> dict: ...
def delete_latest_version_of_secret(
self,
path: str,
mount_point: str = "secret"
) -> None: ...
def delete_secret_versions(
self,
path: str,
versions: list,
mount_point: str = "secret"
) -> None: ...
def undelete_secret_versions(
self,
path: str,
versions: list,
mount_point: str = "secret"
) -> None: ...
def destroy_secret_versions(
self,
path: str,
versions: list,
mount_point: str = "secret"
) -> None: ...
def list_secrets(
self,
path: str,
mount_point: str = "secret"
) -> dict: ...
def read_secret_metadata(
self,
path: str,
mount_point: str = "secret"
) -> dict: ...
def update_metadata(
self,
path: str,
max_versions: int = None,
cas_required: bool = None,
delete_version_after: str = None,
custom_metadata: dict = None,
mount_point: str = "secret"
) -> None: ...
class KvV1:
def create_or_update_secret(
self,
path: str,
secret: dict,
method: str = None,
mount_point: str = "secret"
) -> dict: ...
def read_secret(
self,
path: str,
mount_point: str = "secret"
) -> dict: ...
def list_secrets(
self,
path: str,
mount_point: str = "secret"
) -> dict: ...
def delete_secret(
self,
path: str,
mount_point: str = "secret"
) -> None: ...Database Credential Management
Dynamic database credential generation with automatic rotation and multiple database support.
class Database:
def configure(
self,
name: str,
plugin_name: str,
connection_url: str = None,
verify_connection: bool = True,
allowed_roles: list = None,
root_rotation_statements: list = None,
password_policy: str = None,
mount_point: str = "database",
**kwargs
) -> None: ...
def create_or_update_role(
self,
name: str,
db_name: str,
creation_statements: list,
default_ttl: str = None,
max_ttl: str = None,
revocation_statements: list = None,
renew_statements: list = None,
rollback_statements: list = None,
mount_point: str = "database"
) -> None: ...
def create_static_role(
self,
name: str,
db_name: str,
username: str,
rotation_statements: list = None,
rotation_period: str = "24h",
mount_point: str = "database"
) -> None: ...
def generate_credentials(
self,
name: str,
mount_point: str = "database"
) -> dict: ...
def get_static_credentials(
self,
name: str,
mount_point: str = "database"
) -> dict: ...
def rotate_static_role_credentials(
self,
name: str,
mount_point: str = "database"
) -> None: ...PKI Certificate Authority
Complete certificate authority operations including root CA generation, intermediate signing, and certificate issuance.
class Pki:
def generate_root(
self,
type: str, # "internal" or "exported"
common_name: str,
alt_names: list = None,
ip_sans: list = None,
uri_sans: list = None,
other_sans: list = None,
ttl: str = None,
key_type: str = "rsa",
key_bits: int = 2048,
exclude_cn_from_sans: bool = False,
mount_point: str = "pki"
) -> dict: ...
def generate_intermediate(
self,
type: str,
common_name: str,
mount_point: str = "pki",
**kwargs
) -> dict: ...
def sign_intermediate(
self,
csr: str,
common_name: str,
ttl: str = None,
mount_point: str = "pki",
**kwargs
) -> dict: ...
def generate_certificate(
self,
name: str,
common_name: str,
alt_names: list = None,
ip_sans: list = None,
uri_sans: list = None,
other_sans: list = None,
ttl: str = None,
mount_point: str = "pki"
) -> dict: ...
def sign_certificate(
self,
name: str,
csr: str,
common_name: str,
mount_point: str = "pki",
**kwargs
) -> dict: ...
def revoke_certificate(
self,
serial_number: str,
mount_point: str = "pki"
) -> dict: ...
def create_or_update_role(
self,
name: str,
ttl: str = None,
max_ttl: str = None,
allow_localhost: bool = True,
allowed_domains: list = None,
allow_subdomains: bool = False,
allow_glob_domains: bool = False,
allow_any_name: bool = False,
enforce_hostnames: bool = True,
allow_ip_sans: bool = True,
mount_point: str = "pki",
**kwargs
) -> None: ...Encryption as a Service
High-performance encryption, decryption, and key management without exposing key material.
class Transit:
def create_key(
self,
name: str,
key_type: str = "aes256-gcm96",
convergent_encryption: bool = None,
derived: bool = None,
exportable: bool = None,
allow_plaintext_backup: bool = None,
mount_point: str = "transit"
) -> None: ...
def encrypt_data(
self,
name: str,
plaintext: str, # base64 encoded
context: str = None, # base64 encoded
key_version: int = None,
nonce: str = None,
batch_input: list = None,
mount_point: str = "transit"
) -> dict: ...
def decrypt_data(
self,
name: str,
ciphertext: str,
context: str = None,
nonce: str = None,
batch_input: list = None,
mount_point: str = "transit"
) -> dict: ...
def rewrap_data(
self,
name: str,
ciphertext: str,
context: str = None,
key_version: int = None,
batch_input: list = None,
mount_point: str = "transit"
) -> dict: ...
def generate_data_key(
self,
name: str,
key_type: str = "plaintext", # "plaintext" or "wrapped"
context: str = None,
nonce: str = None,
bits: int = 256,
mount_point: str = "transit"
) -> dict: ...
def sign_data(
self,
name: str,
hash_input: str, # base64 encoded
hash_algorithm: str = "sha2-256",
signature_algorithm: str = None,
mount_point: str = "transit"
) -> dict: ...
def verify_signed_data(
self,
name: str,
hash_input: str,
signature: str,
hash_algorithm: str = "sha2-256",
signature_algorithm: str = None,
mount_point: str = "transit"
) -> dict: ...
def rotate_key(
self,
name: str,
mount_point: str = "transit"
) -> None: ...Cloud Provider Credentials
Dynamic credential generation for major cloud platforms with fine-grained permissions.
class Aws:
def configure_root_iam_credentials(
self,
access_key: str,
secret_key: str,
region: str = "us-east-1",
iam_endpoint: str = None,
sts_endpoint: str = None,
mount_point: str = "aws"
) -> None: ...
def create_or_update_role(
self,
name: str,
credential_type: str, # "iam_user", "assumed_role", "federation_token"
policy_document: str = None,
policy_arns: list = None,
role_arns: list = None,
default_sts_ttl: str = None,
max_sts_ttl: str = None,
mount_point: str = "aws"
) -> None: ...
def generate_credentials(
self,
name: str,
role_arn: str = None,
role_session_name: str = None,
ttl: str = None,
mount_point: str = "aws"
) -> dict: ...
class Azure:
def configure(
self,
subscription_id: str,
tenant_id: str,
client_id: str = None,
client_secret: str = None,
environment: str = "AzurePublicCloud",
mount_point: str = "azure"
) -> None: ...
def create_or_update_role(
self,
name: str,
azure_roles: list,
ttl: str = None,
max_ttl: str = None,
mount_point: str = "azure"
) -> None: ...
def generate_credentials(
self,
name: str,
mount_point: str = "azure"
) -> dict: ...
class Gcp:
def create_or_update_roleset(
self,
name: str,
project: str,
bindings: str, # HCL string
token_scopes: list = None,
mount_point: str = "gcp"
) -> None: ...
def generate_oauth2_access_token(
self,
roleset: str,
mount_point: str = "gcp"
) -> dict: ...
def generate_service_account_key(
self,
roleset: str,
key_algorithm: str = "KEY_ALG_RSA_2048",
key_type: str = "TYPE_GOOGLE_CREDENTIALS_FILE",
mount_point: str = "gcp"
) -> dict: ...Identity and Directory Services
Automated credential rotation for Active Directory and LDAP service accounts.
class ActiveDirectory:
def configure(
self,
binddn: str,
bindpass: str,
url: str,
userdn: str = None,
upndomain: str = None,
mount_point: str = "ad"
) -> None: ...
def create_or_update_role(
self,
name: str,
service_account_name: str,
ttl: str = None,
mount_point: str = "ad"
) -> None: ...
def generate_credentials(
self,
name: str,
mount_point: str = "ad"
) -> dict: ...
class Ldap:
def configure(
self,
binddn: str,
bindpass: str,
url: str,
schema: str = "openldap", # "openldap", "ad", "racf"
userdn: str = None,
mount_point: str = "ldap"
) -> None: ...
def create_or_update_static_role(
self,
name: str,
username: str,
dn: str,
rotation_period: str = "24h",
mount_point: str = "ldap"
) -> None: ...
def generate_static_credentials(
self,
name: str,
mount_point: str = "ldap"
) -> dict: ...Infrastructure Access
SSH access management and service discovery credentials for infrastructure automation.
class Ssh:
def create_role(
self,
name: str,
key_type: str, # "otp", "dynamic", "ca"
default_user: str = None,
cidr_list: str = None,
allowed_users: str = None,
ttl: str = None,
max_ttl: str = None,
mount_point: str = "ssh"
) -> None: ...
def generate_ssh_credentials(
self,
name: str,
username: str = None,
ip: str = None,
mount_point: str = "ssh"
) -> dict: ...
def sign_ssh_key(
self,
name: str,
public_key: str,
ttl: str = None,
valid_principals: str = None,
cert_type: str = "user", # "user" or "host"
key_id: str = None,
mount_point: str = "ssh"
) -> dict: ...
class Consul:
def configure_access(
self,
address: str,
token: str,
scheme: str = "http",
mount_point: str = "consul"
) -> None: ...
def create_or_update_role(
self,
name: str,
policies: list = None,
policy: str = None, # base64 encoded
token_type: str = "client", # "client" or "management"
ttl: str = None,
max_ttl: str = None,
mount_point: str = "consul"
) -> None: ...
def generate_credentials(
self,
name: str,
mount_point: str = "consul"
) -> dict: ...
class RabbitMQ:
def configure_connection(
self,
connection_uri: str,
username: str = None,
password: str = None,
verify_connection: bool = True,
mount_point: str = "rabbitmq"
) -> None: ...
def create_role(
self,
name: str,
tags: str = None,
vhosts: str = None,
vhost_topics: str = None,
mount_point: str = "rabbitmq"
) -> None: ...
def generate_credentials(
self,
name: str,
mount_point: str = "rabbitmq"
) -> dict: ...Data Protection and Transformation
Format-preserving encryption, tokenization, and data masking for compliance and privacy.
class Transform:
def create_or_update_transformation(
self,
name: str,
type: str, # "fpe", "masking", "tokenization"
template: str = None,
tweak_source: str = "supplied",
allowed_roles: list = None,
mount_point: str = "transform"
) -> None: ...
def create_or_update_role(
self,
name: str,
transformations: list,
mount_point: str = "transform"
) -> None: ...
def encode(
self,
role_name: str,
value: str = None,
transformation: str = None,
tweak: str = None,
batch_input: list = None,
mount_point: str = "transform"
) -> dict: ...
def decode(
self,
role_name: str,
value: str = None,
transformation: str = None,
tweak: str = None,
batch_input: list = None,
mount_point: str = "transform"
) -> dict: ...
class Identity:
def create_or_update_entity(
self,
name: str = None,
entity_id: str = None,
metadata: dict = None,
policies: list = None,
disabled: bool = None,
mount_point: str = "identity"
) -> dict: ...
def create_or_update_group(
self,
name: str,
group_id: str = None,
group_type: str = "internal", # "internal" or "external"
metadata: dict = None,
policies: list = None,
member_entity_ids: list = None,
mount_point: str = "identity"
) -> dict: ...
def generate_signed_id_token(
self,
name: str,
audience: str = None,
template: str = None,
mount_point: str = "identity"
) -> dict: ...Usage Examples
Key-Value Secret Management
import hvac
client = hvac.Client(url='https://vault.example.com:8200')
client.token = 'your-token'
# Store application secrets
response = client.secrets.kv_v2.create_or_update_secret(
path='myapp/config',
secret={
'database_url': 'postgres://user:pass@host:5432/db',
'api_key': 'secret123',
'debug': True
}
)
# Read secret
secret = client.secrets.kv_v2.read_secret_version(path='myapp/config')
config = secret['data']['data']
print(f"Database URL: {config['database_url']}")
# Update specific keys without overwriting
client.secrets.kv_v2.patch(
path='myapp/config',
secret={'api_key': 'newsecret456'}
)
# Read specific version
old_version = client.secrets.kv_v2.read_secret_version(
path='myapp/config',
version=1
)Dynamic Database Credentials
# Configure database connection
client.secrets.database.configure(
name='postgres-db',
plugin_name='postgresql-database-plugin',
connection_url='postgresql://{{username}}:{{password}}@postgres:5432/mydb',
allowed_roles=['readonly', 'readwrite'],
username='vault',
password='vault-password'
)
# Create role for read-only access
client.secrets.database.create_or_update_role(
name='readonly',
db_name='postgres-db',
creation_statements=[
'CREATE ROLE "{{name}}" WITH LOGIN PASSWORD \'{{password}}\' VALID UNTIL \'{{expiration}}\';',
'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";'
],
default_ttl='1h',
max_ttl='24h'
)
# Generate dynamic credentials
creds = client.secrets.database.generate_credentials(name='readonly')
username = creds['data']['username']
password = creds['data']['password']
lease_duration = creds['lease_duration']
print(f"Database user: {username}, expires in {lease_duration}s")PKI Certificate Operations
# Generate root CA
root_ca = client.secrets.pki.generate_root(
type='internal',
common_name='My Company Root CA',
ttl='8760h' # 1 year
)
# Create certificate role
client.secrets.pki.create_or_update_role(
name='web-server',
allowed_domains=['example.com'],
allow_subdomains=True,
max_ttl='720h' # 30 days
)
# Generate certificate
cert = client.secrets.pki.generate_certificate(
name='web-server',
common_name='api.example.com',
alt_names=['www.example.com'],
ttl='168h' # 7 days
)
certificate = cert['data']['certificate']
private_key = cert['data']['private_key']
ca_chain = cert['data']['ca_chain']Transit Encryption Service
# Create encryption key
client.secrets.transit.create_key(
name='app-key',
key_type='aes256-gcm96'
)
# Encrypt sensitive data
import base64
plaintext = base64.b64encode(b'sensitive data').decode('utf-8')
encrypted = client.secrets.transit.encrypt_data(
name='app-key',
plaintext=plaintext
)
ciphertext = encrypted['data']['ciphertext']
# Decrypt data
decrypted = client.secrets.transit.decrypt_data(
name='app-key',
ciphertext=ciphertext
)
original_data = base64.b64decode(decrypted['data']['plaintext']).decode('utf-8')
print(f"Decrypted: {original_data}")
# Generate data encryption key
data_key = client.secrets.transit.generate_data_key(
name='app-key',
key_type='plaintext'
)
plaintext_key = data_key['data']['plaintext']
ciphertext_key = data_key['data']['ciphertext']AWS Dynamic Credentials
# Configure AWS secrets engine
client.secrets.aws.configure_root_iam_credentials(
access_key='AWS_ACCESS_KEY',
secret_key='AWS_SECRET_KEY',
region='us-east-1'
)
# Create role for S3 access
client.secrets.aws.create_or_update_role(
name='s3-readonly',
credential_type='iam_user',
policy_document='''{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}'''
)
# Generate AWS credentials
aws_creds = client.secrets.aws.generate_credentials(name='s3-readonly')
access_key = aws_creds['data']['access_key']
secret_key = aws_creds['data']['secret_key']
lease_duration = aws_creds['lease_duration']Install with Tessl CLI
npx tessl i tessl/pypi-hvac