ConnectorTypeVAULT
class connector_types.connector_type_vault.ConnectorTypeVAULT
Interact with HashiCorp Vault
Currently, only the Key-Value engine is supported.
For version 2 of the KV engine, the secret_path needs to be prefixed with data/
Inputs
Name | Type | Default | Description |
---|---|---|---|
allow_redirects | bool | False | If set to False do not follow redirects. False by default. |
cacert | str | None | To attach self-signed certificates (ca = certificate authority, cert = certificate). To access https:// URLs, you need to sign your request. Certificates trusted by default by Debian Jessie will work. |
connect_timeout | float | None | A timeout for connecting to a peer. Can be disabled by setting to 0 or None |
data | dict | None | Used with mode upsert and update_metadata |
engine_path | str | kv | Vault's engine path. |
host | str | ||
max_redirects | int | 10 | Maximum number of redirects to follow. 10 by default. |
mode | str | None | Available modes: read, upsert, delete_last_version, delete_versions, undelete_versions, destroy_versions, list, read_metadata, update_metadata, delete_metadata. When data is given mode will default to upsert, otherwise to read. |
path | str | None | DEPRECATED: Path for the secret. Please use secret_path |
read_timeout | float | None | A timeout for reading a portion of data from a peer. Can be disabled by setting to 0 or None |
secret_path | str | None | Path for the secret. |
token | str | ||
total_timeout | float | None | Total timeout for the whole request. Can be disabled by setting to 0 or None |
version | int | None | Optional argument for mode read |
versions | list | None | Optional argument for modes delete_versions, undelete_versions, destroy_versions. If None, all versions are deleted. |
Outputs
Name | Type | Default | Description |
---|---|---|---|
execution_id | int | | The ID of the connection execution |
message | str | | The ended message for the connection. If the connection ended with an error, the message will contain information about what went wrong |
result | dict | | The response of the vault API. |
status | str | | The ended status for the connection. Either "success" or "error". |
status_code | int | | |
Constants
input_list = ['allow_redirects', 'cacert', 'connect_timeout', 'data', 'engine_path', 'host', 'max_redirects', 'mode', 'path', 'read_timeout', 'secret_path', 'token', 'total_timeout', 'version', 'versions']
output_list = ['result', 'status_code']
ssl_context_inputs = ['check_hostname', 'client_cert', 'client_key', 'server_ca']
version = 1
Methods
execute ()
log (message)
one_of_inputs (options)
run ()
Example
```python
import flow_api

def handler(system: flow_api.System, this: flow_api.Execution):
    # create a secret
    this.connect(
        connector_type='VAULT',
        host='https://my-vault-host:8200',
        engine_path='kv',
        secret_path='data/my-secret',
        data={
            'secret-key': 'secret-value',
        },
        token='my-vault-token',
    )
    # read a secret
    secret_value = this.connect(
        connector_type='VAULT',
        host='https://my-vault-host:8200',
        engine_path='kv',
        secret_path='data/my-secret',
        version=None,  # read latest version
        token='my-vault-token',
    ).get('output_value')['result']['data']['data']
    assert secret_value == {'secret-key': 'secret-value'}
    # destroy all versions of secret
    this.connect(
        connector_type='VAULT',
        host='https://my-vault-host:8200',
        engine_path='kv',
        secret_path='my-secret',
        mode='delete_metadata',
        token='my-vault-token',
    )
    return this.success('all done')
```
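
An added example, not part of the connector's documentation or the project's own code: a hypothetical helper, `vault_connect_kwargs`, that checks a call against the input table above before the result is passed to `this.connect(**kwargs)`. The https-only rule, the timeout values, the explicit versions list for destroy_versions, and applying the data/ prefix check only to read and upsert (the modes the example above calls with that prefix) are assumptions of this example.

```python
from urllib.parse import urlparse

# Mode names copied from the connector's input table.
MODES = {'read', 'upsert', 'delete_last_version', 'delete_versions',
         'undelete_versions', 'destroy_versions', 'list',
         'read_metadata', 'update_metadata', 'delete_metadata'}
# Modes the page's own example calls with a data/ prefixed secret_path.
DATA_PREFIXED_MODES = {'read', 'upsert'}
VERSIONS_MODES = {'delete_versions', 'undelete_versions', 'destroy_versions'}


def vault_connect_kwargs(host, token, secret_path, mode=None, data=None,
                         versions=None, cacert=None, engine_path='kv'):
    """Hypothetical helper: validate inputs, return kwargs for this.connect()."""
    if urlparse(host).scheme != 'https':
        raise ValueError('host must be https://, the token is sent with each request')
    if not token:
        raise ValueError('token is required')
    if mode is None:
        # Documented default: upsert when data is given, otherwise read.
        mode = 'upsert' if data is not None else 'read'
    if mode not in MODES:
        raise ValueError(f'unknown mode {mode!r}')
    if data is not None and mode not in ('upsert', 'update_metadata'):
        raise ValueError(f'data is not used with mode {mode!r}')
    if versions is not None and mode not in VERSIONS_MODES:
        raise ValueError(f'versions is not used with mode {mode!r}')
    if mode in DATA_PREFIXED_MODES and not secret_path.startswith('data/'):
        raise ValueError('KV version 2: secret_path must start with data/')
    if mode == 'destroy_versions' and versions is None:
        # Policy of this example: versions=None means "all versions", so an
        # explicit list is required before destroying anything.
        raise ValueError('destroy_versions requires an explicit versions list')
    kwargs = {
        'connector_type': 'VAULT', 'host': host, 'token': token,
        'engine_path': engine_path, 'secret_path': secret_path, 'mode': mode,
        'allow_redirects': False,   # connector default, pinned explicitly
        'connect_timeout': 5.0,     # constructed values: fail fast instead
        'read_timeout': 10.0,       # of waiting indefinitely on a peer
        'total_timeout': 30.0,
    }
    for name, value in (('data', data), ('versions', versions), ('cacert', cacert)):
        if value is not None:
            kwargs[name] = value
    return kwargs
```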