Version: 7 - Gugelhupf

ConnectorTypeVAULT

class connector_types.connector_type_vault.ConnectorTypeVAULT

Interact with HashiCorp Vault

Currently, only the Key-Value engine is supported.

For version 2 secrets of the KV engine, the secret_path needs to be prefixed with data/

Inputs

| Name | Type | Default | Description |
|---|---|---|---|
| allow_redirects | bool | False | If set to False do not follow redirects. False by default. |
| cacert | str | None | To attach self-signed certificates (ca = certificate authority, cert = certificate). To access https:// URLs, you need to sign your request. Certificates trusted by default by Debian Jessie will work. |
| connect_timeout | float | None | A timeout for connecting to a peer. Can be disabled by setting to 0 or None |
| data | dict | None | Used with mode upsert and update_metadata |
| engine_path | str | kv | Vault's engine path. |
| host | str | | |
| max_redirects | int | 10 | Maximum number of redirects to follow. 10 by default. |
| mode | str | None | Available modes: read, upsert, delete_last_version, delete_versions, undelete_versions, destroy_versions, list, read_metadata, update_metadata, delete_metadata. When data is given mode will default to upsert, otherwise to read. |
| path | str | None | DEPRECATED: Path for the secret. Please use secret_path |
| read_timeout | float | None | A timeout for reading a portion of data from a peer. Can be disabled by setting to 0 or None |
| secret_path | str | None | Path for the secret. |
| token | str | | |
| total_timeout | float | None | Total timeout for the whole request. Can be disabled by setting to 0 or None |
| version | int | None | Optional argument for mode read |
| versions | list | None | Optional argument for modes delete_versions, undelete_versions, destroy_versions. If None, all versions are deleted. |

Outputs

| Name | Type | Default | Description |
|---|---|---|---|
| result | dict | | The response of the vault API. |
| status_code | int | | |

Constants

input_list = ['allow_redirects', 'cacert', 'connect_timeout', 'data', 'engine_path', 'host', 'max_redirects', 'mode', 'path', 'read_timeout', 'secret_path', 'token', 'total_timeout', 'version', 'versions']
output_list = ['result', 'status_code']
ssl_context_inputs = ['check_hostname', 'client_cert', 'client_key', 'server_ca']
version = 1

Methods

execute

log

one_of_inputs

run

Example

import flow_api

def handler(system: flow_api.System, this: flow_api.Execution):
    # create a secret
    this.connect(
        connector_type='VAULT',
        host='https://my-vault-host:8200',
        engine_path='kv',
        secret_path='data/my-secret',
        data={
            'secret-key': 'secret-value',
        },
        token='my-vault-token',
    )

    # read a secret
    secret_value = this.connect(
        connector_type='VAULT',
        host='https://my-vault-host:8200',
        engine_path='kv',
        secret_path='data/my-secret',
        version=None,  # read latest version
        token='my-vault-token',
    ).get('output_value')['result']['data']['data']
    assert secret_value == {'secret-key': 'secret-value'}

    # destroy all versions of secret
    this.connect(
        connector_type='VAULT',
        host='https://my-vault-host:8200',
        engine_path='kv',
        secret_path='my-secret',
        mode='delete_metadata',
        token='my-vault-token',
    )

    return this.success('all done')
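
A defensive wrapper around the read call, as an added example that is not part of the connector's own documentation or code: it rejects non-HTTPS hosts, adds the data/ prefix exactly once, checks status_code and keeps the token out of error messages. The names read_kv2_secret and FakeExecution and the timeout values are assumptions made for this example; only the connector inputs and outputs are taken from this page.

```python
from urllib.parse import urlparse


def read_kv2_secret(this, host, token, name, cacert=None, version=None,
                    engine_path='kv'):
    """Read one KV v2 secret via the VAULT connector; return its key/value dict."""
    # Refuse plain HTTP: the Vault token is sent with every request.
    if urlparse(host).scheme != 'https':
        raise ValueError('host must be an https:// URL')
    # KV v2 secrets are addressed below data/; add the prefix exactly once.
    secret_path = name if name.startswith('data/') else f'data/{name}'
    output = this.connect(
        connector_type='VAULT',
        host=host,
        engine_path=engine_path,
        secret_path=secret_path,
        mode='read',
        version=version,        # None reads the latest version
        cacert=cacert,          # passed through to the connector's cacert input
        allow_redirects=False,  # documented default, stated explicitly
        connect_timeout=5.0,    # assumed values; tune for your network
        read_timeout=10.0,
        token=token,
    ).get('output_value')
    if output['status_code'] != 200:
        # Report path and status only; keep token and response body out of it.
        raise RuntimeError(
            f"Vault read of {secret_path!r} failed: HTTP {output['status_code']}")
    return output['result']['data']['data']


class FakeExecution:
    """Constructed stand-in for flow_api.Execution so the helper runs offline."""

    def __init__(self, status_code=200):
        self.status_code, self.calls = status_code, []

    def connect(self, **inputs):
        self.calls.append(inputs)
        ok = self.status_code == 200
        result = {'data': {'data': {'secret-key': 'secret-value'}}} if ok else {}
        # Mimic the connector's documented outputs: result and status_code.
        return {'output_value': {'result': result, 'status_code': self.status_code}}
```

Inside a flow script, pass the handler's `this` instead of FakeExecution and supply the token from wherever your deployment stores it rather than as a literal in the script.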