HashiCorp Vault + Python

Intro

The simplest use case of HashiCorp Vault is to use it as a secrets manager to store your secrets in a secure and encrypted fashion. Vault is available as an Open Source self-managed solution or as a SaaS solution hosted on HashiCorp Cloud Platform.

The Vault HTTP API gives you full access to Vault over HTTP; every aspect of Vault can be controlled through it. If you are a fan of the Python programming language like I am, there is also a well written and documented Python SDK (hvac) that we can use to interact with Vault.

In this post we will look at how to get a self-managed instance of Vault up and interacting with the instance using Python.

Installation

We will use Docker to spin up an instance of Vault to interact with. For this purpose we will create a docker-compose file as below:

version: "3.9"
services:
  hashicorp-vault:
    # the official image starts a dev-mode server by default (in-memory storage,
    # already unsealed, root token printed in the logs); no build step is needed
    image: vault:latest
    ports:
      - "8200:8200"

We will spin up the instance by executing docker-compose up. This may take a few minutes to complete. When done, you should see the URL and the root token towards the tail end of the logs as shown below:

Installation Logs

Note: As stated in the logs, it is not recommended to use the dev-mode Docker instance for production as it is not persistent, meaning any secrets stored will be lost when you stop the container. (You have been warned!!)

At this stage you should be able to browse to the Vault UI and login using the Root Token displayed at the tail end of the installation logs.

Interacting with Vault using Python

To interact with Vault using Python we need to install the Python SDK, hvac. Refer to the instructions here.

To authenticate to our instance of Vault we will use the Root Token from the installation logs. Rather than hard-coding it (since we are talking about secrets managers, after all) we will add the URL and token as environment variables.

# the dev-mode server listens without TLS, so the scheme is http; 0.0.0.0 in the
# logs is the bind address, the client connects to the published port on localhost
export VAULT_URL="http://127.0.0.1:8200"
export VAULT_TOKEN="hvs.t6WQpRPXoBHxYTpL7e1hbF4B"

Next we define a Python class as below:

import hvac
import os


class Hvac:
    """Thin wrapper around the hvac client for a KV version 2 secrets engine."""

    def __init__(self):
        self.url = self._get_url()
        self.token = self._get_token()
        self.client = hvac.Client(url=self.url, token=self.token)

    @staticmethod
    def _get_url():
        return os.getenv(key="VAULT_URL")

    @staticmethod
    def _get_token():
        return os.getenv(key="VAULT_TOKEN")

    # Method to enable a new KV (version 2) secrets engine at the given mount path
    def create_kv_engine(self, engine_name):
        self.client.sys.enable_secrets_engine(
            backend_type="kv",
            path=engine_name,
            options={"version": "2"},
        )

    # Method to create a password entry (writing the same path again creates a new version)
    def create_password(self, engine_name, username, password):
        self.client.secrets.kv.v2.create_or_update_secret(
            mount_point=engine_name,
            path=username,
            secret={"username": username, "password": password},
        )

    # Method to read an existing password; the stored fields sit under
    # response["data"]["data"] and the version under response["data"]["metadata"]
    def read_password(self, engine_name, username):
        return self.client.secrets.kv.v2.read_secret_version(
            mount_point=engine_name,
            path=username,
        )

Next we will initialise an object of the class. This sets up a client for our instance of Vault using the URL and token from the environment.


To create a new KV (key, value) engine, we make a call to the create_kv_engine method defined in our class and pass to it our engine name. Similarly, to create a password entry in the engine we just created, we make a call to the create_password method defined in our class and pass to it our engine name and the username and password pair to be stored. This is shown in the screenshot below:


The result of the last two calls is a new engine and a new key/value pair (username and password) stored in it.


To access the password of an existing secret, we make a call to the read_password method defined in our class and pass to it the engine name and the username for which we are trying to extract the password.
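As an added example (not from the original post), here is the same round trip done directly against the Vault HTTP API with only the standard library, so you can see exactly what hvac does for you: the /v1 path prefix, the X-Vault-Token header, the sys/mounts call that enable_secrets_engine wraps, and the nested data.data shape a KV v2 read returns. It assumes the VAULT_URL and VAULT_TOKEN variables from above; SAMPLE_READ_RESPONSE is a constructed response so the parsing can be exercised without a server.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError

# constructed: the shape Vault returns for GET /v1/<mount>/data/<path> on a KV v2 engine
SAMPLE_READ_RESPONSE = {
    "data": {
        "data": {"username": "alice", "password": "s3cret"},
        "metadata": {"version": 2, "destroyed": False},
    }
}


def build_request(base_url, token, method, api_path, payload=None):
    """Build the raw request hvac sends on our behalf: /v1 prefix, token header, JSON body."""
    body = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/v1/{api_path}", data=body, method=method)
    req.add_header("X-Vault-Token", token)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def extract_password(read_response):
    """KV v2 nests the secret two levels deep (data.data); data.metadata carries the version."""
    data = read_response["data"]
    return data["data"]["password"], data["metadata"]["version"]


def call(req):
    """Send a request; sys/mounts answers 204 with an empty body, everything else returns JSON."""
    with urllib.request.urlopen(req) as resp:
        return {} if resp.status == 204 else json.load(resp)


def store_and_fetch(engine_name, username, password):
    """Enable the engine (idempotently), write one secret and read it back. Needs a live Vault."""
    url, token = os.environ["VAULT_URL"], os.environ["VAULT_TOKEN"]  # KeyError if unset: fail fast
    try:
        call(build_request(url, token, "POST", f"sys/mounts/{engine_name}",
                           {"type": "kv", "options": {"version": "2"}}))
    except HTTPError as err:
        if err.code != 400:  # 400 "path is already in use": the engine exists, carry on
            raise
    call(build_request(url, token, "POST", f"{engine_name}/data/{username}",
                       {"data": {"username": username, "password": password}}))
    return extract_password(call(build_request(url, token, "GET", f"{engine_name}/data/{username}")))
```

With the dev container running and the two variables exported, store_and_fetch("demo", "alice", "s3cret") returns ("s3cret", 1) on the first call and a higher version number on each repeat.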


Outro

The above is an example of using Vault as a secrets engine and interacting with it programmatically. Vault is much more than just a secrets engine for storing usernames and passwords in key/value format, and it is definitely worth looking into its other capabilities.

More articles by Sudarshan V