{ "info": { "author": "Eugene Davis", "author_email": "eugene.davis@tomtom.com", "bugtrack_url": null, "classifiers": [ "Environment :: Console", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Natural Language :: English", "Operating System :: OS Independent", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7" ], "description": "# VaultAnyconfig\n\n[![Azure DevOps builds](https://img.shields.io/azure-devops/build/tomtomweb/GitHub-TomTom-International/13/master.svg)](https://dev.azure.com/tomtomweb/GitHub-TomTom-International/_build/latest?definitionId=13&branchName=master)\n[![Azure DevOps tests](https://img.shields.io/azure-devops/tests/tomtomweb/GitHub-TomTom-International/13/master.svg)](https://dev.azure.com/tomtomweb/GitHub-TomTom-International/_build/latest?definitionId=13&branchName=master)\n[![Azure DevOps coverage](https://img.shields.io/azure-devops/coverage/tomtomweb/GitHub-TomTom-International/13/master.svg)](https://dev.azure.com/tomtomweb/GitHub-TomTom-International/_build/latest?definitionId=13&branchName=master)\n\n[![PyPI - Version](https://img.shields.io/pypi/v/vault-anyconfig.svg)](https://pypi.org/project/vault-anyconfig/)\n[![PyPI - License](https://img.shields.io/pypi/l/vault-anyconfig.svg)](https://pypi.org/project/vault-anyconfig/)\n[![PyPI - Python Versions](https://img.shields.io/pypi/pyversions/vault-anyconfig.svg)](https://pypi.org/project/vault-anyconfig/)\n[![PyPI - Format](https://img.shields.io/pypi/format/vault-anyconfig.svg)](https://pypi.org/project/vault-anyconfig/)\n[![PyPI - Status](https://img.shields.io/pypi/status/vault-anyconfig.svg)](https://pypi.org/project/vault-anyconfig/)\n[![PyUp - Updates](https://pyup.io/repos/github/tomtom-international/vault-anyconfig/shield.svg)](https://pyup.io/repos/github/tomtom-international/vault-anyconfig/)\n\nExtends the [HVAC Hashicorp Vault Client](https://github.com/hvac/hvac) with the load and dump functionality from\n[anyconfig](https://github.com/ssato/python-anyconfig). This allows automatic mixing in of secrets from Vault, allowing you to store a configuration\nfile with all details populated save for secrets, and then access Hashicorp Vault to load the secrets into the in-memory dictionary.\n\n## Supported Secret Engines\n\nCurrently vault-anyconfig **only** supports version 1 and 2 of the key value store.\n\n### kv2 Limitations\n\n* vault-anyconfig **only** will read the latest version of a secret to maintain simplicity in the configuration file\n* you must add `data` after the mountpoint for a kv2 secret, e.g. `secret/data/example-secret` due to limitations in the HVAC client\n\n## Files and Formatting\n\nThere are three configuration files (which can also be provided as strings), which can be stored in one, two or three files total as long as they are correctly written.\n\nExamples in this section will be in JSON, but any file format supported by anyconfig can be used.\n\n### Vault Configuration\n\nThis configures the connection to the Vault, and must contain at least one member (usually the url parameter). If this section is not provided or is\nleft empty, then the Vault instance will **not** be configured, and instead only the anyconfig functionality will be used.\n\nThe section must be named `vault_config`, and can contain any of the parameters valid for initializing an [HVAC client](https://github.com/hvac/hvac/blob/master/hvac/v1/__init__.py).\n\n#### Example\n\n```json\n{\n \"vault_config\": {\n \"url\": \"https://vault.acme.com:8200\"\n }\n}\n```\n\n### Vault Authentication\n\nThis provides authentication for use with the `auto_auth` method, and must be named `vault_creds`. It should contain a member named `auth_method`\nwhich should correspond with one of the auth method from [the HVAC Client](https://hvac.readthedocs.io/en/latest/usage/auth_methods/index.html) (without the \"`auth_`\" prefix), e.g. `approle`. The remaining members\nshould match the parameters for the specified auth method.\n\n#### Example\n\n```json\n{\n \"vault_creds\": {\n \"role_id\": \"sample-role-id\",\n \"secret_id\": \"sample-secret-id\",\n \"auth_method\": \"approle\"\n }\n}\n```\n\n### Main Configuration\n\nThe main configuration should consist of the configuration sections you need **without** the secrets included (unless passthrough mode is desired)\nand a section named `vault_secrets`. In the `vault_secrets` section, the keys are dot separated paths for the keys to insert into your configuration,\nand the values are the path to the secret in Vault. Please see the `vault_secrets` usage section for the different ways to specify secrets.\n\nAdditionaly, a `vault_files` section is included to retrieve files from Vault and write them to disk. This is discouraged (minimizing the time that\nsecrets are persisted should be prefered), but included for use with legacy applications which require a file path for secrets (e.g. TLS certificates).\n\n#### Raw Config Example\n\n```json\n{\n \"website\": {\n \"host\": \"http://acme.com\",\n \"site-name\": \"Great Products for Coyotes\",\n \"tls-key\": \"/etc/web/acme.com.key\",\n \"tls-cert\": \"/etc/web/acme.com.crt\"\n },\n \"vault_secrets\": {\n \"website.db_user\": \"secret/mysql/customer.user\",\n \"website.db_pwd\": \"secret/mysql/customer.password\"\n },\n \"vault_files\": {\n \"website.tls-key\": \"secret/website/proxy.key\",\n \"website.tls-cert\": \"secret/website/proxy.cert\"\n }\n}\n```\n\n##### Resulting Dictionary Example:\n\n```json\n{\n \"website\": {\n \"host\": \"http://acme.com\",\n \"site-name\": \"great products\",\n \"tls-key\": \"/var/acme/acme.com.key\",\n \"tls-cert\": \"/var/acme/acme.com.crt\",\n \"db_user\": \"customer\",\n \"db_pwd\": \"customer-password\"\n },\n \"vault_files\": {\n \"website.tls-key\": \"secret/website/proxy.key\",\n \"website.tls-cert\": \"secret/website/proxy.cert\"\n }\n}\n````\n\n##### vault_secrets Usage\n\nA `vault_secrets` entry must have a `config key` and a `secret path`. The `config_key` is a dot separated path to the configuration item that should\nbe added or updated. The `secret_path` is the path where the secret resides in Vault. As an example:\n\n```json\n{\n \"website\": {},\n \"vault_secrets\": {\n \"website.db_user\": \"secret/mysql/customer\"\n } \n}\n```\n\nIn `vault_secrets`, `website.db_user` is the `config_key` and `secret/mysql/customer` is the `secret_path`. The key used on the `secret_path` in Vault\nwill be `db_user`.\n\nBy default, the final portional of the `config key` will be used as the key to the secret within Vault. However, it is possible to add a unique key\nwith a dot separator on the `secret_path`. By way of example:\n\n```json\n{\n \"website\": {},\n \"vault_secrets\": {\n \"website.db_user\": \"secret/mysql/customer.user\"\n } \n}\n```\nThis example takes the value named `user` from the `mysql/customer` secret and maps it onto the the `db_user` key of the `website` portion.\nThis enables drawing from the same secret across different configurations without forcing all of the `config_key` names to be the same. For example,\nif a cron job also required the `user` value from `mysql/customer.user` but its configuration named it `user`, you might end up with a configuration\nfile that looks like:\n\n```json\n{\n \"website\": {},\n \"vault_secrets\": {\n \"mailer_cron.user\": \"secret/mysql/customer.user\"\n } \n}\n```\n\n**Key-Value Store V2 Limitation**: You must include `data` after the mountpoint, for example, `secret/mysql/customer` should be\n`secret/data/mysql/customer` when using V2.\n\n##### vault_files Usage\n\n**Note** Where ever possible, prefer to handle secrets as strings and use them only in memory. Only use this mode when configuring for applications\nthat require the secret to be provided as a file (a common requirement for a TLS keyfile).\n\n**Note** Unlike `vault_secrets` the `vault_files` section is retained in the dictionary returned by vault_anyconfig, in order to retain the mapping\nwhen writing the final configuration to file (e.g. in the CLI).\n\n**Warning!** The `vault_files` functionality expects that it is being run as the user of the application, and must have appropriate permissions to\nthe files and location where files are to be stored.\n\n**Warning!** `vault_files` will happily overwrite your files, and mantains no backups.\n\n**Warning!** If the file location changes, it will not be deleted! Use responsibly.\n\nThere are two major ways to use the `vault_files` section. The first is to specify a file location directly, and the secret as the path.\nFor example:\n\n```json\n{\n \"vault_files\": {\n \"/var/acme/acme.com.crt\": \"secret/website/proxy.key\"\n }\n}\n```\n\nThe second method is to reference a key in the configuration. This avoids duplication of the file path in multiple parts of the configuration.\n\n```json\n{\n \"website\": {\n \"tls-key\": \"/etc/web/acme.com.key\",\n \"tls-cert\": \"/etc/web/acme.com.crt\",\n },\n \"vault_files\": {\n \"website.tls-key\": \"secret/website/proxy.key\",\n \"website.tls-cert\": \"secret/website/proxy.cert\"\n }\n}\n```\n\nBy default, `secret_path` uses `file` as the key within the Vault secret. However, the `secret_path` can use the same dot notation used in `vault_secrets` to specify the key, e.g. `secret/acme/secret-key.key`\n\n**Warning!** The `secret_path` string can only use a dot (`.`) if separating the path from the key. Extra dots will cause vault_anyconfig to throw an\nerror.\n\n**Key-Value Store V2 Limitation**: You must include `data` after the mountpoint, for example, `secret/website/proxy` should be\n`secret/data/website/proxy` when using V2.\n\n\n### Guidance for Configuration Files\n\nAlthough all three files can be combined into a single file, it is recommend that you separate out the `vault_creds` and `vault_config` sections into\ntheir own file(s) and use restrictive permissions on them, e.g. `400`, since the secrets required to access Vault must be present in these files.\n\n## Usage\n\n### Initialization\n\nVaultAnyconfig can be initalized in three ways (for two different modes):\n\n1. From a vault configuration file (see files and formatting)\n2. By specifying the parameters used in initializing an [HVAC client](https://github.com/hvac/hvac/blob/master/hvac/v1/__init__.py).\n3. By providing no parameters (or a configuration file with an empty `vault_config` section) in which case it is in passthrough mode, where secrets are **not** loaded from Vault.\n\n### Authentication With Vault\n\nYou can use `auto_auth` by providing a file as explained in the files and formatting section, or you can directly use the auth methods from\n[the HVAC Client](https://hvac.readthedocs.io/en/latest/usage/auth_methods/index.html). If passthrough mode is set, `auto_auth` will always return\ntrue, but the HVAC client methods will fail, so it is recommended to use `auto_auth` where possible.\n\n#### Loading/Saving Files with Keys Inserted\n\nSimply call the `load`, `loads`, `dump` or `dumps` methods as need. Invocation is the same as for directly calling the [anyconfig methods](https://python-anyconfig.readthedocs.io/en/latest/api/anyconfig.api.html#anyconfig.api.load).\n\n\n# Changelog\n\n## 0.0.1-dev (2019-04-05)\n\n* First release on PyPI.", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/tomtom-international/vault-anyconfig", "keywords": "vault_anyconfig", "license": "Apache Software License 2.0", "maintainer": "", "maintainer_email": "", "name": "vault-anyconfig", "package_url": "https://pypi.org/project/vault-anyconfig/", "platform": "", "project_url": "https://pypi.org/project/vault-anyconfig/", "project_urls": { "Homepage": "https://github.com/tomtom-international/vault-anyconfig" }, "release_url": "https://pypi.org/project/vault-anyconfig/0.3.1/", "requires_dist": null, "requires_python": "", "summary": "Describe in a short sentence your Python package.", "version": "0.3.1" }, "last_serial": 5703522, "releases": { "0.0.1": [ { "comment_text": "", "digests": { "md5": "a3bdb96225f1605f65772e1cc6024693", "sha256": "ab66c3ac76d99f6b375a2e54748d265565843a4b7c97e25ce5d73cf381e15ead" }, "downloads": -1, "filename": "vault-anyconfig-0.0.1.tar.gz", "has_sig": false, "md5_digest": "a3bdb96225f1605f65772e1cc6024693", "packagetype": "sdist", "python_version": "source", "requires_python": ">3.5", "size": 8075, "upload_time": "2019-03-29T13:43:40", "url": "https://files.pythonhosted.org/packages/44/e4/c9fd353b2d400e24f28cbb594e3c9f96d10fde5b6400f2b873dc5bf493d1/vault-anyconfig-0.0.1.tar.gz" } ], "0.0.2": [ { "comment_text": "", "digests": { "md5": "7922ed9641f1e1e2b1acd02a73ab20ec", "sha256": "f5eb8f06ba9b11d1f14d8958768861762a2a64a4a0b0e607f3c6fb4d279d50f2" }, "downloads": -1, "filename": "vault-anyconfig-0.0.2.tar.gz", "has_sig": false, "md5_digest": "7922ed9641f1e1e2b1acd02a73ab20ec", "packagetype": "sdist", "python_version": "source", "requires_python": ">3.5", "size": 8015, "upload_time": "2019-03-29T13:57:28", "url": "https://files.pythonhosted.org/packages/6b/8d/26fcba7e0bfdfae9862bf188129b50711a5a10f67ac13502b93d6ce3a689/vault-anyconfig-0.0.2.tar.gz" } ], "0.0.3": [ { "comment_text": "", "digests": { "md5": "1ac66404548b5d1fe82a2e3b14d869d8", "sha256": "7074ac78ffd04fe1e37889a7167c9faab25bdea9ccfa8b9afefe2b7f16651c37" }, "downloads": -1, "filename": "vault-anyconfig-0.0.3.tar.gz", "has_sig": false, "md5_digest": "1ac66404548b5d1fe82a2e3b14d869d8", "packagetype": "sdist", "python_version": "source", "requires_python": ">3.5", "size": 8011, "upload_time": "2019-04-01T11:13:41", "url": "https://files.pythonhosted.org/packages/fd/bd/8b9c4883863ab54ef1d67ffee1cdc90177c9dab4820b6625510488436195/vault-anyconfig-0.0.3.tar.gz" } ], "0.1.0": [ { "comment_text": "", "digests": { "md5": "eba0f7a4be230fd02c93fef4de4cd6ae", "sha256": "746484465af5fb8cb9087c364557d938aff05121e133a16b158145089794ba2f" }, "downloads": -1, "filename": "vault-anyconfig-0.1.0.tar.gz", "has_sig": false, "md5_digest": "eba0f7a4be230fd02c93fef4de4cd6ae", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 23064, "upload_time": "2019-04-18T10:42:50", "url": "https://files.pythonhosted.org/packages/39/f2/2902512c1bebf717a40c26eb9277857ac38c80de3efb5a808d812c9be6ec/vault-anyconfig-0.1.0.tar.gz" } ], "0.2.0": [ { "comment_text": "", "digests": { "md5": "e2bf2badf84f049b6dcd068f173305af", "sha256": "af4a5cc93702043d65f5c06dd3fc80ba7af3378a7b7664fa545e1f602b46cb17" }, "downloads": -1, "filename": "vault-anyconfig-0.2.0.tar.gz", "has_sig": false, "md5_digest": "e2bf2badf84f049b6dcd068f173305af", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 23498, "upload_time": "2019-04-30T09:34:41", "url": "https://files.pythonhosted.org/packages/d4/af/5ab4162a422fb093ce6aca65bc6ed26ea3be37feddfa68cd9b8dc72cd7eb/vault-anyconfig-0.2.0.tar.gz" } ], "0.2.1": [ { "comment_text": "", "digests": { "md5": "c7eaebed523ec5cf163cae5c9c9c4f82", "sha256": "48d7760738052cd522e902956633bcc2505defb2ff8e35a5d1ab746ed8d72278" }, "downloads": -1, "filename": "vault-anyconfig-0.2.1.tar.gz", "has_sig": false, "md5_digest": "c7eaebed523ec5cf163cae5c9c9c4f82", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 24978, "upload_time": "2019-05-20T12:38:19", "url": "https://files.pythonhosted.org/packages/e9/9c/a09b9e1904eab114f8f96a59a387fd70a9ddec415881f45f2332b59f9b28/vault-anyconfig-0.2.1.tar.gz" } ], "0.2.2": [ { "comment_text": "", "digests": { "md5": "846119ed68a5ef32fa2874227eccd3ce", "sha256": "549dab5d372a9ac933c0b01a7e4cb02df040a2bc23fba635f099792165ab0855" }, "downloads": -1, "filename": "vault-anyconfig-0.2.2.tar.gz", "has_sig": false, "md5_digest": "846119ed68a5ef32fa2874227eccd3ce", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 25111, "upload_time": "2019-05-29T14:10:24", "url": "https://files.pythonhosted.org/packages/3c/66/ecc685578db8e8d623730de50ddf6a8604498d34b497e2ab595a2966febe/vault-anyconfig-0.2.2.tar.gz" } ], "0.3.0": [ { "comment_text": "", "digests": { "md5": "4310cac2554cb6c052c9d2c23bd5db19", "sha256": "87faea6c5fb2a002f20a333066bfa78e6cf2991f126a6dc4972e65b46090e82c" }, "downloads": -1, "filename": "vault-anyconfig-0.3.0.tar.gz", "has_sig": false, "md5_digest": "4310cac2554cb6c052c9d2c23bd5db19", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 25974, "upload_time": "2019-08-20T09:16:15", "url": "https://files.pythonhosted.org/packages/92/1f/9f27522ceb4f6fcf96f15fe921d18f0bef0e66dcab655eb15e94be146d88/vault-anyconfig-0.3.0.tar.gz" } ], "0.3.1": [ { "comment_text": "", "digests": { "md5": "17b003cf389a5c1b49da5958a2fa6936", "sha256": "bd98b86195288dfe3fc07490e5ff44c0ab0206957ebfd8c554fd38807651019d" }, "downloads": -1, "filename": "vault-anyconfig-0.3.1.tar.gz", "has_sig": false, "md5_digest": "17b003cf389a5c1b49da5958a2fa6936", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 26568, "upload_time": "2019-08-20T14:07:28", "url": "https://files.pythonhosted.org/packages/e9/77/d318276cc16989d60f58e8166ea6c142833863e8f53e1d570721117f469b/vault-anyconfig-0.3.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "17b003cf389a5c1b49da5958a2fa6936", "sha256": "bd98b86195288dfe3fc07490e5ff44c0ab0206957ebfd8c554fd38807651019d" }, "downloads": -1, "filename": "vault-anyconfig-0.3.1.tar.gz", "has_sig": false, "md5_digest": "17b003cf389a5c1b49da5958a2fa6936", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 26568, "upload_time": "2019-08-20T14:07:28", "url": "https://files.pythonhosted.org/packages/e9/77/d318276cc16989d60f58e8166ea6c142833863e8f53e1d570721117f469b/vault-anyconfig-0.3.1.tar.gz" } ] }