Vault API Integration
Guide to using Vault's API for secure secrets with Python and Ansible.
Welcome to the Vault API Integration guide. This page will help you securely manage secrets using Vault's API, with practical examples in Python.
Using Vault with Python
This section demonstrates how to interact with HashiCorp Vault using Python. We'll cover authentication, storing secrets, and retrieving secrets securely with the hvac library.
Prerequisites
- Python 3.x installed
- The hvac library (pip install hvac)
- Access to a running Vault server
Authentication
Before interacting with Vault, you need to authenticate and obtain a token. Below is an example of how to authenticate to Vault using the hvac library in Python:
```python
import hvac
import getpass


def authenticate_vault(vault_url, username, password):
    # Create a client instance
    client = hvac.Client(url=vault_url)
    # Authenticate using Userpass
    try:
        # Perform the authentication
        auth_response = client.auth.userpass.login(
            username=username,
            password=password
        )
        # Retrieve the token
        token = auth_response['auth']['client_token']
        # Printed only to make the example visible; do not log tokens in real use
        print(f"Token: {token}")
        return token
    except hvac.exceptions.InvalidRequest as e:
        print("Invalid request:", e)
    except Exception as e:
        print("An error occurred:", e)
    # Authentication failed; callers must check for None
    return None


if __name__ == "__main__":
    # Change to your Vault server URL
    vault_url = 'http://127.0.0.1:8200'
    username = input("Enter your username: ")
    password = getpass.getpass("Enter your password: ")
    # Authenticate and get the token
    token = authenticate_vault(vault_url, username, password)
```
You can now use this token to retrieve or store data in Vault.
Retrieve Secret
Once you have authenticated and obtained a token, you can use it to securely retrieve secrets from Vault. Here is an example using the hvac library in Python:
```python
import hvac
import getpass


def authenticate_vault(vault_url, username, password):
    # Create a client instance
    client = hvac.Client(url=vault_url)
    # Authenticate using Userpass
    try:
        # Perform the authentication
        auth_response = client.auth.userpass.login(
            username=username,
            password=password
        )
        # Retrieve the token
        token = auth_response['auth']['client_token']
        # Printed only to make the example visible; do not log tokens in real use
        print(f"Token: {token}")
        return token
    except hvac.exceptions.InvalidRequest as e:
        print("Invalid request:", e)
    except Exception as e:
        print("An error occurred:", e)
    # Authentication failed; callers must check for None
    return None


def retrieve_secret(vault_url, token, secret_path):
    client = hvac.Client(url=vault_url, token=token)
    try:
        # KV version 2 read; the default mount point is 'secret'
        secret_response = client.secrets.kv.v2.read_secret_version(
            path=secret_path.strip(),
            raise_on_deleted_version=True
        )
        # The secret's key/value pairs sit under data -> data
        return secret_response['data']['data']
    except hvac.exceptions.InvalidPath as e:
        print(f"Secret path not found: {e}")
    except Exception as e:
        print(f"An error occurred while retrieving the secret: {e}")
    return None


if __name__ == "__main__":
    # Change to your Vault server URL
    vault_url = 'http://127.0.0.1:8200'
    username = input("Enter your username: ")
    password = getpass.getpass("Enter your password: ")
    # Authenticate and get the token
    token = authenticate_vault(vault_url, username, password)
    if token is None:
        raise SystemExit("Authentication failed; cannot retrieve secrets")
    # Example: Retrieve a secret
    secret_path = 'my_path'
    secret = retrieve_secret(vault_url, token, secret_path)
    if secret is not None:
        print(f"Secret data: {secret}")
```
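The guide mentions storing secrets but only shows retrieval, and hvac hides what actually goes over the wire. The following is an added example, not code from this guide or from the hvac project, that speaks Vault's HTTP API directly with the standard library: a userpass login, a KV version 2 write, a read, and the refusals a client must handle (a read without a token, a path that does not exist). So that it runs without a Vault server, it ships with a constructed stub that imitates only the endpoints used; the credentials alice/s3cret, the token value, the mount secret and the path app/db are all constructed, and the stub's status codes are an approximation of Vault's that should be checked against a real server.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class VaultClient:  # hypothetical minimal KV v2 client over Vault's HTTP API (not hvac)
    def __init__(self, url):
        self.url = url.rstrip("/")
        self.token = None
        self._opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.url}/v1/{path}", data=data, method=method)
        if self.token:  # the token is the only credential and rides in this header on every call
            req.add_header("X-Vault-Token", self.token)
        with self._opener.open(req, timeout=5) as resp:  # non-2xx raises urllib.error.HTTPError
            return json.loads(resp.read())

    def login_userpass(self, username, password):
        resp = self._request("POST", f"auth/userpass/login/{username}", {"password": password})
        self.token = resp["auth"]["client_token"]
        return self.token

    def write_kv(self, mount, path, data):
        # KV v2 wraps the payload in {"data": ...} and answers with the new version number
        return self._request("POST", f"{mount}/data/{path}", {"data": data})["data"]["version"]

    def read_kv(self, mount, path):
        # The secret itself sits under data.data; data.metadata carries the version
        return self._request("GET", f"{mount}/data/{path}")["data"]["data"]


class _StubVault(BaseHTTPRequestHandler):  # constructed stand-in: just enough of Vault's API to run offline
    USERS = {"alice": "s3cret"}           # constructed credentials
    TOKEN = "hvs.constructed-demo-token"  # constructed token value
    store = {}                            # secret path -> list of versions

    def _send(self, code, body):
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def _body(self):
        return json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))

    def _authorized(self):
        if self.headers.get("X-Vault-Token") == self.TOKEN:
            return True
        self._send(403, {"errors": ["permission denied"]})  # stub's answer to a missing or wrong token
        return False

    def do_POST(self):
        if self.path.startswith("/v1/auth/userpass/login/"):
            if self.USERS.get(self.path.rsplit("/", 1)[1]) == self._body().get("password"):
                return self._send(200, {"auth": {"client_token": self.TOKEN}})
            return self._send(400, {"errors": ["invalid username or password"]})
        if self._authorized():
            versions = self.store.setdefault(self.path[len("/v1/secret/data/"):], [])
            versions.append(self._body()["data"])
            self._send(200, {"data": {"version": len(versions)}})

    def do_GET(self):
        if self._authorized():
            versions = self.store.get(self.path[len("/v1/secret/data/"):])
            if not versions:
                return self._send(404, {"errors": []})  # unknown path: 404 with an empty error list
            self._send(200, {"data": {"data": versions[-1], "metadata": {"version": len(versions)}}})


def status_of(call):  # 200 when the call succeeds, else the HTTP status the server refused with
    try:
        call()
        return 200
    except urllib.error.HTTPError as e:
        return e.code


def demo():
    """Drive the exchange against the stub and return what each step produced."""
    _StubVault.store = {}
    server = HTTPServer(("127.0.0.1", 0), _StubVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    client = VaultClient(f"http://127.0.0.1:{server.server_address[1]}")
    results = {}
    try:
        results["anon_read"] = status_of(lambda: client.read_kv("secret", "app/db"))
        client.login_userpass("alice", "s3cret")
        results["v1"] = client.write_kv("secret", "app/db", {"password": "old-pw"})
        results["v2"] = client.write_kv("secret", "app/db", {"password": "new-pw"})
        results["latest"] = client.read_kv("secret", "app/db")
        results["missing"] = status_of(lambda: client.read_kv("secret", "app/missing"))
    finally:
        server.shutdown()
    return results
```

Call demo() to run the whole exchange; it returns the status of the unauthenticated read, the version numbers of the two writes, the latest value read back, and the status for the unknown path. Two things carry over to hvac-based code: every call after login is authorised solely by the X-Vault-Token header, so the token deserves the same handling as the secrets it unlocks, and a read can fail for reasons a caller must keep apart (no or wrong token versus a path that simply does not exist), which is why the retrieve_secret function above catches InvalidPath separately.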
Using Vault with Other Tools
In addition to Python, you can interact with Vault using a variety of tools such as Ansible and Bash. The following sections provide examples and guidance for integrating Vault into your automation workflows with these tools.
Ansible
For detailed instructions on integrating Vault with Ansible, please refer to the dedicated guide: Ansible.
Bash
You can also interact with Vault using Bash and the official Vault CLI.