Vault.Engine.Generic (libvault v0.2.4)

A generic Vault.Engine adapter. Most of the vault secret engines don't use a wildly different API, and can be handled with a single adapter.

Request Details

By default, read runs a GET request, write does a POST, list does a GET with an appended ?list=true, and delete runs a DELETE. The options below should give you additional flexibility.

Request Options:

  • :method - one of :get, :put, :post, :options, :patch, :head
  • :full_response - if true, returns the full response body on success, rather than just the data key. Defaults to false.
  • :query_params - query params for the request. Defaults to %{} (no params)
  • :body - body to be sent along with the request. Defaults to %{} (no body) on read, or the passed in value on write

Examples

Create a generic vault client:

{:ok, vault} =
  Vault.new(
    host: System.get_env("VAULT_ADDR"),
    auth: Vault.Auth.Token,
    engine: Vault.Engine.Generic,
    http: Vault.HTTP.Tesla
  )
  |> Vault.auth(%{token: "token"})

Read/Write from the cubbyhole secret engine.

{:ok, _} = Vault.write(vault, "cubbyhole/hello", %{"foo" => "bar"})
{:ok, %{"foo" => "bar"}} = Vault.read(vault, "cubbyhole/hello")

Read/Write from the ssh secret engine.

# create a key (`key` is assumed to be bound earlier)
{:ok, _} = Vault.write(vault, "ssh/keys/test", %{key: key})

# create a role for that key
{:ok, _} =
  Vault.write(vault, "ssh/roles/test", %{
    key: "test",
    key_type: "dynamic",
    default_user: "tester",
    admin_user: "admin_tester"
  })

# read a role, and return the full response
{:ok, %{"data" => data}} =
  Vault.read(vault, "ssh-client-signer/roles/test", full_response: true)

Options:

  • :method - one of :get, :put, :post, :options, :patch, :head
  • :full_response - if true, returns the full response body on success, rather than just the data key. Defaults to false.
  • :params - query params for the request. Defaults to %{} (no params)
  • :body - body to be sent along with the request. Defaults to %{} (no body) on read, or the passed in value on write
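
An added example (not libvault's own code) that wraps the calls shown above so the token and secret values stay out of source and crash logs. The `SecretStore` module, its function names and the `VAULT_TOKEN` variable are assumptions; it needs libvault as a dependency and a reachable Vault server.

```elixir
# Added example, not part of libvault. SecretStore and its functions are hypothetical.
defmodule SecretStore do
  # Build and authenticate a client. The token is read from the environment
  # (VAULT_TOKEN is an assumed variable name) instead of a literal in source.
  def connect do
    with {:ok, addr} <- fetch_env("VAULT_ADDR"),
         {:ok, token} <- fetch_env("VAULT_TOKEN") do
      Vault.new(
        host: addr,
        auth: Vault.Auth.Token,
        engine: Vault.Engine.Generic,
        http: Vault.HTTP.Tesla
      )
      |> Vault.auth(%{token: token})
    end
  end

  # Write, then read back. The values are compared with ==, not asserted with a
  # pattern match: a failed `{:ok, %{"foo" => "bar"}} = Vault.read(...)` raises
  # MatchError, and that exception carries the returned secret into crash logs.
  # Use string keys in `value`; the read returns string keys.
  def put_and_verify(vault, path, %{} = value) do
    with {:ok, _} <- Vault.write(vault, path, value),
         {:ok, stored} <- Vault.read(vault, path) do
      if stored == value, do: :ok, else: {:error, [:readback_mismatch]}
    end
  end

  # Read with full_response: true and return only fields that are safe to log.
  # "lease_duration" is a field of Vault's HTTP response body; this page itself
  # only shows the "data" key.
  def read_metadata(vault, path) do
    with {:ok, %{"data" => data} = resp} <- Vault.read(vault, path, full_response: true) do
      {:ok, %{keys: Map.keys(data), lease_duration: resp["lease_duration"]}}
    end
  end

  # Errors are returned as a list, matching the errors() type on this page.
  defp fetch_env(name) do
    case System.get_env(name) do
      nil -> {:error, [{:missing_env, name}]}
      value -> {:ok, value}
    end
  end
end
```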

Summary

Functions

list(vault, path, options \\ [])
Lists secrets at a path. Defaults to a GET request against the provided path, with a query param of ?list=true.

read(vault, path, options \\ [])
Gets a value from vault. Defaults to a GET request against the current path. See option details above for full configuration.

write(vault, path, value, options \\ [])
Puts a value in vault. Defaults to a POST request against the provided path. See options details above for full configuration.

Types

@type errors() :: list()
@type options() :: Keyword.t()
@type path() :: String.t()
@type token() :: String.t()
@type value() :: map()
@type vault() :: Vault.t()

Functions

list(vault, path, options \\ [])

Lists secrets at a path. Defaults to a GET request against the provided path, with a query param of ?list=true.

See options details above for full configuration.

Examples

{:ok, %{
    "keys" => ["foo", "foo/"]
  }
} = Vault.Engine.Generic.list(vault, "path/to/list/")

With the full response:

{:ok, %{
    "data" => %{
      "keys" => ["foo", "foo/"]
    }
  }
} = Vault.Engine.Generic.list(vault, "path/to/list/", [full_response: true])
read(vault, path, options \\ [])

Gets a value from vault. Defaults to a GET request against the current path. See option details above for full configuration.

write(vault, path, value, options \\ [])

Puts a value in vault. Defaults to a POST request against the provided path. See options details above for full configuration.