vaultex v1.0.1 Vaultex.Client View Source
Provides a functionality to authenticate and read from a vault endpoint.
Link to this section Summary
Functions
Authenticates with vault using a tuple. This can be executed before attempting to read secrets from vault.
Returns a specification to start this module under a supervisor.
Deletes a secret in Vault given a path.
Callback implementation for GenServer.init/1
.
Reads a secret from vault given a path.
Reads a dynamic secret from vault given a path and returns the secret along with lease information.
Renews a lease for a dynamic secret
Writes a secret to Vault given a path.
Link to this section Functions
Specs
auth( method :: :approle, credentials :: {role_id :: String.t(), secret_id :: String.t()}, timeout :: String.t() | nil ) :: {:ok | :error, any()}
auth( method :: :app_id, credentials :: {app_id :: String.t(), user_id :: String.t()}, timeout :: String.t() | nil ) :: {:ok | :error, any()}
auth( method :: :userpass, credentials :: {username :: String.t(), password :: String.t()}, timeout :: String.t() | nil ) :: {:ok | :error, any()}
auth( method :: :github, credentials :: {github_token :: String.t()}, timeout :: String.t() | nil ) :: {:ok | :error, any()}
auth( method :: :token, credentials :: {token :: String.t()}, timeout :: String.t() | nil ) :: {:ok, :authenticated}
Authenticates with vault using a tuple. This can be executed before attempting to read secrets from vault.
Parameters
- method: Auth backend to use for authenticating, can be one of
:approle, :app_id, :userpass, :github, :token
- credentials: A tuple or map used for authentication depending on the method,
{role_id, secret_id}
for:approle
,{app_id, user_id}
for:app_id
,{username, password}
for:userpass
,{github_token}
for:github
,{token}
for:token
, or json-encodable map for unhandled methods, i.e.%{jwt: "jwt", role: "role"}
for:kubernetes
- timeout: A integer greater than zero which specifies how many milliseconds to wait for a reply
Examples
iex> Vaultex.Client.auth(:approle, {role_id, secret_id}, 5000)
{:ok, :authenticated}
iex> Vaultex.Client.auth(:app_id, {app_id, user_id})
{:ok, :authenticated}
iex> Vaultex.Client.auth(:userpass, {username, password})
{:error, ["Something didn't work"]}
iex> Vaultex.Client.auth(:github, {github_token})
{:ok, :authenticated}
iex> Vaultex.Client.auth(:jwt, %{jwt: jwt, role: role})
{:ok, :authenticated}
Returns a specification to start this module under a supervisor.
See Supervisor
.
Deletes a secret in Vault given a path.
Parameters
- key: A String path where the secret will be deleted.
- auth_method and credentials: See Vaultex.Client.auth
- timeout: A integer greater than zero which specifies how many milliseconds to wait for a reply
Examples
iex> Vaultex.Client.delete("secret/foo", :app_role, {role_id, secret_id}, 5000)
:ok
iex> Vaultex.Client.delete("secret/foo", :app_id, {app_id, user_id})
:ok
Callback implementation for GenServer.init/1
.
Reads a secret from vault given a path.
Parameters
- key: A String path to be used for querying vault.
- auth_method and credentials: See Vaultex.Client.auth
- timeout: A integer greater than zero which specifies how many milliseconds to wait for a reply
Examples
iex> Vaultex.Client.read("secret/foobar", :approle, {role_id, secret_id}, 5000)
{:ok, %{"value" => "bar"}}
iex> Vaultex.Client.read("secret/foo", :app_id, {app_id, user_id})
{:ok, %{"value" => "bar"}}
iex> Vaultex.Client.read("secret/baz", :userpass, {username, password})
{:error, ["Key not found"]}
iex> Vaultex.Client.read("secret/bar", :github, {github_token})
{:ok, %{"value" => "bar"}}
iex> Vaultex.Client.read("secret/bar", :plugin_defined_auth, credentials)
{:ok, %{"value" => "bar"}}
Reads a dynamic secret from vault given a path and returns the secret along with lease information.
Parameters
- key: A String path to be used for querying vault.
- auth_method and credentials: See Vaultex.Client.auth
- timeout: A integer greater than zero which specifies how many milliseconds to wait for a reply
Examples
iex> Vaultex.Client.read_dynamic("secret/dynamic/foobar", :approle, {role_id, secret_id}, 5000)
{:ok, %{"data" => %{"value" => "bar"}, "lease_duration" => 60, "lease_id" => "secret/dynamic/foo/b4z", "renewable" => true}}
iex> Vaultex.Client.read_dynamic("secret/dynamic/foo", :app_id, {app_id, user_id})
{:ok, %{"data" => %{"value" => "bar"}, "lease_duration" => 60, "lease_id" => "secret/dynamic/foo/b4z", "renewable" => true}}
iex> Vaultex.Client.read_dynamic("secret/dynamic/baz", :userpass, {username, password})
{:error, ["Key not found"]}
iex> Vaultex.Client.read_dynamic("secret/dynamic/bar", :github, {github_token})
{:ok, %{"data" => %{"value" => "bar"}, "lease_duration" => 60, "lease_id" => "secret/dynamic/foo/b4z", "renewable" => true}}
iex> Vaultex.Client.read_dynamic("secret/dynamic/bar", :plugin_defined_auth, credentials)
{:ok, %{"data" => %{"value" => "bar"}, "lease_duration" => 60, "lease_id" => "secret/dynamic/foo/b4z", "renewable" => true}}
renew_lease(lease_id, increment, auth_method, credentials, timeout \\ 5000)
View SourceRenews a lease for a dynamic secret
Parameters
- lease_id: A String that is the lease ID returned when reading a dynamic secret
- increment: An Integer that represents the time in seconds to extend the lease by
- auth_method and credentials: See Vaultex.Client.auth
- timeout: A integer greater than zero which specifies how many milliseconds to wait for a reply
Examples
iex> Vaultex.Client.renew_lease("secret/dynamic/foo/b4z", 100, :app_role, {role_id, secret_id}, 5000)
{:ok, %{"lease_id" => "secret/dynamic/foo/b4z", "lease_duration" => 160, "renewable" => true}}
Writes a secret to Vault given a path.
Parameters
- key: A String path where the secret will be written.
- value: A String => String map that will be stored in Vault
- auth_method and credentials: See Vaultex.Client.auth
- timeout: A integer greater than zero which specifies how many milliseconds to wait for a reply
Examples
iex> Vaultex.Client.write("secret/foo", %{"value" => "bar"}, :app_role, {role_id, secret_id}, 5000)
:ok
iex> Vaultex.Client.write("secret/foo", %{"value" => "bar"}, :app_id, {app_id, user_id})
:ok