Python3 using HVAC with “approle” authentication to pull secret from Hashivault #748

CTinMich · 2021-07-29T22:11:18Z

CTinMich
Jul 29, 2021

Need some help please!!!

I have working code to pull a secret out of Hashi using the Management token, but... I need to switch this around to use the "approle" type authentication and do not understand the authentication differences.

My original code used something like this:

def vault(KEY):
VAULT_SERVER = "https://myserver.nowhere.com:8243"
TOKEN = "s.xxxxxxxxxxxxxxxxxxxxxxxx"
PATH = "/secret/vault/200245/mbop200245/nonprod/testautomation/dev"
CLIENT = hvac.Client(url=VAULT_SERVER, token=TOKEN)
VAULT = CLIENT.read(path=PATH)
SECRETS = VAULT['data']
ID_PASSWORD = SECRETS[KEY]
return ID_PASSWORD

Anyone have any code examples of using hvac with "approle"? I know how to do this in API (using Insomnia) but struggling with what hvac expects... and where...

Thanks!!!

Answered by Tylerlhess

Jul 29, 2021

First off I recommend doing a

CLIENT.is_authenticated()

just to make sure that your token is working.
Second all the approle stuff I have seen you have the role-id and use that to request the secret-id (if you don't have it and have secret_bound_cidr on the role) then authenticate with role-id, secret-id

Mostly from the docs....

import hvac
client = hvac.Client()

resp = client.auth.approle.generate_secret_id(
role_name='some-role',
cidr_list=['127.0.0.1/32'],
)

secret_id = resp["body"]["secret_id"]

client.auth.approle.login(
role_id='<some_role_id>',
secret_id='<some_secret_id>',
)

View full answer

Tylerlhess · 2021-07-29T22:28:27Z

Tylerlhess
Jul 29, 2021

First off I recommend doing a

CLIENT.is_authenticated()

just to make sure that your token is working.
Second all the approle stuff I have seen you have the role-id and use that to request the secret-id (if you don't have it and have secret_bound_cidr on the role) then authenticate with role-id, secret-id

Mostly from the docs....

import hvac
client = hvac.Client()

resp = client.auth.approle.generate_secret_id(
role_name='some-role',
cidr_list=['127.0.0.1/32'],
)

secret_id = resp["body"]["secret_id"]

client.auth.approle.login(
role_id='<some_role_id>',
secret_id='<some_secret_id>',
)

2 replies

CTinMich Jul 30, 2021
Author

Hello Tyler,

Thank you so much for taking the time to reply!!! I am very new to programming and the Docs with out full example are difficult for me to understand (for now). I guess my biggest confusion is on the difference of the "hvac.Client" command... When using just the management token I toss it the url and token. The "client.auth.approle.login" does not seem to use the "url=" (?) so I am trying to understand what is needed to define the url for it to use to connect when trying to use the approle option.

CTinMich Jul 30, 2021
Author

Actually got it to work...

def vault_with_approle(KEY):
print('Not working yet..."')
VAULT_SERVER = "https://myserver.nowhere.com:8243"
PATH = "/secret/vault/200245/mbop200245/nonprod/testautomation/dev"
CLIENT = hvac.Client(url=VAULT_SERVER) #, verify=False)
CLIENT.auth.approle.login(
role_id='xxxxxxxxxxxxxxxxxxxxxxx',
secret_id='xxxxxxxxxxxxxxxxx'
)
VAULT = CLIENT.read(path=PATH)
SECRETS = VAULT['data']
ID_PASSWORD = SECRETS[KEY]
return ID_PASSWORD

Console Out:

app_id_test: 3xxxxxxxxxxxxxxxxx

Process finished with exit code 0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Python3 using HVAC with “approle” authentication to pull secret from Hashivault #748

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Python3 using HVAC with “approle” authentication to pull secret from Hashivault #748

CTinMich Jul 29, 2021

Replies: 1 comment · 2 replies

Tylerlhess Jul 29, 2021

CTinMich Jul 30, 2021 Author

CTinMich Jul 30, 2021 Author

CTinMich
Jul 29, 2021

Replies: 1 comment 2 replies

Tylerlhess
Jul 29, 2021

CTinMich Jul 30, 2021
Author

CTinMich Jul 30, 2021
Author