new_method=api.auth_methods.Aws.read_role,
)
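def get_ec2_role(self, role, mount_point='aws-ec2'):
    """GET /auth/<mount_point>/role/<role>

    Read the configuration of a single role on the AWS EC2 auth backend and
    return the parsed JSON body of the response.

    The role name is percent-encoded before it is placed in the request
    path, so characters such as ``/``, ``?`` or ``#`` in a caller-supplied
    name cannot alter the requested path or smuggle query parameters into
    the request. Ordinary role names contain none of these characters and
    are sent unchanged. ``mount_point`` is interpolated as-is because a
    mount may legitimately be a nested path containing ``/``.

    :param role: Name of the role to read.
    :type role: str
    :param mount_point: The "path" the AWS auth backend was mounted on.
    :type mount_point: str
    :return: The parsed JSON body of the response (``.json()`` of the
        adapter's response object).
    :rtype: dict
    """
    # Local import: this module's top-of-file import block is outside this
    # block's view, so the dependency is brought into scope here.
    from urllib.parse import quote

    # safe='' so that '/' inside the role name is encoded too; the role is
    # a single path segment.
    api_path = '/v1/auth/{0}/role/{1}'.format(mount_point, quote(role, safe=''))
    return self._adapter.get(api_path).json()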
new_method=api.auth_methods.Aws.create_role_tags,
)
def create_ec2_role_tag(self, role, policies=None, max_ttl=None, instance_id=None,
disallow_reauthentication=False, allow_instance_migration=False, mount_point='aws-ec2'):
"""POST /auth//role//tag
:param role:
:type role:
:param policies:
:type policies:
:param max_ttl:
:type max_ttl:
:param instance_id:
:type instance_id:
:param disallow_reauthentication:
:type disallow_reauthentication:
:param allow_instance_migration:
new_method=api.auth_methods.Aws.list_certificate_configurations,
)
def list_vault_ec2_certificate_configurations(self, mount_point='aws-ec2'):
    """GET /auth/<mount_point>/config/certificates?list=true

    List the AWS public certificate configurations registered on the AWS
    EC2 auth backend. The ``list=true`` query parameter is passed via the
    adapter's ``params`` rather than embedded in the path.

    ``mount_point`` is placed in the request path without escaping, so it
    must already be a well-formed mount path.

    :param mount_point: The "path" the AWS auth backend was mounted on.
    :type mount_point: str
    :return: The parsed JSON body of the response (``.json()`` of the
        adapter's response object).
    :rtype: dict
    """
    api_path = '/v1/auth/{mount}/config/certificates'.format(mount=mount_point)
    list_query = {'list': True}
    response = self._adapter.get(api_path, params=list_query)
    return response.json()
new_method=api.auth_methods.Aws.configure,
)
def create_vault_ec2_client_configuration(self, access_key, secret_key, endpoint=None, mount_point='aws-ec2'):
"""POST /auth//config/client
Configure the credentials required to perform API calls to AWS as well as custom endpoints to talk to AWS APIs.
The instance identity document fetched from the PKCS#7 signature will provide the EC2 instance ID. The
credentials configured using this endpoint will be used to query the status of the instances via
DescribeInstances API. If static credentials are not provided using this endpoint, then the credentials will be
retrieved from the environment variables AWS_ACCESS_KEY, AWS_SECRET_KEY and AWS_REGION respectively. If the
credentials are still not found and if the method is configured on an EC2 instance with metadata querying
capabilities, the credentials are fetched automatically
:param access_key: AWS Access key with permissions to query AWS APIs. The permissions required depend on the
specific configurations. If using the iam auth method without inferencing, then no credentials are
necessary. If using the ec2 auth method or using the iam auth method with inferencing, then these
credentials need access to ec2:DescribeInstances. If additionally a bound_iam_role is specified, then these
new_method=api.auth_methods.Aws.delete_config,
)
def delete_vault_ec2_client_configuration(self, mount_point='aws-ec2'):
    """DELETE /auth/<mount_point>/config/client

    Remove the AWS client credentials configured on the AWS EC2 auth
    backend. Unlike the read/list helpers in this module, the raw adapter
    response is returned rather than its ``.json()`` body.

    ``mount_point`` is placed in the request path without escaping.

    :param mount_point: The "path" the AWS auth backend was mounted on.
    :type mount_point: str
    :return: The adapter's response object for the DELETE request.
    :rtype: requests.Response
    """
    api_path = '/v1/auth/{mount}/config/client'.format(mount=mount_point)
    delete_response = self._adapter.delete(api_path)
    return delete_response
new_method=api.auth_methods.Aws.read_config,
)
def get_vault_ec2_client_configuration(self, mount_point='aws-ec2'):
    """GET /auth/<mount_point>/config/client

    Read the AWS client configuration (credentials/endpoint settings) of
    the AWS EC2 auth backend. NOTE(review): this endpoint describes the
    backend's AWS credential configuration; treat the returned body as
    sensitive and avoid logging it wholesale -- which fields Vault echoes
    back is not visible from this wrapper.

    ``mount_point`` is placed in the request path without escaping.

    :param mount_point: The "path" the AWS auth backend was mounted on.
    :type mount_point: str
    :return: The parsed JSON body of the response (``.json()`` of the
        adapter's response object).
    :rtype: dict
    """
    api_path = '/v1/auth/{mount}/config/client'.format(mount=mount_point)
    response = self._adapter.get(api_path)
    return response.json()
new_method=api.auth_methods.Aws.iam_login,
)
def auth_aws_iam(self, access_key, secret_key, session_token=None, header_value=None, mount_point='aws', role='', use_token=True, region='us-east-1'):
"""POST /auth//login
:param access_key: AWS IAM access key ID
:type access_key: str
:param secret_key: AWS IAM secret access key
:type secret_key: str
:param session_token: Optional AWS IAM session token retrieved via a GetSessionToken AWS API request.
see: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
:type session_token: str
:param header_value: Vault allows you to require an additional header, X-Vault-AWS-IAM-Server-ID, to be present
to mitigate against different types of replay attacks. Depending on the configuration of the AWS auth
backend, providing a argument to this optional parameter may be required.
:type header_value: str
:param mount_point: The "path" the AWS auth backend was mounted on. Vault currently defaults to "aws". "aws-ec2"
new_method=api.auth_methods.Aws.create_role,
)
def create_ec2_role(self, role, bound_ami_id=None, bound_account_id=None, bound_iam_role_arn=None,
bound_iam_instance_profile_arn=None, bound_ec2_instance_id=None, bound_region=None,
bound_vpc_id=None, bound_subnet_id=None, role_tag=None, ttl=None, max_ttl=None, period=None,
policies=None, allow_instance_migration=False, disallow_reauthentication=False,
resolve_aws_unique_ids=None, mount_point='aws-ec2'):
"""POST /auth//role/
:param role:
:type role:
:param bound_ami_id:
:type bound_ami_id:
:param bound_account_id:
:type bound_account_id:
:param bound_iam_role_arn:
:type bound_iam_role_arn:
new_method=api.auth_methods.Aws.ec2_login,
)
def auth_ec2(self, pkcs7, nonce=None, role=None, use_token=True, mount_point='aws-ec2'):
"""POST /auth//login
:param pkcs7: PKCS#7 version of an AWS Instance Identity Document from the EC2 Metadata Service.
:type pkcs7: str.
:param nonce: Optional nonce returned as part of the original authentication request. Not required if the backend
has "allow_instance_migration" or "disallow_reauthentication" options turned on.
:type nonce: str.
:param role: Identifier for the AWS auth backend role being requested.
:type role: str.
:param use_token: If True, uses the token in the response received from the auth request to set the "token"
attribute on the current Client class instance.
:type use_token: bool.
:param mount_point: The "path" the AWS auth backend was mounted on. Vault currently defaults to "aws". "aws-ec2"
is the default argument for backwards comparability within this module.
new_method=api.auth_methods.Aws.list_roles,
)
def list_ec2_roles(self, mount_point='aws-ec2'):
    """GET /auth/<mount_point>/roles?list=true

    List the roles configured on the AWS EC2 auth backend.

    If the adapter raises ``exceptions.InvalidPath`` (presumably because
    nothing exists at that path yet -- verify against the adapter's
    error mapping), ``None`` is returned instead of propagating the
    error. Callers must therefore handle ``None`` as well as a normal
    response body; it is not the same as an empty key list.

    ``mount_point`` is placed in the request path without escaping.

    :param mount_point: The "path" the AWS auth backend was mounted on.
    :type mount_point: str
    :return: The parsed JSON body of the response, or ``None`` when the
        adapter raised ``exceptions.InvalidPath``.
    :rtype: dict | None
    """
    api_path = '/v1/auth/{mount}/roles'.format(mount=mount_point)
    list_query = {'list': True}
    try:
        response = self._adapter.get(api_path, params=list_query)
    except exceptions.InvalidPath:
        # Best-effort: an absent path is reported as "no roles" (None).
        return None
    return response.json()