Skip to content

Python#

Python can be used to retrieve secrets from Vault via an API call to Vault with the python hvac module. The most straight forward way to do this is using approle authentication.

Vault Policies#

Teams are responsible for setting up policies to give python access to specific secrets or paths. Use the following CLI commands to setup a role to read any secrets at secret/python/* or a variation of the terraform code examples.

Bash
vault policy write approle_python_access_policy - <<EOF
path "secret/data/python/*" {
  capabilities = ["create", "read", "update", "patch", "delete"]
}
EOF

Approle#

In order for python to connect to vault, it must authenticate. To create an approle, use the following CLI command or a variation of the terraform code examples and associate the policy that you created in the last step:

Bash
vault write auth/approle/role/python \
  token_policies="default,approle_python_access_policy"

role_id & secret_id#

Python will use a role_id & secret_id to authenticate to vault that will need to be retrieved:

Bash
# Read role-id
vault read auth/approle/role/python/role-id
# Or set environment variable for python directly
export VAULT_ROLE_ID=$(vault read -format=json auth/approle/role/python/role-id | jq -r '.data.role_id')

# Create a secret-id
vault write -f auth/approle/role/python/secret-id
# Or set environment variable for python directly
export VAULT_SECRET_ID=$(vault write -format=json -f auth/approle/role/python/secret-id | jq -r '.data.secret_id')

Python hvac Module#

Install the python hvac module on the server that will be reading/writing vault secrets. The command will need to be tailored for the specific version and setup of python/pip.

Bash
pip install hvac

Basic Vault Read Example#

Python
import hvac
import os

# Function to authenticate with Vault using AppRole
def authenticate_vault(client, role_id, secret_id):
    response = client.auth.approle.login(
        role_id=role_id,
        secret_id=secret_id
    )
    return response['auth']['client_token']

# Function to read a secret from Vault
def read_secret(client, path):
    secret = client.secrets.kv.v2.read_secret_version(
        path=path,
        raise_on_deleted_version=False) # https://github.com/hvac/hvac/pull/907
    return secret['data']['data']

# Function to write a secret to Vault
def write_secret(client, path, secret_data):
    client.secrets.kv.v2.create_or_update_secret(
        path=path,
        secret=secret_data,
    )

def main():

    # Override the UMN vault private instance by specifying VAULT_ADDR environment variable
    vault_url = os.getenv('VAULT_ADDR', 'https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200/')

    # Set environment variables for VAULT_ROLE_ID & VAULT_SECRET_ID
    role_id = os.getenv('VAULT_ROLE_ID')
    secret_id = os.getenv('VAULT_SECRET_ID')

    # Specify vault namespace as environment variable or use default ('admin/CESI')
    namespace = os.getenv('VAULT_NAMESPACE', 'admin/CESI')

    # Initialize the Vault client
    client = hvac.Client(
        url=vault_url,
        namespace=namespace,
    )

    # Authenticate with Vault
    client.token = authenticate_vault(client, role_id, secret_id)

    # Define the secret path and data
    secret_path = 'python/test'
    secret_data = {'password': 'ABCD1234'}

    # Write the secret to Vault
    write_secret(client, secret_path, secret_data)
    print(f'Secret written to {secret_path}')

    # Read the secret from Vault
    secret = read_secret(client, secret_path)
    print(f'Secret read from {secret_path}: {secret}')

if __name__ == '__main__':
    main()