Class: Vault::AppRole

Inherits:
Request
Defined in:
lib/vault/api/approle.rb

Instance Attribute Summary

Attributes inherited from Request

#client

Instance Method Summary

Methods inherited from Request

#initialize, #inspect, #to_s

Methods included from EncodePath

encode_path

Constructor Details

This class inherits a constructor from Vault::Request

Instance Method Details

#create_secret_id(role_name, options = {}) ⇒ Secret

Generates and issues a new SecretID on an existing AppRole.

Examples:

Generate a new SecretID

result = Vault.approle.create_secret_id("testrole") #=> #<Vault::Secret lease_id="...">
result.data[:secret_id] #=> "841771dc-11c9-bbc7-bcac-6a3945a69cd9"

Assign a custom SecretID

result = Vault.approle.create_secret_id("testrole", {
  secret_id: "testsecretid"
}) #=> #<Vault::Secret lease_id="...">
result.data[:secret_id] #=> "testsecretid"

Parameters:

  • role_name (String)

    The name of the AppRole

  • options (Hash) (defaults to: {})

Options Hash (options):

  • :secret_id (String)

    SecretID to be attached to the Role. If not set, then the new SecretID will be generated

  • :metadata (Hash<String, String>)

    Metadata to be tied to the SecretID, as key-value pairs. Note that the client serializes the whole options hash with JSON.fast_generate, so a Hash here is sent as a nested JSON object rather than as the JSON-formatted string the Vault API documents for this field; pass a pre-encoded String if your server rejects the Hash form. The metadata is set on tokens issued with this SecretID and is written to audit logs in plaintext, so it must never contain secrets.

Returns:

  • (Secret) — the decoded response; the SecretID itself is in data[:secret_id]. It is a login credential: handle it like a password and do not log it.


# File 'lib/vault/api/approle.rb', line 160

# Issue a SecretID for +role_name+. When +options[:secret_id]+ is present the
# custom-secret-id endpoint is used so the caller-supplied value becomes the
# credential; otherwise Vault generates one. Header keys are split out of
# +options+ by extract_headers! before the remainder is sent as the JSON body.
#
# Security note: a custom SecretID is a login credential. It travels in the
# request body (not the URL) but must still be high-entropy and treated like
# a password; never log the value returned in +data[:secret_id]+.
#
# @param role_name [String] name of the AppRole
# @param options [Hash] request body (plus any header keys extract_headers! pulls out)
# @return [Secret] decoded response; the SecretID is in +data[:secret_id]+
def create_secret_id(role_name, options = {})
  headers  = extract_headers!(options)
  endpoint = options[:secret_id] ? "custom-secret-id" : "secret-id"
  path     = "/v1/auth/approle/role/#{encode_path(role_name)}/#{endpoint}"
  Secret.decode(client.post(path, JSON.fast_generate(options), headers))
end

#delete_role(name) ⇒ Object

Deletes the AppRole with the given name. If an AppRole does not exist, vault will not return an error.

Examples:

Vault.approle.delete_role("testrole") #=> true

Parameters:

  • name (String)

    The name of the AppRole



# File 'lib/vault/api/approle.rb', line 130

# Delete the AppRole called +name+. Vault does not report an error for a
# role that does not exist, so the result is true whether or not anything
# was actually removed.
#
# @param name [String] name of the AppRole
# @return [true]
def delete_role(name)
  client.delete("/v1/auth/approle/role/#{encode_path(name)}")
  true
end

#role(name) ⇒ Secret?

Gets the AppRole by the given name. If an AppRole does not exist by that name, nil is returned.

Examples:

Vault.approle.role("testrole") #=> #<Vault::Secret lease_id="...">

Returns:

  • (Secret, nil) — the role's configuration, or nil when Vault answers 404 for the name



# File 'lib/vault/api/approle.rb', line 72

# Read the configuration of the AppRole called +name+.
#
# @param name [String] name of the AppRole
# @return [Secret, nil] decoded role, or nil when the server answers 404
# @raise [HTTPError] for any other HTTP failure
def role(name)
  path = "/v1/auth/approle/role/#{encode_path(name)}"
  Secret.decode(client.get(path))
rescue HTTPError => err
  # Only "not found" is mapped to nil; everything else propagates unchanged.
  raise unless err.code == 404
  nil
end

#role_id(name) ⇒ String?

Reads the RoleID of an existing AppRole. If an AppRole does not exist by that name, nil is returned.

Examples:

Vault.approle.role_id("testrole") #=> "<role-id string>"

Returns:

  • (String, nil) — the RoleID taken from data[:role_id] (not the Secret wrapper), or nil when Vault answers 404 for the name



# File 'lib/vault/api/approle.rb', line 102

# Read the RoleID of the AppRole called +name+. Unlike #role this unwraps
# the response and returns the bare +data[:role_id]+ value.
#
# @param name [String] name of the AppRole
# @return [String, nil] the RoleID, or nil when the server answers 404
# @raise [HTTPError] for any other HTTP failure
def role_id(name)
  path = "/v1/auth/approle/role/#{encode_path(name)}/role-id"
  Secret.decode(client.get(path)).data[:role_id]
rescue HTTPError => err
  raise unless err.code == 404
  nil
end

#roles(options = {}) ⇒ Array<String>

Gets the list of AppRoles in vault auth backend.

Examples:

Vault.approle.roles #=> ["testrole"]

Returns:

  • (Array<String>)


# File 'lib/vault/api/approle.rb', line 86

# List the names of all AppRoles in the auth backend.
#
# @param options [Hash] list parameters; header keys are removed by extract_headers!
# @return [Array<String>] role names, or [] when there are none (Vault answers 404 for an empty list)
# @raise [HTTPError] for any other HTTP failure
def roles(options = {})
  headers = extract_headers!(options)
  listing = Secret.decode(client.list("/v1/auth/approle/role", options, headers))
  listing.data[:keys] || []
rescue HTTPError => err
  raise unless err.code == 404
  []
end

#secret_id(role_name, secret_id) ⇒ Secret?

Reads out the properties of a SecretID assigned to an AppRole. If the specified SecretID does not exist, nil is returned.

Examples:

Vault.approle.secret_id("testrole", "841771dc-11c9-...") #=> #<Vault::Secret lease_id="...">

Parameters:

  • role_name (String)

    The name of the AppRole

  • secret_id (String)

    SecretID belonging to AppRole

Returns:

  • (Secret, nil) — the SecretID's properties, or nil when it does not exist



# File 'lib/vault/api/approle.rb', line 182

# Look up the properties of +secret_id+ under +role_name+.
#
# The SecretID is sent in a POST body to the lookup endpoint. A 404 or 405
# from that endpoint is taken to mean the server does not support it, and
# the legacy GET path is tried instead. On the legacy path the SecretID is
# embedded in the request URL, where proxies and access logs commonly record
# it — prefer servers that support the lookup endpoint when the credential
# must stay out of intermediary logs.
#
# @param role_name [String] name of the AppRole
# @param secret_id [String] the SecretID to look up (a credential; do not log)
# @return [Secret, nil] decoded properties, or nil when the SecretID is unknown
#   (empty lookup response, or 404 on the legacy path)
# @raise [HTTPError] for any other HTTP failure
def secret_id(role_name, secret_id)
  lookup_path = "/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/lookup"
  body = JSON.fast_generate({ secret_id: secret_id })
  json = client.post(lookup_path, body, {})
  json ? Secret.decode(json) : nil
rescue HTTPError => lookup_error
  # Anything other than "endpoint missing" is a real failure.
  raise unless lookup_error.code == 404 || lookup_error.code == 405
  legacy_path = "/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/#{encode_path(secret_id)}"
  begin
    Secret.decode(client.get(legacy_path))
  rescue HTTPError => legacy_error
    raise legacy_error unless legacy_error.code == 404
    nil
  end
end

#secret_id_accessors(role_name, options = {}) ⇒ Array<String>

Lists the accessors of all the SecretIDs issued against the AppRole. This includes the accessors for “custom” SecretIDs as well. If there are no SecretIDs against this role, an empty array will be returned.

Examples:

Vault.approle.secret_id_accessors("testrole") #=> ["ce102d2a-...", "a1c8dee4-..."]

Returns:

  • (Array<String>)


# File 'lib/vault/api/approle.rb', line 209

# List the accessors of every SecretID issued for +role_name+ (custom
# SecretIDs included). Accessors are references, not the SecretIDs
# themselves, so the listing does not expose credentials.
#
# @param role_name [String] name of the AppRole
# @param options [Hash] list parameters; header keys are removed by extract_headers!
# @return [Array<String>] accessors, or [] when there are none (Vault answers 404 for an empty list)
# @raise [HTTPError] for any other HTTP failure
def secret_id_accessors(role_name, options = {})
  headers = extract_headers!(options)
  path = "/v1/auth/approle/role/#{encode_path(role_name)}/secret-id"
  listing = Secret.decode(client.list(path, options, headers))
  listing.data[:keys] || []
rescue HTTPError => err
  raise unless err.code == 404
  []
end

#set_role(name, options = {}) ⇒ true

Creates a new AppRole or update an existing AppRole with the given name and attributes.

Examples:

Vault.approle.set_role("testrole", {
  secret_id_ttl: "10m",
  token_ttl:     "20m",
  policies:      "default",
  period:        3600,
}) #=> true

Parameters:

  • name (String)

    The name of the AppRole

  • options (Hash) (defaults to: {})

Options Hash (options):

  • :bind_secret_id (Boolean)

    Require secret_id to be presented when logging in using this AppRole. If this is disabled, the RoleID alone is enough to obtain a token, so only disable it together with a restrictive :bound_cidr_list (or another binding).

  • :bound_cidr_list (String)

    Comma-separated list of CIDR blocks. Specifies blocks of IP addresses which can perform the login operation.

  • :policies (String)

    Comma-separated list of policies set on tokens issued via this AppRole.

  • :secret_id_num_uses (String)

    Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire.

  • :secret_id_ttl (Fixnum, String)

    The number of seconds or a golang-formatted duration like “60m” after which any SecretID expires.

  • :token_ttl (Fixnum, String)

    The number of seconds or a golang-formatted duration like “60m” to set as the TTL for issued tokens and at renewal time.

  • :token_max_ttl (Fixnum, String)

    The number of seconds or a golang-formatted duration like “60m” after which the issued token can no longer be renewed.

  • :period (Fixnum, String)

    The number of seconds or a golang-formatted duration like “60m”. If set, the token generated using this AppRole is a periodic token. So long as it is renewed it never expires, but the TTL set on the token at each renewal is fixed to the value specified here. If this value is modified, the token will pick up the new value at its next renewal.

Returns:

  • (true)


# File 'lib/vault/api/approle.rb', line 59

# Create or update the AppRole called +name+. All remaining +options+ (after
# extract_headers! has pulled out header keys) are sent verbatim as the JSON
# body, so they must use the field names the Vault AppRole API expects.
#
# @param name [String] name of the AppRole
# @param options [Hash] role attributes (policies, TTLs, bindings, ...)
# @return [true]
def set_role(name, options = {})
  headers = extract_headers!(options)
  body = JSON.fast_generate(options)
  client.post("/v1/auth/approle/role/#{encode_path(name)}", body, headers)
  true
end

#set_role_id(name, role_id) ⇒ true

Updates the RoleID of an existing AppRole to a custom value.

Examples:

Vault.approle.set_role_id("testrole", "custom-role-id") #=> true

Returns:

  • (true)


# File 'lib/vault/api/approle.rb', line 116

# Replace the RoleID of the AppRole called +name+ with a caller-chosen value.
# Unlike the other writers here this method takes no options hash and sends
# no extra headers.
#
# Security note: a hand-picked RoleID is typically far more guessable than a
# Vault-generated one. If the role does not require a SecretID
# (bind_secret_id disabled), the RoleID is the only thing standing between a
# caller and a token, so keep it unpredictable.
#
# @param name [String] name of the AppRole
# @param role_id [String] the new RoleID
# @return [true]
def set_role_id(name, role_id)
  body = JSON.fast_generate({ role_id: role_id })
  client.post("/v1/auth/approle/role/#{encode_path(name)}/role-id", body)
  true
end