Class: Vault::AppRole

Inherits:
Request
Defined in:
lib/vault/api/approle.rb

Instance Attribute Summary

Attributes inherited from Request

#client

Instance Method Summary

Methods inherited from Request

#initialize, #inspect, #to_s

Methods included from EncodePath

encode_path

Constructor Details

This class inherits a constructor from Vault::Request

Instance Method Details

#create_secret_id(role_name, options = {}) ⇒ Secret

Generates and issues a new SecretID on an existing AppRole.

Examples:

Generate a new SecretID

result = Vault.approle.create_secret_id("testrole") #=> #<Vault::Secret lease_id="...">
result.data[:secret_id] #=> "841771dc-11c9-bbc7-bcac-6a3945a69cd9"

Assign a custom SecretID

result = Vault.approle.create_secret_id("testrole", {
  secret_id: "testsecretid"
}) #=> #<Vault::Secret lease_id="...">
result.data[:secret_id] #=> "testsecretid"

Parameters:

  • role_name (String)

    The name of the AppRole

  • options (Hash) (defaults to: {})

Options Hash (options):

  • :secret_id (String)

    SecretID to be attached to the Role. If not set, then the new SecretID will be generated

  • :metadata (Hash<String, String>)

    Metadata to be tied to the SecretID. This should be a JSON-formatted string containing the metadata in key-value pairs. It will be set on tokens issued with this SecretID, and is logged in audit logs in plaintext.

Returns:

  • (Secret) the decoded response; the issued SecretID is available as data[:secret_id]


# File 'lib/vault/api/approle.rb', line 163

# Generates and issues a new SecretID on an existing AppRole.
#
# When +options[:secret_id]+ is present the value is registered through the
# +custom-secret-id+ endpoint; otherwise the plain +secret-id+ endpoint lets
# Vault generate one. Any +:metadata+ supplied here is logged by Vault in
# audit logs in plaintext, so it must never contain secret material.
#
# @param role_name [String] the name of the AppRole
# @param options [Hash] request body for Vault; passed through
#   +extract_headers!+ first (presumably to pull header entries out of it)
# @option options [String] :secret_id custom SecretID to attach; generated
#   by Vault when absent
# @option options [String] :metadata JSON-formatted key/value metadata tied
#   to the SecretID
# @return [Secret] the decoded response (the SecretID is in +data[:secret_id]+)
def create_secret_id(role_name, options = {})
  headers = extract_headers!(options)
  endpoint = options[:secret_id] ? "custom-secret-id" : "secret-id"
  path = "/v1/auth/approle/role/#{encode_path(role_name)}/#{endpoint}"
  json = client.post(path, JSON.fast_generate(options), headers)
  Secret.decode(json)
end

#delete_role(name) ⇒ Object

Deletes the AppRole with the given name. If an AppRole does not exist, vault will not return an error.

Examples:

Vault.approle.delete_role("testrole") #=> true

Parameters:

  • name (String)

    the name of the AppRole



# File 'lib/vault/api/approle.rb', line 133

# Deletes the AppRole with the given name. Vault does not report a missing
# AppRole as an error, so the call succeeds either way.
#
# @param name [String] the name of the AppRole
# @return [true]
def delete_role(name)
  path = "/v1/auth/approle/role/#{encode_path(name)}"
  client.delete(path)
  true
end

#role(name) ⇒ Secret?

Gets the AppRole by the given name. If an AppRole does not exist by that name, nil is returned.

Examples:

Vault.approle.role("testrole") #=> #<Vault::Secret lease_id="...">

Returns:

  • (Secret, nil) the decoded AppRole, or nil when no AppRole has that name


# File 'lib/vault/api/approle.rb', line 75

# Gets the AppRole by the given name.
#
# A 404 from Vault is treated as "no such role" and yields nil; any other
# HTTPError is re-raised unchanged.
#
# @param name [String] the name of the AppRole
# @return [Secret, nil]
def role(name)
  path = "/v1/auth/approle/role/#{encode_path(name)}"
  Secret.decode(client.get(path))
rescue HTTPError => err
  raise unless err.code == 404
  nil
end

#role_id(name) ⇒ String?

Reads the RoleID of an existing AppRole. If an AppRole does not exist by that name, nil is returned.

Examples:

Vault.approle.role_id("testrole") #=> "<role-id>"

Returns:

  • (String, nil) the RoleID, or nil when no AppRole has that name


# File 'lib/vault/api/approle.rb', line 105

# Reads the RoleID of an existing AppRole.
#
# Unlike #role this returns only the RoleID string taken from the decoded
# response's +data[:role_id]+, not the whole Secret. A 404 yields nil; other
# HTTPErrors propagate.
#
# @param name [String] the name of the AppRole
# @return [String, nil]
def role_id(name)
  path = "/v1/auth/approle/role/#{encode_path(name)}/role-id"
  Secret.decode(client.get(path)).data[:role_id]
rescue HTTPError => err
  raise unless err.code == 404
  nil
end

#roles(options = {}) ⇒ Array<String>

Gets the list of AppRoles in vault auth backend.

Examples:

Vault.approle.roles #=> ["testrole"]

Returns:

  • (Array<String>)


# File 'lib/vault/api/approle.rb', line 89

# Gets the list of AppRoles in the vault auth backend.
#
# A 404 (presumably an empty backend) is mapped to an empty array rather
# than an error; other HTTPErrors propagate.
#
# @param options [Hash] list parameters; passed through +extract_headers!+
#   first (presumably to pull header entries out of it)
# @return [Array<String>] the role names, empty when none exist
def roles(options = {})
  headers = extract_headers!(options)
  listing = Secret.decode(client.list("/v1/auth/approle/role", options, headers))
  listing.data[:keys] || []
rescue HTTPError => err
  raise unless err.code == 404
  []
end

#secret_id(role_name, secret_id) ⇒ Secret?

Reads out the properties of a SecretID assigned to an AppRole. If the specified SecretID does not exist, nil is returned.

Examples:

Vault.approle.secret_id("testrole", "841771dc-11c9-...") #=> #<Vault::Secret lease_id="...">

Parameters:

  • role_name (String)

    The name of the AppRole

  • secret_id (String)

    SecretID belonging to AppRole

Returns:

  • (Secret, nil) the SecretID's properties, or nil when it does not exist


# File 'lib/vault/api/approle.rb', line 185

# Reads out the properties of a SecretID assigned to an AppRole.
#
# The SecretID is sent in the body of a POST to the +secret-id/lookup+
# endpoint. Only when that endpoint answers 404 or 405 (presumably a server
# without it) does the method fall back to the legacy GET form, which places
# the SecretID in the URL path — worth knowing, since path components are
# far more likely than request bodies to end up in proxy or access logs.
#
# @param role_name [String] the name of the AppRole
# @param secret_id [String] SecretID belonging to the AppRole
# @return [Secret, nil] nil when the SecretID does not exist (empty lookup
#   response, or 404 from the legacy endpoint)
# @raise [HTTPError] any other error from either endpoint
def secret_id(role_name, secret_id)
  lookup_path = "/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/lookup"
  body = JSON.fast_generate({ secret_id: secret_id })
  json = client.post(lookup_path, body, {})
  json ? Secret.decode(json) : nil
rescue HTTPError => lookup_err
  raise unless lookup_err.code == 404 || lookup_err.code == 405

  # Legacy fallback: the SecretID itself becomes part of the request path.
  legacy_path = "/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/#{encode_path(secret_id)}"
  begin
    Secret.decode(client.get(legacy_path))
  rescue HTTPError => legacy_err
    raise legacy_err unless legacy_err.code == 404
    nil
  end
end

#secret_id_accessors(role_name, options = {}) ⇒ Array<String>

Lists the accessors of all the SecretIDs issued against the AppRole. This includes the accessors for “custom” SecretIDs as well. If there are no SecretIDs against this role, an empty array will be returned.

Examples:

Vault.approle.secret_id_accessors("testrole") #=> ["ce102d2a-...", "a1c8dee4-..."]

Returns:

  • (Array<String>)


# File 'lib/vault/api/approle.rb', line 212

# Lists the accessors of all SecretIDs issued against the AppRole, including
# "custom" ones. Accessors are returned rather than the SecretIDs themselves.
#
# A 404 is mapped to an empty array (no SecretIDs for the role); other
# HTTPErrors propagate.
#
# @param role_name [String] the name of the AppRole
# @param options [Hash] list parameters; passed through +extract_headers!+
#   first (presumably to pull header entries out of it)
# @return [Array<String>] the accessors, empty when there are none
def secret_id_accessors(role_name, options = {})
  headers = extract_headers!(options)
  path = "/v1/auth/approle/role/#{encode_path(role_name)}/secret-id"
  listing = Secret.decode(client.list(path, options, headers))
  listing.data[:keys] || []
rescue HTTPError => err
  raise unless err.code == 404
  []
end

#set_role(name, options = {}) ⇒ true

Creates a new AppRole or updates an existing AppRole with the given name and attributes.

Examples:

Vault.approle.set_role("testrole", {
  secret_id_ttl: "10m",
  token_ttl:     "20m",
  policies:      "default",
  period:        3600,
}) #=> true

Parameters:

  • name (String)

    The name of the AppRole

  • options (Hash) (defaults to: {})

Options Hash (options):

  • :bind_secret_id (Boolean)

    Require secret_id to be presented when logging in using this AppRole.

  • :bound_cidr_list (String)

    Comma-separated list of CIDR blocks. Specifies blocks of IP addresses which can perform the login operation.

  • :policies (String)

    Comma-separated list of policies set on tokens issued via this AppRole.

  • :secret_id_num_uses (String)

    Number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire.

  • :secret_id_ttl (Fixnum, String)

    The number of seconds or a golang-formatted timestamp like “60m” after which any SecretID expires.

  • :token_ttl (Fixnum, String)

    The number of seconds or a golang-formatted timestamp like “60m” to set as the TTL for issued tokens and at renewal time.

  • :token_max_ttl (Fixnum, String)

    The number of seconds or a golang-formatted timestamp like “60m” after which the issued token can no longer be renewed.

  • :period (Fixnum, String)

    The number of seconds or a golang-formatted timestamp like “60m”. If set, the token generated using this AppRole is a periodic token. So long as it is renewed it never expires, but the TTL set on the token at each renewal is fixed to the value specified here. If this value is modified, the token will pick up the new value at its next renewal.

Returns:

  • (true)


# File 'lib/vault/api/approle.rb', line 62

# Creates a new AppRole or updates an existing one with the given name.
#
# The whole +options+ hash (after +extract_headers!+ has run on it) is
# serialized as the JSON request body, so every key in it is forwarded to
# Vault as a role attribute (policies, TTLs, bound_cidr_list, ...).
#
# @param name [String] the name of the AppRole
# @param options [Hash] role attributes to set; see the Vault AppRole API
# @return [true]
def set_role(name, options = {})
  headers = extract_headers!(options)
  path = "/v1/auth/approle/role/#{encode_path(name)}"
  client.post(path, JSON.fast_generate(options), headers)
  true
end

#set_role_id(name, role_id) ⇒ true

Updates the RoleID of an existing AppRole to a custom value.

Examples:

Vault.approle.set_role_id("testrole", "my-custom-role-id") #=> true

Returns:

  • (true)


# File 'lib/vault/api/approle.rb', line 119

# Updates the RoleID of an existing AppRole to a custom value.
#
# If the role was created without +bind_secret_id+, the RoleID is the only
# thing presented at login, so a custom value chosen here is effectively a
# credential and should be treated as one.
#
# @param name [String] the name of the AppRole
# @param role_id [String] the custom RoleID to assign
# @return [true]
def set_role_id(name, role_id)
  path = "/v1/auth/approle/role/#{encode_path(name)}/role-id"
  body = JSON.fast_generate({ role_id: role_id })
  client.post(path, body)
  true
end