HashiCorp Vault API client for Python 3.x
Tested against the latest release, HEAD ref, and 3 previous minor versions (counting back from the latest release) of Vault. Current official support covers Vault v1.3.10 or later.
pip install hvac
If you would like to be able to return parsed HCL data as a Python dict for methods that support it:
pip install "hvac[parser]"
Additional documentation for this module available at: hvac.readthedocs.io:
I'm using the hvac package with vault 0.6.1. In my script, I attempt to authenticate against our Vault server with the username/password authentication method:
import hvac
vault_username = "username"
vault_pw = "mypassword"
vault_client.auth_userpass(vault_username, vault_pw)
And I'm getting this error:
$ ./script.py
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 595, in urlopen
chunked=chunked)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 352, in _make_request
self._validate_conn(conn)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 831, in _validate_conn
conn.connect()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 289, in connect
ssl_version=resolved_ssl_version)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 308, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 377, in wrap_socket
_context=self)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 752, in __init__
self.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 621, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./script.py", line 33, in <module>
vault_client.auth_userpass(vault_username, vault_pw)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 481, in auth_userpass
return self.auth('/v1/auth/{0}/login/{1}'.format(mount_point, username), json=params, use_token=use_token)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 600, in auth
response = self._post(url, **kwargs).json()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 643, in _post
return self.__request('post', url, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 664, in __request
allow_redirects=False, **_kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 596, in send
r = adapter.send(request, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
I thought it might be a TLS negotiation mismatch between my client and our Vault server but we aren't explicitly blocking/denying requests on TLSv1.
Based on the stack trace, it looks like an issue with my Python installation but I'm able to open other SSL sites in my Python environment without any problems:
$ python
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 26 2016, 10:47:25)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://www.howsmyssl.com/a/check")
<Response [200]>
According to the Vault documentation for the iam/ec2 auth endpoints, it works like this:
curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", "iam_http_request_method": "POST", "iam_request_url": "aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=", "iam_request_body": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==", "iam_request_headers": "eyJDb250ZW50LUxlbmd0aCI6IFsiNDMiXSwgIlVzZXItQWdlbnQiOiBbImF3cy1zZGstZ28vMS40LjEyIChnbzEuNy4xOyBsaW51eDsgYW1kNjQpIl0sICJYLVZhdWx0LUFXU0lBTS1TZXJ2ZXItSWQiOiBbInZhdWx0LmV4YW1wbGUuY29tIl0sICJYLUFtei1EYXRlIjogWyIyMDE2MDkzMFQwNDMxMjFaIl0sICJDb250ZW50LVR5cGUiOiBbImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD11dGYtOCJdLCAiQXV0aG9yaXphdGlvbiI6IFsiQVdTNC1ITUFDLVNIQTI1NiBDcmVkZW50aWFsPWZvby8yMDE2MDkzMC91cy1lYXN0LTEvc3RzL2F3czRfcmVxdWVzdCwgU2lnbmVkSGVhZGVycz1jb250ZW50LWxlbmd0aDtjb250ZW50LXR5cGU7aG9zdDt4LWFtei1kYXRlO3gtdmF1bHQtc2VydmVyLCBTaWduYXR1cmU9YTY5ZmQ3NTBhMzQ0NWM0ZTU1M2UxYjNlNzlkM2RhOTBlZWY1NDA0N2YxZWI0ZWZlOGZmYmM5YzQyOGMyNjU1YiJdfQ==" }'
https://www.vaultproject.io/docs/auth/aws.html
After un-base64-ing that, and formatting it to make it somewhat readable, it looks like:
curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", \
"iam_http_request_method": "POST", \
"iam_request_url": "https://sts.amazonaws.com/", \
"iam_request_body": "Action=GetCallerIdentity&Version=2011-06-15", \
"iam_request_headers": "{"Content-Length": ["43"], \
"User-Agent": ["aws-sdk-go/1.4.12 (go1.7.1; linux; amd64)"], \
"X-Vault-AWSIAM-Server-Id": ["vault.example.com"], \
"X-Amz-Date": ["20160930T043121Z"], \
"Content-Type": ["application/x-www-form-urlencoded; charset=utf-8"], \
"Authorization": ["AWS4-HMAC-SHA256 Credential=foo/20160930/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-vault-server, \
Signature=a69fd750a3445c4e553e1b3e79d3da90eef54047f1eb4efe8ffbc9c428c2655b"]}" }'
But I'm looking through the hvac code, and auth_ec2 does none of those things.
In experimenting with it, I'm getting explosions like:
>> client.auth_ec2(requests.get("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7").text)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 562, in auth_ec2
return self.auth('/v1/auth/aws-ec2/login', json=params, use_token=use_token)
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 787, in auth
response = self._post(url, **kwargs).json()
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 947, in _post
return self.__request('post', url, **kwargs)
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 986, in __request
self.__raise_error(response.status_code, text, errors=errors)
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 992, in __raise_error
raise exceptions.InvalidRequest(message, errors=errors)
hvac.exceptions.InvalidRequest: missing client token
Missing client token is not what it should be responding. But then, hvac doesn't appear to actually be even trying to authenticate properly, so the server appears to be trying to authenticate it with the default (token) auth.
Does this auth_ec2 even work? Or am I missing something very obvious and fundamental?
bugFailing example from the README:
>>> import os, hvac
>>> client = hvac.Client(url='http://localhost:8200', token='foobar')
>>> client.is_authenticated()
True
>>> client.write('secret/foo', baz='bar', lease='1h')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 64, in write
response = self._put('/v1/{0}'.format(path), json=kwargs, wrap_ttl=wrap_ttl)
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 1242, in _put
return self.__request('put', url, **kwargs)
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 1278, in __request
self.__raise_error(response.status_code, text, errors=errors)
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 1290, in __raise_error
raise exceptions.InvalidPath(message, errors=errors)
hvac.exceptions.InvalidPath: {"request_id":"494d7306-ede4-bc4f-47d5-747bff182df3","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation."],"auth":null}
>>> print(client.read('secret/foo'))
None
>>>
For reference, here's the cli - correct call (vault kv put/vault kv get) and incorrect call (vault write; produces the same error):
% vault kv put secret/bar baz=qux
Key Value
--- -----
created_time 2018-05-22T11:08:01.003383998Z
deletion_time n/a
destroyed false
version 1
% vault kv get secret/bar
====== Metadata ======
Key Value
--- -----
created_time 2018-05-22T11:08:01.003383998Z
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
baz qux
% vault write secret/baz qux=quux
Error writing data to secret/baz: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/baz
Code: 404. Errors:
WARNING! The following warnings were returned from Vault:
* Invalid path for a versioned K/V secrets engine. See the API docs for the
appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
for this operation.
%
Tested on Linux, using hvac 0.5.0 and python 2.7.15 and 3.6.5.
[Moving this discussion from https://github.com/ianunruh/hvac/pull/155#issuecomment-400119225 into an issue for visibility. cc: @RevolutionTech]
re: https://github.com/ianunruh/hvac/pull/170
Sorry if this is a stupid question, but since the API in https://github.com/ianunruh/hvac/pull/170 now requires an access key ID and a secret access key, is there any way we can use IAM auth without having those at runtime? For the application I work on, we store those credentials in Vault currently.
I realize that we can infer credentials with boto3 using the following code:
import boto3
session = boto3.Session()
credentials = session.get_credentials()
print(credentials.access_key, credentials.secret_key)
but boto3 attempts to collect the access key and secret key from many different locations (such as environment variables, and from ~/.aws/credentials) before it ultimately uses the IAM role, so if we were to rely on this we may not collect the credentials that correspond to the IAM role we want.
Is there some other way to extract an access key and secret key from an IAM role that I'm missing?
I understand that it may be too early to actually drop Python 2 support, because still ~ 40% of downloads come from Python 2 (according to PyPI stats). But it might be a good idea to announce plans in advance and tell users which version of hvac will be the latest with Python 2 support. Does the hvac project have any plan on this matter?
Module for Active directory which will help us to manage AD through automation I will also update hvac/hvac/api/secrets_engines/init.py to support ad.py
skip-changelogI have the following policy:
"paths": {
(...)
"secret/data/foo/bar/*": {
"allowed_parameters": {
"x": [],
"y": [],
"z": []
},
"capabilities": [
"create",
"read",
"update",
"delete",
"list"
],
(...)
}
The following works fine: vault write secret/data/foo/bar/baz x=1 y=2 z=3.
However, using the same exact token in hvac:
>>> client.secrets.kv.v2.create_or_update_secret('foo/bar/baz', secret = {'x': '1', 'y': '2', 'z': '3'})
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/api/secrets_engines/kv_v2.py", line 122, in create_or_update_secret
json=params,
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/adapters.py", line 106, in post
return self.request('post', url, **kwargs)
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/adapters.py", line 276, in request
utils.raise_for_error(response.status_code, text, errors=errors)
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/utils.py", line 33, in raise_for_error
raise exceptions.Forbidden(message, errors=errors)
hvac.exceptions.Forbidden: 1 error occurred:
* permission denied
I did a tcpdump (since it was to an HTTP Vault server on localhost), and found that the Vault CLI client does e.g. (real values have been replaced):
PUT /v1/secret/data/foo/bar/baz HTTP/1.1
Host: 127.0.0.1:8200
User-Agent: Go-http-client/1.1
Content-Length: [REDACTED FOR DEMO]
X-Vault-Token: [REDACTED FOR DEMO]
Accept-Encoding: gzip
{"x":"1","y":"2","z":"3"}
BUT the client.secrets.kv.v2.create_or_update_secret call does e.g. this (actual values replaced):
POST /v1/secret/data/foo/bar/baz HTTP/1.1
Host: localhost:8200
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-Vault-Token: [REDACTED FOR DEMO]
Content-Length: [REDACTED FOR DEMO]
Content-Type: application/json
{"options": {}, "data": {"x": "1", "y": "2", "z": "3"}}
Notable differences are a POST vs. PUT, and the structure of the payload.
For whatever reason, this causes a permission denied error (403) for hvac, but the vault client succeeds.
At a guess, maybe the docs are wrong? As the Vault client does not seem to conform to the docs (but hvac does).
Are you able to replicate?
bug kvThis is another big PR so apologies in advance. This PR fixes issue #525 and arises from the discussion therein.
This PR does one thing: create a new JSONAdapter and makes it the default. The "JSON adapter" works just like the previous "Request" adapter except the return value uses the following logic:
if response.status_code == 200:
try:
return response.json()
except ValueError:
pass
return response
The net result is that all client functions now have consistent logic regarding what they return. As a result, all instances of the following client logic have been removed:
return response.json()
and
if response.status_code == 204:
return response
else:
return response.json()
This will likely cause some breaking changes for some users, especially with regards to the direct client.[read,list,write,delete] methods as they will no longer throw a ValueError from assuming the response always contains a JSON body.
This builds on #739 and closes #582.
I think besides dropping Python 2 support, Python 3.6 and older should be dropped as well as they are EOL. This library should track with Python version support.
Same TODO as mentioned in #739
https://github.com/hvac/hvac/blob/master/hvac/v1/init.py#L687
The latest version of vault does not seem to return the same json.
There seems to be a similar change with list_auth_backends but that doesn't throw an exception. I'll submit something if I'm not missing something.
I am getting hvac.exceptions.InvalidPath: no handler for route 'secret/data/kv' error while trying to read KV 2 via hvac.
does anyone run into the same problem?
hvac==0.9.2
vault 1.1.2
CentOS 7.6
cluster_name = "dc1" max_lease_ttl = "768h" default_lease_ttl = "768h"
disable_clustering = "False" cluster_addr = "http://127.0.0.1:8201" api_addr = "http://127.0.0.1:8200"
plugin_directory = "/usr/local/lib/vault/plugins"
listener "tcp" { address = "127.0.0.1:8200" cluster_address = "127.0.0.1:8201" tls_disable = "true" }
storage "file" { path = "/var/vault" }ui = true
#!/usr/bin/python
import hvac
client = hvac.Client(url='http://127.0.0.1:8200', token='
print client.is_authenticated()
secret_version_response = client.secrets.kv.v2.read_secret_version( path='kv', )
True
Traceback (most recent call last):
File "./p1.py", line 10, in
I get the following error when I try to get credentials from an sts endpoint. Below is the error.
Response { "errorMessage": "Error assuming role: InvalidParameter: 1 validation error(s) found.\n- minimum field value of 900, AssumeRoleInput.DurationSeconds.\n, on put https://vault.endpoint.com/v1/aws/sts/vault-policy", "errorType": "InvalidRequest", "stackTrace": [ " File "/var/task/lambda_function.py", line 54, in lambda_handler\n print(hvac.api.secrets_engines.Aws.generate_credentials(client, 'lambda_china_staging', role_arn='arn:aws:iam::1234567890:role/VaultAssumeRoleDummy', endpoint='sts', ttl='3600s'))\n", " File "/var/task/hvac/api/secrets_engines/aws.py", line 397, in generate_credentials\n params=params,\n", " File "/var/task/hvac/adapters.py", line 139, in put\n return self.request("put", url, **kwargs)\n", " File "/var/task/hvac/adapters.py", line 369, in request\n response = super().request(*args, **kwargs)\n", " File "/var/task/hvac/adapters.py", line 336, in request\n method, url, response.status_code, text, errors=errors\n", " File "/var/task/hvac/utils.py", line 36, in raise_for_error\n raise exceptions.InvalidRequest(message, errors=errors, method=method, url=url)\n" ] } Request: hvac.api.secrets_engines.Aws.generate_credentials(client, 'lambda_china_staging', role_arn='arn:aws:iam::1234567890:role/VaultAssumeRoleDummy', endpoint='sts', ttl='3600s')
I'm building a AWS Lambda Layer to share between my lambdas. To create the lambda layer package and upload to my S3 bucket I'm using the following script:
#!/usr/bin/env bash
bucket_name="$1"
lambda_layer_package="$2"
python3 -m venv python
. './python/bin/activate'
python3 -m pip install \
-r 'requirements.txt' \
--trusted-host 'artifactory.myhost.com' \
--proxy 'http://myproxy.myhost.com:3128' \
--index-url 'https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple'
deactivate
rm -rf './python/bin'
rm -rf './python/include'
rm -rf './python/pyvenv.cfg'
zip -r "${lambda_layer_package}" './python' &>/dev/null
aws s3 cp \
"${lambda_layer_package}" \
"s3://${bucket_name}/lambda_layers/${lambda_layer_package}" \
--acl 'private'
I have another lambda layer that uses this same script to create a layer with boto3, jinja2 and requests and everything works fine, but when I add hvac in my requirements.txt i get the error below:
Looking in indexes: https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple
Collecting boto3
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/27/8e/ebd5c9bff881ba6bbc7d9a6e00766f6052a9b8579cc19a7ddafedc1500b9/boto3-1.26.38-py3-none-any.whl (132 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 132.7/132.7 KB 5.5 MB/s eta 0:00:00
Collecting hvac
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/8d/43/6532046afa7b20c352d2a8b68de1d1fd350104024edfb00bf486801712af/hvac-1.0.2-py3-none-any.whl (143 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 143.5/143.5 KB 9.8 MB/s eta 0:00:00
Collecting jmespath<2.0.0,>=0.7.1
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/31/b4/b9b800c45527aadd64d5b442f9b932b00648617eb5d63d2c7a6587b7cafc/jmespath-1.0.1-py3-none-any.whl (20 kB)
Collecting botocore<1.30.0,>=1.29.38
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/5e/35/c0660215b73e23e7edc84002d5c12a23208c5d4dcee9248d4b4d1a313860/botocore-1.29.38-py3-none-any.whl (10.3 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 10.3/10.3 MB 46.6 MB/s eta 0:00:00
Collecting s3transfer<0.7.0,>=0.6.0
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/5e/c6/af903b5fab3f9b5b1e883f49a770066314c6dcceb589cf938d48c89556c1/s3transfer-0.6.0-py3-none-any.whl (79 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 79.6/79.6 KB 1.6 MB/s eta 0:00:00
Collecting pyhcl<0.5.0,>=0.4.4
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/91/b0/dd4f1d01b77be3b66d9f550ed958b68fa553764be1d27c7d604906c06b42/pyhcl-0.4.4.tar.gz (61 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.1/61.1 KB 3.9 MB/s eta 0:00:00
Installing build dependencies: started
Installing build dependencies: still running...
Installing build dependencies: still running...
Installing build dependencies: still running...
Installing build dependencies: finished with status 'error'
error: subprocess-exited-with-error
× pip subprocess to install build dependencies did not run successfully.
│ exit code: 1
╰─> [8 lines of output]
Looking in indexes: https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f7724a00220>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f772426bd60>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f772426b1f0>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f772426b610>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f7723c26c10>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
ERROR: Could not find a version that satisfies the requirement setuptools (from versions: none)
ERROR: No matching distribution found for setuptools
[end of output]
note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error
× pip subprocess to install build dependencies did not run successfully.
│ exit code: 1
╰─> See above for output.
note: This error originates from a subprocess, and is likely not a problem with pip.
If I look into my artifactory repository, accessing the path https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple/setuptools/, setuptools exists from the oldest version to the recent 65.6.3.
When listing namespaces the API throws an exception if no namespaces are found.
Example Code:
try:
ns_client = hvac.Client(url="https://vault.company.org", namespace="some_namespace", token="some_token")
sub_namespaces = ns_client.sys.list_namespaces()
except Exception as e:
import traceback
logging.error(f"Err: {e}")
print(traceback.format_exc())
yields:
2022-12-20 14:17:18,461 - DEBUG - https://vault.company.org:443 "LIST /v1/sys/namespaces HTTP/1.1" 404 14
2022-12-20 14:17:18,462 - ERROR - Err: None, on list https://vault.company.org/v1/sys/namespaces
Traceback (most recent call last):
File "C:\Path\to\Project\sync_vault_config.py", line 56, in get_namespaces
sub_namespaces = ns_client.sys.list_namespaces()
File "C:\Path\to\Project\venv\lib\site-packages\hvac\api\system_backend\namespace.py", line 30, in list_namespaces
return self._adapter.list(
File "C:\Path\to\Project\venv\lib\site-packages\hvac\adapters.py", line 164, in list
return self.request("list", url, **kwargs)
File "C:\Path\to\Project\venv\lib\site-packages\hvac\adapters.py", line 356, in request
response = super().request(*args, **kwargs)
File "C:\Path\to\Project\venv\lib\site-packages\hvac\adapters.py", line 322, in request
utils.raise_for_error(
File "C:\Path\to\Project\venv\lib\site-packages\hvac\utils.py", line 42, in raise_for_error
raise exceptions.InvalidPath(message, errors=errors, method=method, url=url)
hvac.exceptions.InvalidPath: None, on list https://vault.company.org/v1/sys/namespaces
The API works as intended as long as namespaces are found, the error only occurs when the API yields a 404. When looking into the Vault CLI / UI they simply show an empty list / nothing.
Maybe hvac could return either None or [] in case of non-existing namespaces?
Drops 3.6 from CI as it is not supported by the latest os images. Since 3.6 will soon be dropped, now is as good of a time as any to update the jobs.
Signed-off-by: Colin McAllister [email protected]
CI/CDThe patch function in hvac requires the get role capability in associated policy to run successfully, which shouldn't be the case. The patch capability should be enough to run the patch function(vault kv patch works as expected with the patch capability role).
Screenshot of the error:
role_name parameter to auth.token.create_orphan. GH-891Breakfix release to revert some unintended post-1.0 requirements changes.
six & requests Requirements Changes . GH-768Note: This is actually and truly (😝) intended to by the last hvac release supporting Python 2.7.
Starting with hvac version 1.0.0, Python versions >=3.6 will be the only explictly supported versions.
Requirements - Cleanup & Upgrades (install_requires => requests>=2.25.1 ). GH-741
use_token param. GH-746cert Parameter From Client into Adapter Class. GH-743verify Behavior . GH-745Thanks to @Tylerlhess, @anhdat, @ayav09, @bobmshannon, @bpatterson971, @briantist, @cmanfre4, @jeffwecan, Chris Manfre and tyhess for their lovely contributions..
Source code(tar.gz)Note: This is intended to by the last hvac release supporting Python 2.7.
Starting with hvac version 1.0.0, Python versions >=3.6 will be the only explicitly supported versions.
Userpass: Add use_token param on login(), Accept passthrough **kwargs on create user . GH-733
create_or_update_user(). GH-714token_ttl & token_max_ttl Arguments to ldap.configure(). GH-707Client() k8s methods. GH-732Client() approle methods. GH-731Client() Methods. GH-730python_requires='>=2.7' to setuptools Metadata. GH-727black Formatting + Updated PR Actions Workflow. GH-726Thanks to @el-deano, @intgr, @jeffwecan, @pjaudiomv, @tp6783 and tyhess for their lovely contributions.
Source code(tar.gz)Cert.login(). GH-712Cert.login() Conditional for Python 2.7 Syntax Support. GH-708Thanks to @jeffwecan for their lovely contributions.
Source code(tar.gz)group_type argument in update_group and create_or_update_group_by_name. GH-703Thanks to @Tylerlhess, @jeffwecan, @matusf, @mblau-leaffilter and tyhess for their lovely contributions.
Source code(tar.gz)delete_version_after KvV2 Param - configure() / `update_metadata(). GH-694Thanks to @jeffwecan for their lovely contributions.
Source code(tar.gz)policies Parameter to Userpass create_or_update_user() Method. GH-562read_secret() Method for KVv2 Class. GH-686Thanks to @jeffwecan, @mblau-leaffilter, @nicholaswold, @sshishov, @tirkarthi, @tomwerneruk and @vamshideveloper for their lovely contributions.
Source code(tar.gz)Thanks to @JPoser, @fhemberger, @jeffwecan, @lperdereau and jposer for their lovely contributions.
Source code(tar.gz)Thanks to @blag, @devlounge, @jeffwecan and @jonZlotnik for their lovely contributions.
Source code(tar.gz)Thanks to @jeffwecan, @krish7919 and Krish for their lovely contributions.
Source code(tar.gz)Thanks to @Angeall, @JJCella, @briantist, @derBroBro, @discogestalt, @dogfish182, @el-deano, @ghTravis, @godara01, @jeffwecan, @leongyh, @phickey, @tienthanh2509, @tmcolby and @trixpan for their lovely contributions.
Source code(tar.gz)Thanks to @akdor1154, @jeffwecan, @ns-jshilkaitis and @trishankatdatadog for their lovely contributions.
Source code(tar.gz)Thanks to @jeffwecan, @jm96441n and @pnijhara for their lovely contributions.
Source code(tar.gz)Thanks to @finarfin and @jeffwecan for their lovely contributions.
Source code(tar.gz)Thanks to @TerryHowe, @and-semakin, @jeffwecan, @jschlyter, @jzck, @mdelaney and @scarabeusiv for their lovely contributions.
Source code(tar.gz)Note: GH-537 changes some methods' return types from None to a request.Response
instance. For instance the client.secrets.identity.lookup_entity now returns a Response[204] (truthy) value instead of
None (falsy) when the lookup returns no results.
This change was made to simplify maintenance of response parsing within the hvac code base.
Thanks to @jeffwecan, @llamasoft and @msuszko for their lovely contributions.
Source code(tar.gz)Note: GH-533 includes fundamental behavior involving sending parameters to API requests to Vault. Many hvac method parameters that would have been sent with default arguments no longer are included in requests to Vault. Notably, the following behavioral changes should be expected (copied from the related PR comments):
Azure:
create_role parameter policies now accepts CSV string or list of stringsDatabase:
create_role documentation updated to something meaningful 🙃GCP:
configure parameter google_certs_endpoint is deprecatedcreate_role parameter project_id is deprecated by bound_projects (list)GitHub:
configure is missing a lot of parametersLDAP:
configure parameters user_dn and group_dn made optional
hvac/constants/ldap.py file removed as it is no longer usedMFA:
Okta:
configure parameter base_url default value now differs from API documentation
register_user, read_user, and delete_user duplicate URL parameter username in JSON payload
delete_group, but register_group and list_group correctly omit itPKI:
sign_data and verify_signed_data optional parameter marshaling_algorithm addedRADIUS:
configure is missing a lot of parametersregister_user attempted to convert username string into a CSV list (?!) for POST data
username is extracted from URL path in Vault serverregister_user parameter policies never actually passed as parameterSystem Backend:
enable_auth_method parameter plugin_name is deprecatedenable_audit_device optional parameter local was addedinitialize provides default for required API parameters secret_shares and secret_thresholdstart_root_token_generation parameter otp is deprecatedMisc:
**kwargs (e.g. hvac/api/system_backend/auth.py)*args and **kwargs (e.g. hvac/api/secrets_engines/active_directory.py)hvac/api/secrets_engines/pki.py uses extra_params={}hvac/api/auth_methods/ldap.py configure uses user_dn instead of userdnhvac/api/system_backend/auth.py configure uses method_type instead of typettl, max_ttl, policies, period, num_uses and a few other fields are deprecated as of Vault version 1.2.0
Thanks to @findmyname666, @llamasoft, @moisesguimaraes, @philherbert and Adrian Eib for their lovely contributions.
Source code(tar.gz)Thanks to @DaveDeCaprio, @Dowwie, @drewmullen, @jeffwecan, @llamasoft and @vamshideveloper for their lovely contributions.
Source code(tar.gz)Thanks to @jeffwecan and @vamshideveloper for their lovely contributions.
Source code(tar.gz)Thanks to @Tylerlhess, @drewmullen and @jeffwecan for their lovely contributions.
Source code(tar.gz)generate_credentials request method to GET. GH-475Thanks to @donjar, @fhemberger, @jeffwecan, @stevefranks and @stevenmanton for their lovely contributions.
Source code(tar.gz)BUG FIXES:
IMPROVEMENTS:
enable_auth_method(), tune_auth_method(), enable_secrets_engine(), tune_mount_configuration() system backend method now take arbitrary **kwargs parameters to provide greater support for variations in accepted parameters in the underlying Vault plugins.num_uses, change bound_location -> bound_locations and bound_resource_group_names -> bound_resource_groups. GH-452MISCELLANEOUS:
Thanks to @denisvll, @Dudesons, and @drewmullen for their lovely contributions.
Source code(tar.gz)BUG FIXES:
IMPROVEMENTS:
MISCELLANEOUS:
delete_roleset() method added to GCP secrets engine support. GH-449Thanks to @nledez and @drewmullen for their lovely contributions.
Source code(tar.gz)BUG FIXES:
IMPROVEMENTS:
MISCELLANEOUS:
Thanks to @paulcaskey, @stevenmanton, @brad-alexander, @yoyomeng2, @JadeHayes, @Dudesons for their lovely contributions.
Source code(tar.gz)BUG FIXES:
Thanks to @eltoder and @andytumelty for their lovely contributions.
Source code(tar.gz)BUG FIXES:
initialize() method recovery_shares and recovery_threshold parameter validation regression. GH-416
WallAlley.bot About WallAlley.bot is an open source and free to use financial discord bot originaly build for WallAlley server's community. All data a
Messenger This is a small messenger with the cmd as an interface. It started as a project to learn more about Python 3. If you want to run a version o
NekoRobot A modular telegram Python bot running on python3 with an sqlalchemy, mongodb database. ╒═══「 Status 」 Maintained Support Group Included Free
for support join here working example group Leech Here For Any Issues/Imrovements or Discussions go here or here Please Leave A star And Fork this Rep
The Main Pythonic Version Of Twig Using Nextcord
Novus A modern, easy to use, feature-rich, and async ready API wrapper for Discord written in Python. A full fork of Rapptz's Discord.py library, with
Project Setup Follow the steps below to set up the project on your environment. Mac Setup Homebrew requires the Xcode command-line tools from Apple's
DeepL DeepL Free API Notice Since I don't want to make my AuthKey public, if you
Discord Token Creator A discord token creator that uses the service capmonster for captcha solving! Report Bug · Request Feature Features Autojoin dis
Online Marketplace API Table of Contents Setup Instructions Documentation Setup instructions Make sure you have python installed Clone the repository
Roblox-Nuker A nuker for Roblox accounts. Made by Ice Bear#0167 Usage I would recommend running in replit (https://replit.com) as it is deprecated in
Python bindings for swm-core client REST API Description Sky Port is an universal bus between user software and compute resources. It can also be cons
Crypto Trading Simulator Run streamlit run main.py Dependency Python 3 streamli
um simples script para localizar IP pkg install git (apt-get install git) pkg install python (apt-get install python) git clone https://github.com/byd
ཧᜰ꙰ꦿ➢𝐎𝐀𝐍༒☛ 🎧 Advanced 𝐎𝐀𝐍 Music bot. 🔗 𝐏𝐨𝐰𝐞𝐫𝐞𝐝 𝐛𝐲 : ➢𝐀ttitude
Anyone's Fortnite Save the World Profile Dumper This program allows you to dump anyone's Fortnite Save the World Profiles. How to use it? After starti
Discord-Call-Crasher The Fasted Proxyless Multi-Threaded Discord Call Crasher (Created By Jonah) Requirements / Setting up There will be a few things
Python horoscope The program allows you to get a horoscope for your zodiac sign and immediately translate it into almost any language. Step 1 The firs
Catppuccin Wallpapers I was in need of wallpapers conforming to the catppuccin colorscheme. So, I wrote a simple script to iteratively generate a set
ZeusMusic Requirements 📝 FFmpeg NodeJS nodesource.com Python 3.7 or higher PyTgCalls MongoDB 2nd Telegram Account (needed for userbot) 🧪 Get SESSION
1 Jan 22, 2022
1 Feb 24, 2022
11 Oct 11, 2022
202 Dec 26, 2022
8 Mar 21, 2022
60 Jan 03, 2023
18 Jul 15, 2022
4 Apr 11, 2022
41 Oct 25, 2021
3 Jul 13, 2022
7 May 10, 2022
1 Jan 01, 2022
12 Jul 02, 2022
4 Nov 29, 2021
5 Feb 25, 2022
6 Apr 13, 2022
10 Jun 17, 2022
0 Dec 25, 2021
11 Nov 29, 2022
4 Jan 03, 2022