HashiCorp Vault API client for Python 3.x
Tested against the latest release, HEAD ref, and 3 previous minor versions (counting back from the latest release) of Vault. Current official support covers Vault v1.3.10 or later.
pip install hvac
If you would like to be able to return parsed HCL data as a Python dict for methods that support it:
pip install "hvac[parser]"
Additional documentation for this module available at: hvac.readthedocs.io:
I'm using the hvac package with vault 0.6.1. In my script, I attempt to authenticate against our Vault server with the username/password authentication method:
import hvac
vault_username = "username"
vault_pw = "mypassword"
vault_client.auth_userpass(vault_username, vault_pw)
And I'm getting this error:
$ ./script.py
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 595, in urlopen
chunked=chunked)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 352, in _make_request
self._validate_conn(conn)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 831, in _validate_conn
conn.connect()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 289, in connect
ssl_version=resolved_ssl_version)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 308, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 377, in wrap_socket
_context=self)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 752, in __init__
self.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 621, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./script.py", line 33, in <module>
vault_client.auth_userpass(vault_username, vault_pw)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 481, in auth_userpass
return self.auth('/v1/auth/{0}/login/{1}'.format(mount_point, username), json=params, use_token=use_token)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 600, in auth
response = self._post(url, **kwargs).json()
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 643, in _post
return self.__request('post', url, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 664, in __request
allow_redirects=False, **_kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 596, in send
r = adapter.send(request, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
I thought it might be a TLS negotiation mismatch between my client and our Vault server but we aren't explicitly blocking/denying requests on TLSv1.
Based on the stack trace, it looks like an issue with my Python installation but I'm able to open other SSL sites in my Python environment without any problems:
$ python
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 26 2016, 10:47:25)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://www.howsmyssl.com/a/check")
<Response [200]>
According to the Vault documentation for the iam/ec2 auth endpoints, it works like this:
curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", "iam_http_request_method": "POST", "iam_request_url": "aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8=", "iam_request_body": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ==", "iam_request_headers": "eyJDb250ZW50LUxlbmd0aCI6IFsiNDMiXSwgIlVzZXItQWdlbnQiOiBbImF3cy1zZGstZ28vMS40LjEyIChnbzEuNy4xOyBsaW51eDsgYW1kNjQpIl0sICJYLVZhdWx0LUFXU0lBTS1TZXJ2ZXItSWQiOiBbInZhdWx0LmV4YW1wbGUuY29tIl0sICJYLUFtei1EYXRlIjogWyIyMDE2MDkzMFQwNDMxMjFaIl0sICJDb250ZW50LVR5cGUiOiBbImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsgY2hhcnNldD11dGYtOCJdLCAiQXV0aG9yaXphdGlvbiI6IFsiQVdTNC1ITUFDLVNIQTI1NiBDcmVkZW50aWFsPWZvby8yMDE2MDkzMC91cy1lYXN0LTEvc3RzL2F3czRfcmVxdWVzdCwgU2lnbmVkSGVhZGVycz1jb250ZW50LWxlbmd0aDtjb250ZW50LXR5cGU7aG9zdDt4LWFtei1kYXRlO3gtdmF1bHQtc2VydmVyLCBTaWduYXR1cmU9YTY5ZmQ3NTBhMzQ0NWM0ZTU1M2UxYjNlNzlkM2RhOTBlZWY1NDA0N2YxZWI0ZWZlOGZmYmM5YzQyOGMyNjU1YiJdfQ==" }'
https://www.vaultproject.io/docs/auth/aws.html
After un-base64-ing that, and formatting it to make it somewhat readable, it looks like:
curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev", \
"iam_http_request_method": "POST", \
"iam_request_url": "https://sts.amazonaws.com/", \
"iam_request_body": "Action=GetCallerIdentity&Version=2011-06-15", \
"iam_request_headers": "{"Content-Length": ["43"], \
"User-Agent": ["aws-sdk-go/1.4.12 (go1.7.1; linux; amd64)"], \
"X-Vault-AWSIAM-Server-Id": ["vault.example.com"], \
"X-Amz-Date": ["20160930T043121Z"], \
"Content-Type": ["application/x-www-form-urlencoded; charset=utf-8"], \
"Authorization": ["AWS4-HMAC-SHA256 Credential=foo/20160930/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-vault-server, \
Signature=a69fd750a3445c4e553e1b3e79d3da90eef54047f1eb4efe8ffbc9c428c2655b"]}" }'
But I'm looking through the hvac code, and auth_ec2 does none of those things.
In experimenting with it, I'm getting explosions like:
>> client.auth_ec2(requests.get("http://169.254.169.254/latest/dynamic/instance-identity/pkcs7").text)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 562, in auth_ec2
return self.auth('/v1/auth/aws-ec2/login', json=params, use_token=use_token)
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 787, in auth
response = self._post(url, **kwargs).json()
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 947, in _post
return self.__request('post', url, **kwargs)
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 986, in __request
self.__raise_error(response.status_code, text, errors=errors)
File "/opt/ops/venv/local/lib/python2.7/site-packages/hvac/v1/__init__.py", line 992, in __raise_error
raise exceptions.InvalidRequest(message, errors=errors)
hvac.exceptions.InvalidRequest: missing client token
Missing client token is not what it should be responding. But then, hvac doesn't appear to actually be even trying to authenticate properly, so the server appears to be trying to authenticate it with the default (token) auth.
Does this auth_ec2 even work? Or am I missing something very obvious and fundamental?
bugFailing example from the README:
>>> import os, hvac
>>> client = hvac.Client(url='http://localhost:8200', token='foobar')
>>> client.is_authenticated()
True
>>> client.write('secret/foo', baz='bar', lease='1h')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 64, in write
response = self._put('/v1/{0}'.format(path), json=kwargs, wrap_ttl=wrap_ttl)
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 1242, in _put
return self.__request('put', url, **kwargs)
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 1278, in __request
self.__raise_error(response.status_code, text, errors=errors)
File "/usr/lib/python3.6/site-packages/hvac/v1/__init__.py", line 1290, in __raise_error
raise exceptions.InvalidPath(message, errors=errors)
hvac.exceptions.InvalidPath: {"request_id":"494d7306-ede4-bc4f-47d5-747bff182df3","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation."],"auth":null}
>>> print(client.read('secret/foo'))
None
>>>
For reference, here's the cli - correct call (vault kv put/vault kv get) and incorrect call (vault write; produces the same error):
% vault kv put secret/bar baz=qux
Key Value
--- -----
created_time 2018-05-22T11:08:01.003383998Z
deletion_time n/a
destroyed false
version 1
% vault kv get secret/bar
====== Metadata ======
Key Value
--- -----
created_time 2018-05-22T11:08:01.003383998Z
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
baz qux
% vault write secret/baz qux=quux
Error writing data to secret/baz: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/baz
Code: 404. Errors:
WARNING! The following warnings were returned from Vault:
* Invalid path for a versioned K/V secrets engine. See the API docs for the
appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
for this operation.
%
Tested on Linux, using hvac 0.5.0 and python 2.7.15 and 3.6.5.
[Moving this discussion from https://github.com/ianunruh/hvac/pull/155#issuecomment-400119225 into an issue for visibility. cc: @RevolutionTech]
re: https://github.com/ianunruh/hvac/pull/170
Sorry if this is a stupid question, but since the API in https://github.com/ianunruh/hvac/pull/170 now requires an access key ID and a secret access key, is there any way we can use IAM auth without having those at runtime? For the application I work on, we store those credentials in Vault currently.
I realize that we can infer credentials with boto3 using the following code:
import boto3
session = boto3.Session()
credentials = session.get_credentials()
print(credentials.access_key, credentials.secret_key)
but boto3 attempts to collect the access key and secret key from many different locations (such as environment variables, and from ~/.aws/credentials) before it ultimately uses the IAM role, so if we were to rely on this we may not collect the credentials that correspond to the IAM role we want.
Is there some other way to extract an access key and secret key from an IAM role that I'm missing?
I understand that it may be too early to actually drop Python 2 support, because still ~ 40% of downloads come from Python 2 (according to PyPI stats). But it might be a good idea to announce plans in advance and tell users which version of hvac will be the latest with Python 2 support. Does the hvac project have any plan on this matter?
Module for Active directory which will help us to manage AD through automation I will also update hvac/hvac/api/secrets_engines/init.py to support ad.py
skip-changelogI have the following policy:
"paths": {
(...)
"secret/data/foo/bar/*": {
"allowed_parameters": {
"x": [],
"y": [],
"z": []
},
"capabilities": [
"create",
"read",
"update",
"delete",
"list"
],
(...)
}
The following works fine: vault write secret/data/foo/bar/baz x=1 y=2 z=3.
However, using the same exact token in hvac:
>>> client.secrets.kv.v2.create_or_update_secret('foo/bar/baz', secret = {'x': '1', 'y': '2', 'z': '3'})
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/api/secrets_engines/kv_v2.py", line 122, in create_or_update_secret
json=params,
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/adapters.py", line 106, in post
return self.request('post', url, **kwargs)
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/adapters.py", line 276, in request
utils.raise_for_error(response.status_code, text, errors=errors)
File "/home/[REDACTED]/.local/lib/python3.7/site-packages/hvac/utils.py", line 33, in raise_for_error
raise exceptions.Forbidden(message, errors=errors)
hvac.exceptions.Forbidden: 1 error occurred:
* permission denied
I did a tcpdump (since it was to an HTTP Vault server on localhost), and found that the Vault CLI client does e.g. (real values have been replaced):
PUT /v1/secret/data/foo/bar/baz HTTP/1.1
Host: 127.0.0.1:8200
User-Agent: Go-http-client/1.1
Content-Length: [REDACTED FOR DEMO]
X-Vault-Token: [REDACTED FOR DEMO]
Accept-Encoding: gzip
{"x":"1","y":"2","z":"3"}
BUT the client.secrets.kv.v2.create_or_update_secret call does e.g. this (actual values replaced):
POST /v1/secret/data/foo/bar/baz HTTP/1.1
Host: localhost:8200
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-Vault-Token: [REDACTED FOR DEMO]
Content-Length: [REDACTED FOR DEMO]
Content-Type: application/json
{"options": {}, "data": {"x": "1", "y": "2", "z": "3"}}
Notable differences are a POST vs. PUT, and the structure of the payload.
For whatever reason, this causes a permission denied error (403) for hvac, but the vault client succeeds.
At a guess, maybe the docs are wrong? As the Vault client does not seem to conform to the docs (but hvac does).
Are you able to replicate?
bug kvThis is another big PR so apologies in advance. This PR fixes issue #525 and arises from the discussion therein.
This PR does one thing: create a new JSONAdapter and makes it the default. The "JSON adapter" works just like the previous "Request" adapter except the return value uses the following logic:
if response.status_code == 200:
try:
return response.json()
except ValueError:
pass
return response
The net result is that all client functions now have consistent logic regarding what they return. As a result, all instances of the following client logic have been removed:
return response.json()
and
if response.status_code == 204:
return response
else:
return response.json()
This will likely cause some breaking changes for some users, especially with regards to the direct client.[read,list,write,delete] methods as they will no longer throw a ValueError from assuming the response always contains a JSON body.
This builds on #739 and closes #582.
I think besides dropping Python 2 support, Python 3.6 and older should be dropped as well as they are EOL. This library should track with Python version support.
Same TODO as mentioned in #739
https://github.com/hvac/hvac/blob/master/hvac/v1/init.py#L687
The latest version of vault does not seem to return the same json.
There seems to be a similar change with list_auth_backends but that doesn't throw an exception. I'll submit something if I'm not missing something.
I am getting hvac.exceptions.InvalidPath: no handler for route 'secret/data/kv' error while trying to read KV 2 via hvac.
does anyone run into the same problem?
hvac==0.9.2
vault 1.1.2
CentOS 7.6
cluster_name = "dc1" max_lease_ttl = "768h" default_lease_ttl = "768h"
disable_clustering = "False" cluster_addr = "http://127.0.0.1:8201" api_addr = "http://127.0.0.1:8200"
plugin_directory = "/usr/local/lib/vault/plugins"
listener "tcp" { address = "127.0.0.1:8200" cluster_address = "127.0.0.1:8201" tls_disable = "true" }
storage "file" { path = "/var/vault" }ui = true
#!/usr/bin/python
import hvac
client = hvac.Client(url='http://127.0.0.1:8200', token='
print client.is_authenticated()
secret_version_response = client.secrets.kv.v2.read_secret_version( path='kv', )
True
Traceback (most recent call last):
File "./p1.py", line 10, in
I get the following error when I try to get credentials from an sts endpoint. Below is the error.
Response { "errorMessage": "Error assuming role: InvalidParameter: 1 validation error(s) found.\n- minimum field value of 900, AssumeRoleInput.DurationSeconds.\n, on put https://vault.endpoint.com/v1/aws/sts/vault-policy", "errorType": "InvalidRequest", "stackTrace": [ " File "/var/task/lambda_function.py", line 54, in lambda_handler\n print(hvac.api.secrets_engines.Aws.generate_credentials(client, 'lambda_china_staging', role_arn='arn:aws:iam::1234567890:role/VaultAssumeRoleDummy', endpoint='sts', ttl='3600s'))\n", " File "/var/task/hvac/api/secrets_engines/aws.py", line 397, in generate_credentials\n params=params,\n", " File "/var/task/hvac/adapters.py", line 139, in put\n return self.request("put", url, **kwargs)\n", " File "/var/task/hvac/adapters.py", line 369, in request\n response = super().request(*args, **kwargs)\n", " File "/var/task/hvac/adapters.py", line 336, in request\n method, url, response.status_code, text, errors=errors\n", " File "/var/task/hvac/utils.py", line 36, in raise_for_error\n raise exceptions.InvalidRequest(message, errors=errors, method=method, url=url)\n" ] } Request: hvac.api.secrets_engines.Aws.generate_credentials(client, 'lambda_china_staging', role_arn='arn:aws:iam::1234567890:role/VaultAssumeRoleDummy', endpoint='sts', ttl='3600s')
I'm building a AWS Lambda Layer to share between my lambdas. To create the lambda layer package and upload to my S3 bucket I'm using the following script:
#!/usr/bin/env bash
bucket_name="$1"
lambda_layer_package="$2"
python3 -m venv python
. './python/bin/activate'
python3 -m pip install \
-r 'requirements.txt' \
--trusted-host 'artifactory.myhost.com' \
--proxy 'http://myproxy.myhost.com:3128' \
--index-url 'https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple'
deactivate
rm -rf './python/bin'
rm -rf './python/include'
rm -rf './python/pyvenv.cfg'
zip -r "${lambda_layer_package}" './python' &>/dev/null
aws s3 cp \
"${lambda_layer_package}" \
"s3://${bucket_name}/lambda_layers/${lambda_layer_package}" \
--acl 'private'
I have another lambda layer that uses this same script to create a layer with boto3, jinja2 and requests and everything works fine, but when I add hvac in my requirements.txt i get the error below:
Looking in indexes: https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple
Collecting boto3
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/27/8e/ebd5c9bff881ba6bbc7d9a6e00766f6052a9b8579cc19a7ddafedc1500b9/boto3-1.26.38-py3-none-any.whl (132 kB)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 132.7/132.7 KB 5.5 MB/s eta 0:00:00
Collecting hvac
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/8d/43/6532046afa7b20c352d2a8b68de1d1fd350104024edfb00bf486801712af/hvac-1.0.2-py3-none-any.whl (143 kB)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 143.5/143.5 KB 9.8 MB/s eta 0:00:00
Collecting jmespath<2.0.0,>=0.7.1
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/31/b4/b9b800c45527aadd64d5b442f9b932b00648617eb5d63d2c7a6587b7cafc/jmespath-1.0.1-py3-none-any.whl (20 kB)
Collecting botocore<1.30.0,>=1.29.38
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/5e/35/c0660215b73e23e7edc84002d5c12a23208c5d4dcee9248d4b4d1a313860/botocore-1.29.38-py3-none-any.whl (10.3 MB)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 10.3/10.3 MB 46.6 MB/s eta 0:00:00
Collecting s3transfer<0.7.0,>=0.6.0
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/5e/c6/af903b5fab3f9b5b1e883f49a770066314c6dcceb589cf938d48c89556c1/s3transfer-0.6.0-py3-none-any.whl (79 kB)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 79.6/79.6 KB 1.6 MB/s eta 0:00:00
Collecting pyhcl<0.5.0,>=0.4.4
Downloading https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/packages/packages/91/b0/dd4f1d01b77be3b66d9f550ed958b68fa553764be1d27c7d604906c06b42/pyhcl-0.4.4.tar.gz (61 kB)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ 61.1/61.1 KB 3.9 MB/s eta 0:00:00
Installing build dependencies: started
Installing build dependencies: still running...
Installing build dependencies: still running...
Installing build dependencies: still running...
Installing build dependencies: finished with status 'error'
error: subprocess-exited-with-error
ร pip subprocess to install build dependencies did not run successfully.
โ exit code: 1
โฐโ> [8 lines of output]
Looking in indexes: https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f7724a00220>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f772426bd60>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f772426b1f0>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f772426b610>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f7723c26c10>, 'Connection to artifactory.myhost.com timed out. (connect timeout=15)')': /artifactory/api/pypi/pypi.org/simple/setuptools/
ERROR: Could not find a version that satisfies the requirement setuptools (from versions: none)
ERROR: No matching distribution found for setuptools
[end of output]
note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error
ร pip subprocess to install build dependencies did not run successfully.
โ exit code: 1
โฐโ> See above for output.
note: This error originates from a subprocess, and is likely not a problem with pip.
If I look into my artifactory repository, accessing the path https://artifactory.myhost.com/artifactory/api/pypi/pypi.org/simple/setuptools/, setuptools exists from the oldest version to the recent 65.6.3.
When listing namespaces the API throws an exception if no namespaces are found.
Example Code:
try:
ns_client = hvac.Client(url="https://vault.company.org", namespace="some_namespace", token="some_token")
sub_namespaces = ns_client.sys.list_namespaces()
except Exception as e:
import traceback
logging.error(f"Err: {e}")
print(traceback.format_exc())
yields:
2022-12-20 14:17:18,461 - DEBUG - https://vault.company.org:443 "LIST /v1/sys/namespaces HTTP/1.1" 404 14
2022-12-20 14:17:18,462 - ERROR - Err: None, on list https://vault.company.org/v1/sys/namespaces
Traceback (most recent call last):
File "C:\Path\to\Project\sync_vault_config.py", line 56, in get_namespaces
sub_namespaces = ns_client.sys.list_namespaces()
File "C:\Path\to\Project\venv\lib\site-packages\hvac\api\system_backend\namespace.py", line 30, in list_namespaces
return self._adapter.list(
File "C:\Path\to\Project\venv\lib\site-packages\hvac\adapters.py", line 164, in list
return self.request("list", url, **kwargs)
File "C:\Path\to\Project\venv\lib\site-packages\hvac\adapters.py", line 356, in request
response = super().request(*args, **kwargs)
File "C:\Path\to\Project\venv\lib\site-packages\hvac\adapters.py", line 322, in request
utils.raise_for_error(
File "C:\Path\to\Project\venv\lib\site-packages\hvac\utils.py", line 42, in raise_for_error
raise exceptions.InvalidPath(message, errors=errors, method=method, url=url)
hvac.exceptions.InvalidPath: None, on list https://vault.company.org/v1/sys/namespaces
The API works as intended as long as namespaces are found, the error only occurs when the API yields a 404. When looking into the Vault CLI / UI they simply show an empty list / nothing.
Maybe hvac could return either None or [] in case of non-existing namespaces?
Drops 3.6 from CI as it is not supported by the latest os images. Since 3.6 will soon be dropped, now is as good of a time as any to update the jobs.
Signed-off-by: Colin McAllister [email protected]
CI/CDThe patch function in hvac requires the get role capability in associated policy to run successfully, which shouldn't be the case. The patch capability should be enough to run the patch function(vault kv patch works as expected with the patch capability role).
Screenshot of the error:
role_name parameter to auth.token.create_orphan. GH-891Breakfix release to revert some unintended post-1.0 requirements changes.
six & requests Requirements Changes . GH-768Note: This is actually and truly (๐) intended to by the last hvac release supporting Python 2.7.
Starting with hvac version 1.0.0, Python versions >=3.6 will be the only explictly supported versions.
Requirements - Cleanup & Upgrades (install_requires => requests>=2.25.1 ). GH-741
use_token param. GH-746cert Parameter From Client into Adapter Class. GH-743verify Behavior . GH-745Thanks to @Tylerlhess, @anhdat, @ayav09, @bobmshannon, @bpatterson971, @briantist, @cmanfre4, @jeffwecan, Chris Manfre and tyhess for their lovely contributions..
Source code(tar.gz)Note: This is intended to by the last hvac release supporting Python 2.7.
Starting with hvac version 1.0.0, Python versions >=3.6 will be the only explicitly supported versions.
Userpass: Add use_token param on login(), Accept passthrough **kwargs on create user . GH-733
create_or_update_user(). GH-714token_ttl & token_max_ttl Arguments to ldap.configure(). GH-707Client() k8s methods. GH-732Client() approle methods. GH-731Client() Methods. GH-730python_requires='>=2.7' to setuptools Metadata. GH-727black Formatting + Updated PR Actions Workflow. GH-726Thanks to @el-deano, @intgr, @jeffwecan, @pjaudiomv, @tp6783 and tyhess for their lovely contributions.
Source code(tar.gz)Cert.login(). GH-712Cert.login() Conditional for Python 2.7 Syntax Support. GH-708Thanks to @jeffwecan for their lovely contributions.
Source code(tar.gz)group_type argument in update_group and create_or_update_group_by_name. GH-703Thanks to @Tylerlhess, @jeffwecan, @matusf, @mblau-leaffilter and tyhess for their lovely contributions.
Source code(tar.gz)delete_version_after KvV2 Param - configure() / `update_metadata(). GH-694Thanks to @jeffwecan for their lovely contributions.
Source code(tar.gz)policies Parameter to Userpass create_or_update_user() Method. GH-562read_secret() Method for KVv2 Class. GH-686Thanks to @jeffwecan, @mblau-leaffilter, @nicholaswold, @sshishov, @tirkarthi, @tomwerneruk and @vamshideveloper for their lovely contributions.
Source code(tar.gz)Thanks to @JPoser, @fhemberger, @jeffwecan, @lperdereau and jposer for their lovely contributions.
Source code(tar.gz)Thanks to @blag, @devlounge, @jeffwecan and @jonZlotnik for their lovely contributions.
Source code(tar.gz)Thanks to @jeffwecan, @krish7919 and Krish for their lovely contributions.
Source code(tar.gz)Thanks to @Angeall, @JJCella, @briantist, @derBroBro, @discogestalt, @dogfish182, @el-deano, @ghTravis, @godara01, @jeffwecan, @leongyh, @phickey, @tienthanh2509, @tmcolby and @trixpan for their lovely contributions.
Source code(tar.gz)Thanks to @akdor1154, @jeffwecan, @ns-jshilkaitis and @trishankatdatadog for their lovely contributions.
Source code(tar.gz)Thanks to @jeffwecan, @jm96441n and @pnijhara for their lovely contributions.
Source code(tar.gz)Thanks to @finarfin and @jeffwecan for their lovely contributions.
Source code(tar.gz)Thanks to @TerryHowe, @and-semakin, @jeffwecan, @jschlyter, @jzck, @mdelaney and @scarabeusiv for their lovely contributions.
Source code(tar.gz)Note: GH-537 changes some methods' return types from None to a request.Response
instance. For instance the client.secrets.identity.lookup_entity now returns a Response[204] (truthy) value instead of
None (falsy) when the lookup returns no results.
This change was made to simplify maintenance of response parsing within the hvac code base.
Thanks to @jeffwecan, @llamasoft and @msuszko for their lovely contributions.
Source code(tar.gz)Note: GH-533 includes fundamental behavior involving sending parameters to API requests to Vault. Many hvac method parameters that would have been sent with default arguments no longer are included in requests to Vault. Notably, the following behavioral changes should be expected (copied from the related PR comments):
Azure:
create_role parameter policies now accepts CSV string or list of stringsDatabase:
create_role documentation updated to something meaningful ๐GCP:
configure parameter google_certs_endpoint is deprecatedcreate_role parameter project_id is deprecated by bound_projects (list)GitHub:
configure is missing a lot of parametersLDAP:
configure parameters user_dn and group_dn made optional
hvac/constants/ldap.py file removed as it is no longer usedMFA:
Okta:
configure parameter base_url default value now differs from API documentation
register_user, read_user, and delete_user duplicate URL parameter username in JSON payload
delete_group, but register_group and list_group correctly omit itPKI:
sign_data and verify_signed_data optional parameter marshaling_algorithm addedRADIUS:
configure is missing a lot of parametersregister_user attempted to convert username string into a CSV list (?!) for POST data
username is extracted from URL path in Vault serverregister_user parameter policies never actually passed as parameterSystem Backend:
enable_auth_method parameter plugin_name is deprecatedenable_audit_device optional parameter local was addedinitialize provides default for required API parameters secret_shares and secret_thresholdstart_root_token_generation parameter otp is deprecatedMisc:
**kwargs (e.g. hvac/api/system_backend/auth.py)*args and **kwargs (e.g. hvac/api/secrets_engines/active_directory.py)hvac/api/secrets_engines/pki.py uses extra_params={}hvac/api/auth_methods/ldap.py configure uses user_dn instead of userdnhvac/api/system_backend/auth.py configure uses method_type instead of typettl, max_ttl, policies, period, num_uses and a few other fields are deprecated as of Vault version 1.2.0
Thanks to @findmyname666, @llamasoft, @moisesguimaraes, @philherbert and Adrian Eib for their lovely contributions.
Source code(tar.gz)Thanks to @DaveDeCaprio, @Dowwie, @drewmullen, @jeffwecan, @llamasoft and @vamshideveloper for their lovely contributions.
Source code(tar.gz)Thanks to @jeffwecan and @vamshideveloper for their lovely contributions.
Source code(tar.gz)Thanks to @Tylerlhess, @drewmullen and @jeffwecan for their lovely contributions.
Source code(tar.gz)generate_credentials request method to GET. GH-475Thanks to @donjar, @fhemberger, @jeffwecan, @stevefranks and @stevenmanton for their lovely contributions.
Source code(tar.gz)BUG FIXES:
IMPROVEMENTS:
enable_auth_method(), tune_auth_method(), enable_secrets_engine(), tune_mount_configuration() system backend method now take arbitrary **kwargs parameters to provide greater support for variations in accepted parameters in the underlying Vault plugins.num_uses, change bound_location -> bound_locations and bound_resource_group_names -> bound_resource_groups. GH-452MISCELLANEOUS:
Thanks to @denisvll, @Dudesons, and @drewmullen for their lovely contributions.
Source code(tar.gz)BUG FIXES:
IMPROVEMENTS:
MISCELLANEOUS:
delete_roleset() method added to GCP secrets engine support. GH-449Thanks to @nledez and @drewmullen for their lovely contributions.
Source code(tar.gz)BUG FIXES:
IMPROVEMENTS:
MISCELLANEOUS:
Thanks to @paulcaskey, @stevenmanton, @brad-alexander, @yoyomeng2, @JadeHayes, @Dudesons for their lovely contributions.
Source code(tar.gz)BUG FIXES:
Thanks to @eltoder and @andytumelty for their lovely contributions.
Source code(tar.gz)BUG FIXES:
initialize() method recovery_shares and recovery_threshold parameter validation regression. GH-416Dns-client-server DNS Server: supporting all types of queries and replies. Shoul
Raphtory Client This is the python client for the Raphtory project Install via p
drcom-pt-client Drcom Pt version client with refresh timer Dr.com Pt็ๆฌๅฎขๆท็ซฏ ๅฏ็จไบ็ฝ้กต่ฎค
MonkeyLearn API for Python Official Python client for the MonkeyLearn API. Build and run machine learning models for language processing from your Pyt
??๏ธ Asynchronous Python client for the P1 Monitor
Google API Client This is the Python client library for Google's discovery based APIs. To get started, please see the docs folder. These client librar
Arista eAPI Python Library The Python library for Arista's eAPI command API implementation provides a client API work using eAPI and communicating wit
Close API A convenient Python wrapper for the Close API. API docs: http://developer.close.com Support: [email protected] Installation pip install clos
pyCoinPayments - Python API client for CoinPayments Updates This library has now been converted to work with python3 This is an unofficial client for
โ ๏ธ DEPRECATED This repository is no longer maintained. You can still use a REST client like Requests or other third-party Python library to access the
foursquare Python client for the foursquare API. Philosophy: Map foursquare's endpoints one-to-one Clean, simple, Pythonic calls Only handle raw data,
A python wrapper around HubSpot's APIs, for python 3.5+. Built initially around hapipy, but heavily modified. Check out the documentation here! (thank
This project is not actively maintained. Proceed at your own risk! python-instagram A Python 2/3 client for the Instagram REST and Search APIs Install
The Kite Connect API Python client - v3 The official Python client for communicating with the Kite Connect API. Kite Connect is a set of REST-like API
newsapi-python A Python client for the News API. License Provided under MIT License by Matt Lisivick. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRAN
A SmartFile Open Source project. Read more about how SmartFile uses and contributes to Open Source software. Summary This library includes two API cli
sodapy sodapy is a python client for the Socrata Open Data API. Installation You can install with pip install sodapy. If you want to install from sour
Pyechonest Tap into The Echo Nest's Musical Brain for the best music search, information, recommendations and remix tools on the web. Pyechonest is an
PyTumblr Installation Install via pip: $ pip install pytumblr Install from source: $ git clone https://github.com/tumblr/pytumblr.git $ cd pytumblr $
1 Feb 15, 2022
5 Apr 28, 2022
4 Nov 16, 2022
157 Nov 22, 2022
9 Dec 12, 2022
6.2k Jan 8, 2023
124 Nov 23, 2022
56 Nov 30, 2022
27 Sep 21, 2022
483 Dec 31, 2022
400 Dec 19, 2022
140 Dec 21, 2022
2.9k Dec 30, 2022
756 Jan 6, 2023
281 Dec 29, 2022
19 Jan 11, 2022
368 Dec 9, 2022
655 Dec 29, 2022
677 Dec 21, 2022