Vault
- enum q2_sdk.core.vault.StorageLevel(value)
Valid values are as follows:
- Institution = <StorageLevel.Institution: 'institution'>
- Stack = <StorageLevel.Stack: 'stack'>
- class q2_sdk.core.vault.SearchReplacements(institution_id=None, stack_id=None)
SearchReplacements(institution_id: Optional[str] = None, stack_id: Optional[str] = None)
- class q2_sdk.core.vault.RecentVaultKey(prefix, key, success)
RecentVaultKey(prefix: str, key: str, success: bool)
- class q2_sdk.core.vault.RecentKeysStack(max_size)
Configure RecentKeys to work with forked mode
- class q2_sdk.core.vault.LocalPathConfig(cert_name, institution, hq_credentials, env)
LocalPathConfig(cert_name: str, institution: str, hq_credentials: q2_sdk.hq.models.hq_credentials.HqCredentials, env: str)
- class q2_sdk.core.vault.Q2Vault(addr, token, allow_local=True, logger=<RootLogger root (INFO)>, timeout=3)
Class for interacting with HashiCorp’s Vault (https://www.vaultproject.io)
- read(key, *, level=StorageLevel.Stack, replacements=None, default=None, **kwargs)
Vault stores data at paths, like a filesystem. We use the base path secret/ABA for historical reasons; your data can then be stored below that at various locations depending on your needs.
In order of most to least specific data storage location, we have:
- Stack
Each Database in Q2 gets a unique id assigned to it. This is available in settings.VAULT_KEY
- Institution
This will tie to the value in settings.COMPANY if it exists, or settings.HQ_CREDENTIALS.aba if it does not
- Parameters:
key – Keyname in Vault
level (StorageLevel) – To specify Stack or Institution storage location
replacements (SearchReplacements) – Provided as a way to query a different FI than the one configured for this service. Useful in multitenant scenarios
default – Value to return if data does not exist at the specified location
- Return type:
dict
- read_raw(key, *, prefix='secret/ABA')
Catchall way of interacting with Vault directly if one of the more specific helper functions doesn’t do the trick
- write(path, body=<class 'dict'>, prefix='secret/ABA')
This is only possible if appropriate authorization (Vault Policies) is tied to the active vault token.
If configured with a local vault directory, writes will always be allowed.
- get_certificate(cert_name, hq_credentials, env='default', as_obj=False)
Gets a certificate from vault or local disk cache if available. Local certificate cache is good for 300 seconds.
Looks up one of two paths:
If VAULT_SCOPED_READ is True in settings:
{institution}/certs/{cert_name}
where {institution} is either settings.COMPANY or hq_credentials.ABA
If VAULT_SCOPED_READ is False in settings:
{ABA}_certs/{env}/{cert_name}
If VAULT_SCOPED_READ is True, the lookup will still fall through to the old behavior if the cert is not found at the new location.
- Parameters:
cert_name (str) – Last part of the path in Vault
hq_credentials (HqCredentials) – Used to specify the first part of the path in Vault
env (str) – Middle part of the path in Vault (ignored if VAULT_SCOPED_READ is True)
as_obj (bool) – If True, will return a Certificate object, with .key and .cert properties as well as .path
- Return type:
Union[str, Certificate]
- get_smart_token(key)
Helper for getting Q2Smart token for this SDK instance
- Return type:
str
- q2_sdk.core.vault.get_token()
Gets vault_token from either the filesystem or an environment variable
- Return type:
str
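
The lookup order and 300-second cache described for get_certificate above, as an added stand-alone model (not q2_sdk code). The names candidate_cert_paths and CertResolver, the dict-backed store and the sample values are hypothetical, and the real SDK may differ in details such as how its cache is keyed.

```python
import time

CACHE_TTL_SECONDS = 300  # documented lifetime of the local certificate cache


def candidate_cert_paths(cert_name, aba, company=None, env="default", scoped_read=True):
    """Lookup paths in the documented order (scoped path first, then legacy)."""
    legacy = f"{aba}_certs/{env}/{cert_name}"
    if not scoped_read:
        return [legacy]
    institution = company or aba  # settings.COMPANY if set, otherwise the ABA
    return [f"{institution}/certs/{cert_name}", legacy]


class CertResolver:
    """Hypothetical model: `store` is a dict standing in for Vault."""

    def __init__(self, store, clock=time.monotonic):
        self.store = store
        self.clock = clock
        self._cache = {}  # lookup arguments -> (expiry, path, value)

    def resolve(self, cert_name, aba, company=None, env="default", scoped_read=True):
        """Return (path, value, origin), origin being 'vault' or 'cache'."""
        key = (cert_name, aba, company, env, scoped_read)
        hit = self._cache.get(key)
        if hit and hit[0] > self.clock():
            return hit[1], hit[2], "cache"
        for path in candidate_cert_paths(cert_name, aba, company, env, scoped_read):
            if path in self.store:
                value = self.store[path]
                self._cache[key] = (self.clock() + CACHE_TTL_SECONDS, path, value)
                return path, value, "vault"
        raise KeyError(f"{cert_name} not found at any candidate path")


if __name__ == "__main__":
    # Constructed sample data: the certificate exists only at the legacy path.
    vault = {"123456789_certs/default/mtls.pem": "OLD-CERT"}
    resolver = CertResolver(vault)
    print(resolver.resolve("mtls.pem", aba="123456789", company="examplebank"))
    del vault["123456789_certs/default/mtls.pem"]  # removed from the store...
    print(resolver.resolve("mtls.pem", aba="123456789", company="examplebank"))  # ...still cached
```

Because of the fall-through and the cache, a certificate removed from the scoped path can still be served from the legacy path or from a cached copy for up to 300 seconds, so rotation and retirement need to cover both locations.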