Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
  • 02:28
    mjs commented #811
  • May 15 15:28
    colin-pm commented #809
  • May 11 21:49
    colin-pm edited #811
  • May 11 21:18
    colin-pm review_requested #811
  • May 11 21:18
    colin-pm opened #811
  • May 06 22:03
    tachyonknave review_requested #810
  • May 06 22:03
    tachyonknave opened #810
  • May 04 18:16
    rajmaradia commented #809
  • May 02 18:11

    jeffwecan on develop

    Drop funding bit add "help wanted" callout to re… (compare)

  • May 02 18:07
    jeffwecan pinned #809
  • May 02 18:07
    jeffwecan labeled #809
  • May 02 18:07
    jeffwecan opened #809
  • May 02 17:27
    pgajdos commented #582
  • Apr 30 20:28
    bdastur commented #808
  • Apr 30 19:14
    bdastur opened #808
  • Apr 21 16:40
    Tylerlhess commented #806
  • Apr 20 10:18
    LuckySB edited #807
  • Apr 20 10:18
    LuckySB edited #807
  • Apr 20 10:17
    LuckySB edited #807
  • Apr 20 10:16
    LuckySB opened #807
Jayaprakash Reddy


missing client token error coming from hashicorp vault code https://github.com/hashicorp/vault/blob/2b0d837d7082479d530e961e35e4fa74d9caad5c/vault/request_handling.go#L126

Note client.auth.aws.configure method makes API call to vault endpoint v1/auth/aws/config. Which requires token with proper policy attached to read that path. This is one time activity to initialize AWS auth method with any region.

But login request client.auth_aws_iam don't require X-Vault-Token header.

For your use case:
Consider enabling AWS auth method with required region using CLI or following API call with valid vault token.

"secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
"endpoint": "https://sts.eu-west-1.amazonaws.com"

$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \

Then use Lambda function to call client.auth_aws_iam without any token as input.

Hope It helps

Gal Krispel
@JUSTPERFECT thanks! I actually realized that right after I posted this question, got this one working , thanks again!
Greg Maxwell
Need help on how to do the following in hvac.
vault write auth/ldap/groups/tools policies=aws
is this just writing a secret?
Also is there some way to change the default policy for ldap at configurations?
Balder Lindblom
What do you mean by default policy at configuration?
Hi, I am new to hvac. I am trying just to connect to vault
def main(): client = hvac.Client(url='https://domain/ui/vault/secrets', token=os.environ['VAULT_TOKEN'], cert=(client_cert_path, client_key_path)) client.is_authenticated()
I get exception for code snippet above:
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(336445449, '[SSL] PEM lib (_ssl.c:3503)'),))
Any idea whats wrong? bad cert? Should i enable something on vault server side?
I can login with vault login with token above no problem
Using no certificate and just url and VAULT_TOKEN results in:
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=443): Max retries exceeded with url: /ui/vault/secrets/v1/auth/token/lookup-self (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
@Vox1984 did you check certificates configuration on the server?
i really do not think this has anything to do with hvac
thats strange, I use the same certs for tls as server.
I can connect to port no problem with telnet
but I have still
Error(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:852)'),))
Dustin Heywood
Hey folks, quick question, how hard would it be to extend hvac to support SSH-CA https://www.vaultproject.io/api/secret/ssh and https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates
right now I'm doing super dirty automation with python and making the json directly but it might be handy, or it might be supported and I'm just missing it
I am having an issue where I try to authenticate with kubernetes with setting useToken to false and it is still trying to use the token to authenticate
Jacob Floyd
I need to write unit tests for a stackstorm-vault a simple wrapper around hvac. My pull request for that project just migrates from deprecated hvac APIs to the latest APIs: StackStorm-Exchange/stackstorm-vault#17
Does hvac have anything that could simplify writing these tests? A mock vault or something?
cognifloyd (Jacob Floyd)
testing the matrix bridge
It looks like there is some good test infra, but it is not included in the hvac module. So, I think that means I need a git checkout of hvac to reuse any testing scripts/modules/classes.
Jeffrey Hogan
@cognifloyd we actually have a very old issue covering the same sort of thought: hvac/hvac#99
I'm hoping to find some time for hvac development work in earnest again soon so I'll take a look at it again if I'm able :)
cognifloyd (Jacob Floyd)
Sounds good. For now here's my hack to "include" the relevant parts of the hvac test infra in my own tests: https://github.com/StackStorm-Exchange/stackstorm-vault/pull/19/files#diff-bb41de0f7374b35eb53e4a61947b5aedc01637405fa4a748c1a9aac1180ba250
Scott Hall

I'm trying to create an approle using hvac the follwing vault client command works:
vault write -ns=private_cloud/blue auth/approle/role/111111_itg_appwriter token_policies="0111111_itg_appwriter"

I couldn't find a special call in the hvac for approles so i tried just doing a client.write as follwing:
path = f"auth/approle/role/{pol_appreader}_auth"
values = f"token_policies=\"{pol_appreader}\" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h"
result = client.write( path, values,)

But I get an error for invalid duration, has anyone used hvac to write approles? Any help would be great.
hvac.exceptions.InvalidRequest: error parsing X-Vault-Wrap-TTL header: time: invalid duration token_policies="211395_dev_appreader" token_ttl=1h token_max_ttl=24h secret_id_ttl=24h, on post https://<server>/v1/auth/approle/role/211395_dev_appreader_auth

Hi, I think i have found a small issue in hvac aws secrets_engines"
Shouldn’t the path point to "role" instead of "roles" when we are using read_role ?
Pavan Patharde
Hi All hvac is working well with vault in 1.18 k8s where as does not work with 1.15... Any thing to keep in mind?
Pavan Patharde
v1/sys/in it
Hi all, we have a library that is an extension of hvac and I'm wondering if there is room to move some, maybe all of the code into hvac? It is considered "higher level" functionality over the api. Anyone here to discuss this? Link to code: https://github.com/schubergphilis/hashivaultlib/blob/master/hashivaultlib/hashivaultlib.py

Sorry if I'm missing something obvious, but I'm trying to address this deprecation when creating an orphan token:

DeprecationWarning: Call to deprecated function 'create_token'. This method will be removed in version '1.0.0' Please use the 'create' method on the 'hvac.api.auth_methods.token' class moving forward.

where the old create_token call specifies orphan=True. Looking at auth.token.create there is a no_parent argument and a note in the comments:

Certain options are only available when called by a root token. If used via the /auth/token/create-orphan endpoint, a root token is not required to create an orphan token (otherwise set with the no_parent option).

I am not using a root token here, but I don't see how to specify the create-orphan endpoint. With the old function it would branch to using that endpoint if orphan was True, but I don't see any way to do that with the new one.

Mohit Kumar Sharma
Hi Guys
i am not able to login using kubernwtes method
can someone help me ?
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='vault.vaultexxxx.com', port=443): Max retries exceeded with url: /v1/auth/kubernetes/login (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f4d1dc1b0d0>: Failed to establish a new connection: [Errno 111] Connection refused’
Tobias Macey
I'm working on scripting the initialization of a Vault cluster configured to use the auto-unseal mechanism with AWS KMS. I am able to initialize the cluster, but when I then try to enable a userpass auth backend it throws an error about the cluster being sealed. I tried adding a while client.sys.is_sealed() loop but that doesn't seem to have any effect. How have folks managed that flow? I'm trying to do this in the context of bootstrapping the cluster to hand off to Pulumi/Terraform
Casey Reed
havent seen recent movement in this room, using hvac==0.11.2 and when I attempt to run my hvac.client.auth.aws.configure to point to the correct regional sts endpoint, I always get a 'missing client token' error. I am attempting to authenticate via credentials fetched from the boto3.session() and consistently get this single error. I am authenticating to aws via a namespace specified in my hvac.client. anyone else down this rabbit hole?
Mike H
Hi, is there interest in a PR for Vault password policies (create/read/delete) and password generation? Seems to be missing at present.
Jerry Wiltse
Hi I'm using client for first time to do simple key read from an enterprise server and getting 404. It looks like it's using the following URL from the logs: https://server/v1/secret/data/mypath. But, looking at our working CURL, the https://server/v1/<my_namespace>/data/mypath. I initialized the client with client = hvac.Client(namespace=my_namespace, ...) and it seems to have no effect. Any ideas?
It's also troubling that I'm calling client.secrets.kv.v2.read_secret_version and the URL in the error clearly shows /v1
Jerry Wiltse
ok, so it's a mount_point
praneeth papishetty

Hello all. hope everyone is doing good.
Anyone know a good way to mock the vault client for a unit test using pytests?
I tried https://stackoverflow.com/questions/54326123/how-to-mock-vault-hvac-client-method but I am getting below error
AttributeError: 'NoneType' object has no attribute 'read'

my code is not recognize the read method

Rhituraj Sen
I am looking for a help list all secrets name using python... any help would be appreciated