hvac

🐛 Bug Fixes

• fix wrapped response for auth.token.create (GH-966)

Thanks to @briantist for their lovely contributions.

BUG FIXES:

• Fix kubernetes auth method list roles method. GH-466
• Enable consul secrets engine. GH-460
• Enable database secrets engine. GH-455
• Many fixes for the database secrets engine. GH-457

IMPROVEMENTS:

• The enable_auth_method(), tune_auth_method(), enable_secrets_engine(), tune_mount_configuration() system backend method now take arbitrary **kwargs parameters to provide greater support for variations in accepted parameters in the underlying Vault plugins.
• Azure auth params, add num_uses, change bound_location -> bound_locations and bound_resource_group_names -> bound_resource_groups. GH-452

MISCELLANEOUS:

• The hvac project now has gitter chat enabled. Feel free to check it out for any online discussions related to this module at: gitter.im/hvac/community! GH-465
• Added Vault agent socket listener usage example under the "advanced usage" documentation section at: hvac.readthedocs.io GH-468

Thanks to @denisvll, @Dudesons, and @drewmullen for their lovely contributions.

BUG FIXES:

• Fix Azure list roles GH-448

IMPROVEMENTS:

• Support for the PKI secrets engine. GH-436

MISCELLANEOUS:

• delete_roleset() method added to GCP secrets engine support. GH-449

Thanks to @nledez and @drewmullen for their lovely contributions.

BUG FIXES:

• Update path to azure.login() GH-429
• AWS secrets engine generate credentials updated to a post request. GH-430

IMPROVEMENTS:

• Support for the Radius auth method. GH-420
• Support for the Database secrets engine. GH-431
• Add the consul secret engine support GH-432
• Support for the GCP secrets engine. GH-443

MISCELLANEOUS:

• Remove logger call within adapters module GH-445
• Add docs for auth_cubbyhole GH-427

Thanks to @paulcaskey, @stevenmanton, @brad-alexander, @yoyomeng2, @JadeHayes, @Dudesons for their lovely contributions.

BUG FIXES:

• Fix priority of client url and VAULT_ADDR environment variable. GH-423
• Update setup.py to only compile hvac package. GH-418

Thanks to @eltoder and @andytumelty for their lovely contributions.

BUG FIXES:

• Fix initialize() method recovery_shares and recovery_threshold parameter validation regression. GH-416

BACKWARDS COMPATIBILITY NOTICE:

• The Client() class constructor now behaves similarly to Vault CLI in that it uses the VAULT_ADDR environmental variable for the Client URL when that variable is set. Along the same lines, when no token is passed into the Client() constructor, it will attempt to load a token from the VAULT_TOKEN environmental variable or the ~/.vault-token file where available. GH-411

IMPROVEMENTS:

• Support for the Kubernetes auth method. GH-408

BUG FIXES:

• Fix for comparision recovery_threshold and recovery_shares during initialization. GH-398
• Fix request method for AWS secrets engine generate_credentials() method. GH-403
• Fix request parameter (n_bytes -> bytes) for Transit secrets engine generate_random_bytes() method. GH-377

Thanks to @engstrom, @viralpoetry, @bootswithdefer, @steved, @kserrano, @spbsoluble, @uepoch, @singuliere, @frgaudet, @jsporna, & @mrsiesta for their lovely contributions.

IMPROVEMENTS:

• Support for the AWS secrets engine. GH-370

BUG FIXES:

• Fixes for intermittent test case failures. GH-361 & GH-364

MISCELLANEOUS:

• Travis CI builds now run against Python 3.7 (along side the previously tested 2.7 and 3.6 versions). GH-360
• Documentation build test case added. GH-366
• Module version now managed by the bumpversion utility exclusively. GH-369

IMPROVEMENTS:

• Support for the Okta auth method. GH-341

BUG FIXES:

• Simplify redirect handling in Adapter class to fix issues following location headers with fully qualified URLs. Note: hvac now converts // to / within any paths. GH-348
• Fixed a bug where entity and group member IDs were not being passed in to Identity secrets engine group creation / updates. GH-346
• Ensure all types of responses for the read_health_status() system backend method can be retrieved without exceptions being raised. GH-347
• Fix read_seal_status() in Client class's seal_status property. GH-354

DOCUMENTATION UPDATES:

• Example GCP auth method login() call with google-api-python-client usage added: Example with google-api-python-client Usage. GH-350

MISCELLANEOUS:

• Note: Starting after release 0.7.0, develop is the main integration branch for the hvac project. The master branch is now intended to capture the state of the most recent release.
• Test cases for hvac are no longer included in the release artifacts published to PyPi. GH-334
• The create_or_update_policy system backend method now supports a "pretty_print" argument for different JSON formatting. This allows create more viewable policy documents when retrieve existing policies (e.g., from within the Vault UI interface). GH-342
• Explicit support for Vault v0.8.3 dropped. CI/CD tests updated to run against Vault v1.0.0. GH-344

DEPRECATION NOTICES:

• All auth method classes are now accessible under the auth property on the hvac.Client class. GH-310. (E.g. the github, ldap, and mfa Client properties' methods are now accessible under Client.auth.github, etc.)
• All secrets engines classes are now accessible under the secrets property on the hvac.Client class. GH-311 (E.g. the kv, Client property's methods are now accessible under Client.secrets.kv)
• All system backend classes are now accessible under the sys property on the hvac.Client class. GH-314 ([GH-314] through [GH-325]) E.g. methods such as enable_secret_backend() under the Client class are now accessible under Client.sys.enable_secrets_engine(), etc.

IMPROVEMENTS:

• Support for Vault Namespaces. GH-268
• Support for the Identity secrets engine. GH-269
• Support for the GCP auth method. GH-240
• Support for the Azure auth method. GH-286
• Support for the Azure secrets engine. GH-287
• Expanded Transit secrets engine support. GH-303

Thanks to @tiny-dancer, @jacquat, @deejay1, @MJ111, @jasonarewhy, and @alexandernst for their lovely contributions.

IMPROVEMENTS:

• New KV secret engine-related classes added. See the KV documentation under hvac's readthedocs.io site for usage / examples. GH-257 / GH-260

MISCELLANEOUS:

• Language classifiers are now being included with the distribution. GH-247
• Token no longer being sent in URL path for the Client.renew_token method. GH-250
• Support for the response structure in newer versions of Vault within the Client.get_policy method. GH-254
• config and plugin_name parameters added to the Client.enable_auth_backend method. GH-253

Thanks to @ijl, @rastut, @seuf, @downeast for their lovely contributions.

DEPRECATION NOTICES:

• The auth_github() method within the hvac.Client class has been marked as deprecated and will be removed in hvac v0.8.0 (or later). Please update any callers of this method to use the hvac.Client.github.login() instead.
• The auth_ldap() method within the hvac.Client class has been marked as deprecated and will be removed in hvac v0.8.0 (or later). Please update any callers of this method to use the hvac.Client.ldap.login() instead.

IMPROVEMENTS:

• New Github auth method class added. See the documentation for usage / examples. GH-242
• New Ldap auth method class added. See the documentation for usage / examples. GH-244
• New Mfa auth method class added. See the documentation for usage / examples. GH-255
• auth_aws_iam() method updated to include "region" parameter for deployments in different AWS regions. GH-243

DOCUMENTATION UPDATES:

• Additional guidance for how to configure hvac's Client class to leverage self-signed certificates / private CA bundles has been added at: Making Use of Private CA. GH-230
• Docstring for verify Client parameter corrected and expanded. GH-238

MISCELLANEOUS:

• Automated PyPi deploys via travis-ci removed. GH-226
• Repository transferred to the new "hvac" GitHub organization; thanks @ianunruh! GH-227
• Codecov (automatic code coverage reports) added. GH-229 / GH-228
• Tests subdirectory reorganized; now broken up by integration versus unit tests with subdirectories matching the module path for the code under test. GH-236

Thanks to @otakup0pe, @FabianFrank, @andrewheald for their lovely contributions.

BACKWARDS COMPATIBILITY NOTICE:

• With the newly added hvac.adapters.Request class, request kwargs can no longer be directly modified via the _kwargs attribute on the Client class. If runtime modifications to this dictionary are required, callers either need to explicitly pass in a new adapter instance with the desired settings via the adapter propery on the Client class or access the _kwargs property via the adapter property on the Client class.

See the Advanced Usage section of this module's documentation for additional details.

IMPROVEMENTS:

• sphinx documentation and readthedocs.io project added. GH-222
• README.md included in setuptools metadata. GH-222
• All tune_secret_backend() parameters now accepted. GH-215
• Add read_lease() method GH-218
• Added adapter module with Request class to abstract HTTP requests away from the Client class. GH-223

Thanks to @bbayszczak, @jvanbrunschot-coolblue for their lovely contributions.

IMPROVEMENTS:

• Update unwrap() method to match current Vault versions [GH-149]
• Initial support for Kubernetes authentication backend [GH-210]
• Initial support for Google Cloud Platform (GCP) authentication backend [GH-206]
• Update enable_secret_backend function to support kv version 2 [GH-201]

BUG FIXES:

• Change URL parsing to allow for routes in the base Vault address (e.g., https://example.com/vault) [GH-212].

Thanks to @mracter, @cdsf, @SiN, @seanmalloy, for their lovely contributions.

BACKWARDS COMPATIBILITY NOTICE:

• Token revocation now sends the token in the request payload. Requires Vault >0.6.5
• Various methods have new and/or re-ordered keyword arguments. Code calling these methods with positional arguments
  may need to be modified.

IMPROVEMENTS:

• Ensure mount_point Parameter for All AWS EC2 Methods [GH-195]
• Add Methods for Auth Backend Tuning [GH-193]
• Customizable approle path / mount_point [GH-190]
• Add more methods for the userpass backend [GH-175]
• Add transit signature_algorithm parameter [GH-174]
• Add auth_iam_aws() method [GH-170]
• lookup_token function POST token not GET [GH-164]
• Create_role_secret_id with wrap_ttl & fix get_role_secret_id_accessor [GH-159]
• Fixed json() from dict bug and added additional arguments on auth_ec2() method [GH-157]
• Support specifying period when creating EC2 roles [GH-140]
• Added support for /sys/generate-root endpoint [GH-131] / [GH-199]
• Added "auth_cubbyhole" method [GH-119]
• Send token/accessor as a payload to avoid being logged [GH-117]
• Add AppRole delete_role method [GH-112]

BUG FIXES:

• Always Specify auth_type In create_ec2_role [GH-197]
• Fix "double parasing" of JSON response in auth_ec2 method [GH-181]

Thanks to @freimer, @ramiamar, @marcoslopes, @ianwestcott, @marc-sensenich, @sunghyun-lee, @jnaulty, @sijis,
@Myles-Steinhauser-Bose, @oxmane, @ltm, @bchannak, @tkinz27, @crmulliner, for their lovely contributions.

IMPROVEMENTS:

• Added disallowed_policies parameter to create_token_role method [GH-169]

Thanks to @morganda for their lovely contribution.

IMPROVEMENTS:

• Add support for the period parameter on token creation [GH-167]
• Add support for the cidr_list parameter for approle secrets [GH-114]

BUG FIXES:

• Documentation is now more accurate [GH-165] / [GH-154]

Thanks to @ti-mo, @dhoeric, @RAbraham, @lhdumittan, @ahsanali for
their lovely contributions.

This is just the highlights, there have been a bunch of changes!

IMPROVEVEMENTS:

• Some AppRole support [GH-77]
• Response Wrapping [GH-85]
• AWS EC2 stuff [GH-107], [GH-109]

BUG FIXES

• Better handling of various error states [GH-79], [GH-125]

Thanks to @ianwestcott, @s3u, @mracter, @intgr, @jkdihenkar, @gaelL,
@henriquegemignani, @bfeeser, @nicr9, @mwielgoszewski, @mtougeron
for their contributions!

IMPROVEMENTS:

• Add token role support [GH-94]
• Add support for Python 2.6 [GH-92]
• Allow setting the explicit_max_ttl when creating a token [GH-81]
• Add support for write response wrapping [GH-85]

BUG FIXES:

• Fix app role endpoints for newer versions of Vault [GH-93]

Thanks to @otakup0pe, @nicr9, @marcoslopes, @caiotomazelli,
and @blarghmatey for their contributions!

IMPROVEMENTS:

• Add EC2 auth support [GH-61]
• Add support for token accessors [GH-69]
• Add support for response wrapping [GH-70]
• Add AppRole auth support [GH-77]

BUG FIXES:

• Fix no_default_policy parameter in create_token [GH-65]
• Fix EC2 auth double JSON parsing [GH-76]