awx_plugins.credentials.hashivault module¶

awx_plugins.credentials.hashivault._AUTH_TOKEN: ContextVar[str] = <ContextVar name='_AUTH_TOKEN'>¶: Authentication token for use in plugin handlers.

class awx_plugins.credentials.hashivault._EmptyKwargs¶

Bases: TypedDict

Schema for zero keyword arguments.

awx_plugins.credentials.hashivault._inject_auth_token_with_revocation(decorated_function: Callable[[_PT], _RT], /) → Callable[[_PT], _RT]¶

Parameters:: decorated_function (Callable[[ParamSpec(_PT)], TypeVar(_RT)])
Return type:: Callable[[ParamSpec(_PT)], TypeVar(_RT)]

awx_plugins.credentials.hashivault._revoke_self_token(*, vault_token: str, url: str, namespace: str, cacert: str | None = None) → None¶

Revoke the passed-in Vault token.

Parameters:

vault_token (str)
url (str)
namespace (str)
cacert (str | None, default: None)

Return type:

None

awx_plugins.credentials.hashivault._token_in_context(token: str, /) → Iterator[None]¶

Set a token for the execution context lifetime.

Parameters:: token (str)
Return type:: Iterator[None]

awx_plugins.credentials.hashivault._vault_token(**kwargs: str) → Iterator[str]¶

Context manager that yields a Vault token and revokes it on exit if obtained via workload identity.

Parameters:: kwargs (str)
Return type:: Iterator[str]

awx_plugins.credentials.hashivault.approle_auth(**kwargs)¶

awx_plugins.credentials.hashivault.client_cert_auth(**kwargs)¶

awx_plugins.credentials.hashivault.handle_auth(**kwargs)¶

awx_plugins.credentials.hashivault.kubernetes_auth(**kwargs)¶

awx_plugins.credentials.hashivault.kv_backend(*, url: str, api_version: str, secret_path: str, secret_key: str | None = None, secret_backend: str | None = None, secret_version: str | None = None, cacert: str | None = None, namespace: str | None = None, **_discarded_kwargs: Unpack[_EmptyKwargs]) → str¶

Parameters:

url (str)
api_version (str)
secret_path (str)
secret_key (str | None, default: None)
secret_backend (str | None, default: None)
secret_version (str | None, default: None)
cacert (str | None, default: None)
namespace (str | None, default: None)
_discarded_kwargs (Unpack[_EmptyKwargs])

Return type:

str

awx_plugins.credentials.hashivault.method_auth(**kwargs)¶

awx_plugins.credentials.hashivault.ssh_backend(*, url: str, secret_path: str, role: str, public_key: str, cacert: str | None = None, namespace: str | None = None, valid_principals: str | None = None, **_discarded_kwargs: Unpack[_EmptyKwargs]) → str¶

Parameters:

url (str)
secret_path (str)
role (str)
public_key (str)
cacert (str | None, default: None)
namespace (str | None, default: None)
valid_principals (str | None, default: None)
_discarded_kwargs (Unpack[_EmptyKwargs])

Return type:

str

awx_plugins.credentials.hashivault.userpass_auth(**kwargs)¶

awx_plugins.credentials.hashivault.workload_identity_auth(**kwargs)¶: JWT representing a workload. Issued by an OIDC entity trusted by Vault.