salt.runners.vault

Runner functions supporting the Vault modules. Configuration instructions are documented in the execution module docs.

maintainer:

SaltStack

maturity:

new

platform:

all

class salt.runners.vault.LazyPillar(opts, grains, minion_id, extra_minion_data=None)

Simulates a pillar dictionary. Only compiles the pillar once an item is requested.

salt.runners.vault.generate_token(minion_id, signature, impersonated_by_master=False, ttl=None, uses=None)

Generate a Vault token for minion minion_id

minion_id

The id of the minion that requests a token

signature

Cryptographic signature which validates that the request is indeed sent by the minion (or the master, see impersonated_by_master).

impersonated_by_master

If the master needs to create a token on behalf of the minion, this is True. This happens when the master generates minion pillars.

ttl

Ticket time to live in seconds, 1m minutes, or 2h hrs

uses

Number of times a token can be used

salt.runners.vault.show_policies(minion_id, refresh_pillar=<Constant.NOT_SET>, expire=None)

Show the Vault policies that are applied to tokens for the given minion.

minion_id

The minion's id.

refresh_pillar

Whether to refresh the pillar data when rendering templated policies. None will only refresh when the cached data is unavailable, boolean values force one behavior always. Defaults to config value policies_refresh_pillar or None.

expire

Policy computation can be heavy in case pillar data is used in templated policies and it has not been cached. Therefore, a short-lived cache specifically for rendered policies is used. This specifies the expiration timeout in seconds. Defaults to config value policies_cache_time or 60.

CLI Example:

salt-run vault.show_policies myminion
salt.runners.vault.unseal()

Unseal Vault server

This function uses the 'keys' from the 'vault' configuration to unseal vault server

vault:
keys:
  • n63/TbrQuL3xaIW7ZZpuXj/tIfnK1/MbVxO4vT3wYD2A

  • S9OwCvMRhErEA4NVVELYBs6w/Me6+urgUr24xGK44Uy3

  • F1j4b7JKq850NS6Kboiy5laJ0xY8dWJvB3fcwA+SraYl

  • 1cYtvjKJNDVam9c7HNqJUfINk4PYyAXIpjkpN/sIuzPv

  • 3pPK5X6vGtwLhNOFv1U2elahECz3HpRUfNXJFYLw6lid

CLI Examples:

salt-run vault.unseal