A client library for working with Vault through its REST API. Features:
- Generation of clear or encrypted unseal keys
- Generation of root token
- Generation of clear or encrypted recovery keys
- Configuring transit keys and transit unseal
- Create, update, and list policies
- Attach policies to userpass users
- Getting status
- Create user and get details
- Update passwords
- List users
- Login (validate password and get Vault token)
- Delete users
See the warning in Vault's REST API documentation:
Backwards compatibility: At the current version, Vault does not yet promise backwards compatibility even with the v1
prefix. We'll remove this warning when this policy changes. At this point in time the core API
(that is, sys/ routes) change very infrequently, but various secrets engines/auth methods/etc. sometimes have minor
changes to accommodate new features as they're developed.
The above warning means this library could break with newer versions of Vault.
The library is experimental and has been tested with Vault 1.11 through 1.13.
To demo using PGP (GPG) to encrypt the unseal keys and root tokens generated by Vault, you can create several fake users, each with their own key pair.
$ gpg --quick-generate-key [email protected]
$ gpg --quick-generate-key [email protected]
$ gpg --quick-generate-key [email protected]
$ gpg --quick-generate-key [email protected]
List the key pairs that have private keys:
$ gpg -K
Export the public keys of each key pair:
$ gpg --output operator1.pgp --export [email protected]
$ gpg --output operator2.pgp --export [email protected]
$ gpg --output operator3.pgp --export [email protected]
$ gpg --output root-user.pgp --export [email protected]
Note: do NOT use the --armor flag; Vault requires binary public keys.
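As an added example (not the library's own code), the following Python builds the `sys/init` request body from the exported binary keys above and rejects an armored export before it reaches Vault. It assumes a server at http://127.0.0.1:8200 and the operator1.pgp, operator2.pgp, operator3.pgp and root-user.pgp file names used above.

```python
import base64
import json
import urllib.request
from pathlib import Path

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: a local Vault server

def is_binary_pgp_key(data: bytes) -> bool:
    """True if `data` looks like a binary OpenPGP export. Every OpenPGP packet
    header has bit 7 set (RFC 4880 section 4.2), so ASCII armor fails this."""
    return bool(data) and bool(data[0] & 0x80)

def pgp_key_to_b64(data: bytes) -> str:
    """Encode one exported public key the way the sys/init API expects it."""
    if not is_binary_pgp_key(data):
        raise ValueError("not a binary OpenPGP key; re-export without --armor")
    return base64.b64encode(data).decode("ascii")

def valid_seal_config(shares: int, threshold: int) -> bool:
    """Mirror Vault's rules: 1 <= threshold <= shares, and >= 2 when shares > 1."""
    return 1 <= threshold <= shares and (shares == 1 or threshold >= 2)

def build_init_payload(operator_keys: list, root_key: bytes, threshold: int) -> dict:
    """Build the JSON body for PUT /v1/sys/init; Vault requires exactly one
    PGP key per unseal share, so secret_shares comes from the key count."""
    shares = len(operator_keys)
    if not valid_seal_config(shares, threshold):
        raise ValueError(f"invalid seal config: {threshold} of {shares}")
    return {
        "secret_shares": shares,
        "secret_threshold": threshold,
        "pgp_keys": [pgp_key_to_b64(k) for k in operator_keys],  # one per share
        "root_token_pgp_key": pgp_key_to_b64(root_key),         # encrypts root token
    }

def init_vault(payload: dict, addr: str = VAULT_ADDR) -> dict:
    """Send the init request; returned shares and root token are PGP-encrypted."""
    req = urllib.request.Request(
        f"{addr}/v1/sys/init",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    ops = [Path(f"operator{i}.pgp").read_bytes() for i in (1, 2, 3)]
    body = build_init_payload(ops, Path("root-user.pgp").read_bytes(), threshold=2)
    print(json.dumps(init_vault(body), indent=2))
```

Each returned unseal share is decrypted with the matching operator's private key, so no single operator ever sees another operator's share in the clear.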
All library features are available on Linux.
All library features are available on Macs, but because of limitations of Docker networking on Macs, all automated tests that require a live Vault server are disabled.
All library features are available on Windows, but because Hashicorp does not offer a Windows build of the Vault server, all automated tests that require a live Vault server are disabled.