v1.3.0

2025-10-24 11:12:23 +00:00
parent e5a3f3a3e1
commit 5c46d86788
10 changed files with 261 additions and 56 deletions
--- a/keep_it_secret/ext/vault.py
+++ b/keep_it_secret/ext/vault.py
@@ -9,10 +9,9 @@ from keep_it_secret.fields import EnvField, Field
 from keep_it_secret.secrets import Secrets


-class VaultSecrets(Secrets):
+class BaseVaultSecrets(Secrets):
    """
-    Concrete :py:class:`keep_it_secret.Secrets` subclass that maps environment
-    variables to Vault credentials.
+    Base :py:class:`keep_it_secret.Secrets` subclass for Vault-base secrets.
    """

    url: str = EnvField.new('VAULT_URL', required=True)
@@ -22,13 +21,6 @@ class VaultSecrets(Secrets):
    :type: ``str``
    """

-    token: str = EnvField.new('VAULT_TOKEN', required=True)
-    """
-    Maps ``VAULT_TOKEN`` environment variable.
-
-    :type: ``str``
-    """
-
    client_cert_path: str | None = EnvField.new('VAULT_CLIENT_CERT_PATH', required=False)
    """
    Maps ``VAULT_CLIENT_CERT_PATH`` environment variable.
@@ -62,7 +54,6 @@ class VaultSecrets(Secrets):
        """
        result: dict[str, typing.Any] = {
            'url': self.url,
-            'token': self.token,
        }

        if self.client_cert_path is not None and self.client_key_path is not None:
@@ -85,6 +76,58 @@ class VaultSecrets(Secrets):
        return self.client


+class VaultSecrets(BaseVaultSecrets):
+    """
+    Concrete :py:class:`BaseVaultSecrets` subclass that uses token to
+    authenticate with Vault.
+    """
+
+    token: str = EnvField.new('VAULT_TOKEN', required=True)
+    """
+    Maps ``VAULT_TOKEN`` environment variable.
+
+    :type: ``str``
+    """
+
+    def as_hvac_client_kwargs(self) -> dict[str, typing.Any]:
+        result = super().as_hvac_client_kwargs()
+        result['token'] = self.token
+
+        return result
+
+
+class AppRoleVaultSecrets(BaseVaultSecrets):
+    """
+    Concrete :py:class:`BaseVaultSecrets` subclass that uses app role to
+    authenticate with Vault.
+    """
+
+    role_id: str = EnvField.new('VAULT_ROLE_ID', required=True)
+    """
+    Maps ``VAULT_ROLE_ID`` environment variable.
+
+    :type: ``str``
+    """
+
+    secret_id: str = EnvField.new('VAULT_SECRET_ID', required=True)
+    """
+    Maps ``VAULT_SECRET_ID`` environment variable.
+
+    :type: ``str``
+    """
+
+    def get_client(self) -> hvac.Client:
+        if self.client is None:
+            super().get_client()
+
+            self.client.auth.approle.login(  # type: ignore[attr-defined]
+                role_id=self.role_id,
+                secret_id=self.secret_id,
+            )
+
+        return self.client
+
+
 class VaultKV2Field(Field):
    """
    Concrete :py:class:`keep_it_secret.Field` subclass that uses Hashicorp