- Add Active Directory Secrets Engine Support. GH-508
- Include Recently Added Namespace Documentation In Toctree. GH-509
Thanks to @jeffwecan and @vamshideveloper for their lovely contributions.
- Add delete_namespace Method and Establish Namespace Documentation. GH-500
- Fix consul configure_access/create_or_update_role Method Return Values. GH-502
- Fix Database generate_credentials Docstring Params. GH-498
- Add config for updatedocs app. GH-495
- Add a Codeowners file for automatic reviewer assignments. GH-494
Thanks to @Tylerlhess, @drewmullen and @jeffwecan for their lovely contributions.
- Add Create and List Namespace System Backend Methods. GH-489
- Expanded Support for AWS Auth Method. GH-482
- Capabilities System Backend Support. GH-476
- GCP Auth Test Case Updates For Changes in Vault v1.1.1+. GH-487
- Change AWS
generate_credentials
request method to GET. GH-475
- Numerous Fixes and Doctest Support for Transit Secrets Engine. GH-486
- Start Using Enterprise (Trial) Version of Vault For Travis CI Builds. GH-478
- Update Travis CI Test Matrix With Latest Vault Version & Drop Python 3.6. GH-488
- Set up release-drafter / mostly automated releases. GH-485
Thanks to @donjar, @fhemberger, @jeffwecan, @stevefranks and @stevenmanton for their lovely contributions.
BUG FIXES:
- Fix kubernetes auth method list roles method. GH-466
- Enable consul secrets engine. GH-460
- Enable database secrets engine. GH-455
- Many fixes for the database secrets engine. GH-457
IMPROVEMENTS:
- The
enable_auth_method()
,tune_auth_method()
,enable_secrets_engine()
,tune_mount_configuration()
system backend method now take arbitrary**kwargs
parameters to provide greater support for variations in accepted parameters in the underlying Vault plugins. - Azure auth params, add
num_uses
, changebound_location
->bound_locations
andbound_resource_group_names
->bound_resource_groups
. GH-452
MISCELLANEOUS:
- The hvac project now has gitter chat enabled. Feel free to check it out for any online discussions related to this module at: gitter.im/hvac/community)! GH-465
- Added Vault agent socket listener usage example under the "advanced usage" documentation section at: hvac.readthedocs.io GH-468
Thanks to @denisvll, @Dudesons, and @drewmullen for their lovely contributions.
BUG FIXES:
- Fix Azure list roles GH-448
IMPROVEMENTS:
- Support for the PKI secrets engine. GH-436
MISCELLANEOUS:
delete_roleset()
method added to GCP secrets engine support. GH-449
Thanks to @nledez and @drewmullen for their lovely contributions.
BUG FIXES:
- Update path to azure.login() GH-429
- AWS secrets engine generate credentials updated to a post request. GH-430
IMPROVEMENTS:
- Support for the Radius auth method. GH-420
- Support for the Database secrets engine. GH-431
- Add the consul secret engine support GH-432
- Support for the GCP secrets engine. GH-443
MISCELLANEOUS:
Thanks to @paulcaskey, @stevenmanton, @brad-alexander, @yoyomeng2, @JadeHayes, @Dudesons for their lovely contributions.
BUG FIXES:
- Fix priority of client url and VAULT_ADDR environment variable. GH-423
- Update setup.py to only compile hvac package. GH-418
Thanks to @eltoder and @andytumelty for their lovely contributions.
BUG FIXES:
- Fix
initialize()
methodrecovery_shares
andrecovery_threshold
parameter validation regression. GH-416
BACKWARDS COMPATIBILITY NOTICE:
- The
Client()
class constructor now behaves similarly to Vault CLI in that it uses theVAULT_ADDR
environmental variable for the Client URL when that variable is set. Along the same lines, when no token is passed into theClient()
constructor, it will attempt to load a token from theVAULT_TOKEN
environmental variable or the~/.vault-token
file where available. GH-411
IMPROVEMENTS:
- Support for the Kubernetes auth method. GH-408
BUG FIXES:
- Fix for comparision
recovery_threshold
andrecovery_shares
during initialization. GH-398 - Fix request method for AWS secrets engine
generate_credentials()
method. GH-403 - Fix request parameter (
n_bytes
->bytes
) for Transit secrets enginegenerate_random_bytes()
method. GH-377
Thanks to @engstrom, @viralpoetry, @bootswithdefer, @steved, @kserrano, @spbsoluble, @uepoch, @singuliere, @frgaudet, @jsporna, & @mrsiesta for their lovely contributions.
IMPROVEMENTS:
- Support for the AWS secrets engine. GH-370
BUG FIXES:
MISCELLANEOUS:
- Travis CI builds now run against Python 3.7 (along side the previously tested 2.7 and 3.6 versions). GH-360
- Documentation build test case added. GH-366
- Module version now managed by the
bumpversion
utility exclusively. GH-369
IMPROVEMENTS:
- Support for the Okta auth method. GH-341
BUG FIXES:
- Simplify redirect handling in
Adapter
class to fix issues following location headers with fully qualified URLs. Note: hvac now converts//
to/
within any paths. GH-348 - Fixed a bug where entity and group member IDs were not being passed in to Identity secrets engine group creation / updates. GH-346
- Ensure all types of responses for the
read_health_status()
system backend method can be retrieved without exceptions being raised. GH-347 - Fix
read_seal_status()
inClient
class'sseal_status
property. GH-354
DOCUMENTATION UPDATES:
- Example GCP auth method
login()
call with google-api-python-client usage added: Example with google-api-python-client Usage. GH-350
MISCELLANEOUS:
- Note: Starting after release 0.7.0,
develop
is the main integration branch for the hvac project. Themaster
branch is now intended to capture the state of the most recent release. - Test cases for hvac are no longer included in the release artifacts published to PyPi. GH-334
- The
create_or_update_policy
system backend method now supports a "pretty_print" argument for different JSON formatting. This allows create more viewable policy documents when retrieve existing policies (e.g., from within the Vault UI interface). GH-342 - Explicit support for Vault v0.8.3 dropped. CI/CD tests updated to run against Vault v1.0.0. GH-344
DEPRECATION NOTICES:
- All auth method classes are now accessible under the
auth
property on thehvac.Client
class. GH-310. (E.g. thegithub
,ldap
, andmfa
Client properties' methods are now accessible underClient.auth.github
, etc.) - All secrets engines classes are now accessible under the
secrets
property on thehvac.Client
class. GH-311 (E.g. thekv
, Client property's methods are now accessible underClient.secrets.kv
) - All system backend classes are now accessible under the
sys
property on thehvac.Client
class. GH-314 ([GH-314] through [GH-325]) (E.g. methods such asenable_secret_backend()
under the Client class are now accessible underClient.sys.enable_secrets_engine()
, etc.)
IMPROVEMENTS:
- Support for Vault Namespaces. GH-268
- Support for the Identity secrets engine. GH-269
- Support for the GCP auth method. GH-240
- Support for the Azure auth method. GH-286
- Support for the Azure secrets engine. GH-287
- Expanded Transit secrets engine support. GH-303
Thanks to @tiny-dancer, @jacquat, @deejay1, @MJ111, @jasonarewhy, and @alexandernst for their lovely contributions.
IMPROVEMENTS:
- New KV secret engine-related classes added. See the KV documentation under hvac's readthedocs.io site for usage / examples. GH-257 / GH-260
MISCELLANEOUS:
- Language classifiers are now being included with the distribution. GH-247
- Token no longer being sent in URL path for the
Client.renew_token
method. GH-250 - Support for the response structure in newer versions of Vault within the
Client.get_policy
method. GH-254 config
andplugin_name
parameters added to theClient.enable_auth_backend
method. GH-253
Thanks to @ijl, @rastut, @seuf, @downeast for their lovely contributions.
DEPRECATION NOTICES:
- The
auth_github()
method within thehvac.Client
class has been marked as deprecated and will be removed in hvac v0.8.0 (or later). Please update any callers of this method to use thehvac.Client.github.login()
instead. - The
auth_ldap()
method within thehvac.Client
class has been marked as deprecated and will be removed in hvac v0.8.0 (or later). Please update any callers of this method to use thehvac.Client.ldap.login()
instead.
IMPROVEMENTS:
- New Github auth method class added. See the Github documentation for usage / examples. GH-242
- New Ldap auth method class added. See the Ldap documentation for usage / examples. GH-244
- New Mfa auth method class added. See the documentation for usage / examples. GH-255
auth_aws_iam()
method updated to include "region" parameter for deployments in different AWS regions. GH-243
DOCUMENTATION UPDATES:
- Additional guidance for how to configure hvac's
Client
class to leverage self-signed certificates / private CA bundles has been added at: Making Use of Private CA. GH-230 - Docstring for
verify
Client
parameter corrected and expanded. GH-238
MISCELLANEOUS:
- Automated PyPi deploys via travis-ci removed. GH-226
- Repository transferred to the new "hvac" GitHub organization; thanks @ianunruh! GH-227
- Codecov (automatic code coverage reports) added. GH-229 / GH-228
- Tests subdirectory reorganized; now broken up by integration versus unit tests with subdirectories matching the module path for the code under test. GH-236
Thanks to @otakup0pe, @FabianFrank, @andrewheald for their lovely contributions.
BACKWARDS COMPATIBILITY NOTICE:
- With the newly added
hvac.adapters.Request
class, request kwargs can no longer be directly modified via the_kwargs
attribute on theClient
class. If runtime modifications to this dictionary are required, callers either need to explicitly pass in a newadapter
instance with the desired settings via theadapter
propery on theClient
class or access the_kwargs
property via theadapter
property on theClient
class.
See the Advanced Usage section of this module's documentation for additional details.
IMPROVEMENTS:
- sphinx documentation and readthedocs.io project added. GH-222
- README.md included in setuptools metadata. GH-222
- All
tune_secret_backend()
parameters now accepted. GH-215 - Add
read_lease()
method GH-218 - Added adapter module with
Request
class to abstract HTTP requests away from theClient
class. GH-223
Thanks to @bbayszczak, @jvanbrunschot-coolblue for their lovely contributions.
IMPROVEMENTS:
- Update
unwrap()
method to match current Vault versions [GH-149] - Initial support for Kubernetes authentication backend [GH-210]
- Initial support for Google Cloud Platform (GCP) authentication backend [GH-206]
- Update enable_secret_backend function to support kv version 2 [GH-201]
BUG FIXES:
- Change URL parsing to allow for routes in the base Vault address (e.g.,
https://example.com/vault
) [GH-212].
Thanks to @mracter, @cdsf, @SiN, @seanmalloy, for their lovely contributions.
BACKWARDS COMPATIBILITY NOTICE:
- Token revocation now sends the token in the request payload. Requires Vault >0.6.5
- Various methods have new and/or re-ordered keyword arguments. Code calling these methods with positional arguments may need to be modified.
IMPROVEMENTS:
- Ensure mount_point Parameter for All AWS EC2 Methods [GH-195]
- Add Methods for Auth Backend Tuning [GH-193]
- Customizable approle path / mount_point [GH-190]
- Add more methods for the userpass backend [GH-175]
- Add transit signature_algorithm parameter [GH-174]
- Add auth_iam_aws() method [GH-170]
- lookup_token function POST token not GET [GH-164]
- Create_role_secret_id with wrap_ttl & fix get_role_secret_id_accessor [GH-159]
- Fixed json() from dict bug and added additional arguments on auth_ec2() method [GH-157]
- Support specifying period when creating EC2 roles [GH-140]
- Added support for /sys/generate-root endpoint [GH-131] / [GH-199]
- Added "auth_cubbyhole" method [GH-119]
- Send token/accessor as a payload to avoid being logged [GH-117]
- Add AppRole delete_role method [GH-112]
BUG FIXES:
- Always Specify auth_type In create_ec2_role [GH-197]
- Fix "double parasing" of JSON response in auth_ec2 method [GH-181]
Thanks to @freimer, @ramiamar, @marcoslopes, @ianwestcott, @marc-sensenich, @sunghyun-lee, @jnaulty, @sijis, @Myles-Steinhauser-Bose, @oxmane, @ltm, @bchannak, @tkinz27, @crmulliner, for their lovely contributions.
IMPROVEMENTS:
- Added
disallowed_policies
parameter tocreate_token_role
method [GH-169]
Thanks to @morganda for their lovely contribution.
IMPROVEMENTS:
- Add support for the
period
parameter on token creation [GH-167] - Add support for the
cidr_list
parameter for approle secrets [GH-114]
BUG FIXES:
- Documentation is now more accurate [GH-165] / [GH-154]
Thanks to @ti-mo, @dhoeric, @RAbraham, @lhdumittan, @ahsanali for their lovely contributions.
This is just the highlights, there have been a bunch of changes!
IMPROVEVEMENTS:
- Some AppRole support [GH-77]
- Response Wrapping [GH-85]
- AWS EC2 stuff [GH-107], [GH-109]
BUG FIXES
- Better handling of various error states [GH-79], [GH-125]
Thanks to @ianwestcott, @s3u, @mracter, @intgr, @jkdihenkar, @gaelL, @henriquegemignani, @bfeeser, @nicr9, @mwielgoszewski, @mtougeron for their contributions!
IMPROVEMENTS:
- Add token role support [GH-94]
- Add support for Python 2.6 [GH-92]
- Allow setting the explicit_max_ttl when creating a token [GH-81]
- Add support for write response wrapping [GH-85]
BUG FIXES:
- Fix app role endpoints for newer versions of Vault [GH-93]
Thanks to @otakup0pe, @nicr9, @marcoslopes, @caiotomazelli, and @blarghmatey for their contributions!
IMPROVEMENTS:
- Add EC2 auth support [GH-61]
- Add support for token accessors [GH-69]
- Add support for response wrapping [GH-70]
- Add AppRole auth support [GH-77]
BUG FIXES:
- Fix
no_default_policy
parameter increate_token
[GH-65] - Fix EC2 auth double JSON parsing [GH-76]
Thanks to @blarghmatey, @stevenmanton, and @ahlinc for their contributions!
IMPROVEMENTS:
- Add methods for manipulating app/user IDs [GH-62]
- Add ability to automatically parse policies with pyhcl [GH-58]
- Add TTL option to
create_userpass
[GH-60] - Add support for backing up keys on rekey [GH-57]
- Handle non-JSON error responses correctly [GH-46]
BUG FIXES:
is_authenticated
now handles new error type for Vault 0.6.0
BUG FIXES:
- Fix improper URL being used when leader redirection occurs [GH-56]
IMPROVEMENTS:
- Add support for Requests sessions [GH-53]
BUG FIXES:
- Properly handle redirects from Vault server [GH-51]
IMPROVEMENTS:
- Add support for
increment
in renewel of secret [GH-48]
BUG FIXES:
- Use unicode literals when constructing URLs [GH-50]
IMPROVEMENTS:
- Add support for list operation [GH-47]
IMPROVEMENTS:
- Add support for nonce during rekey operation [GH-42]
- Add get method for policies [GH-43]
- Add delete method for userpass auth backend [GH-45]
- Add support for response to rekey init
IMPROVEMENTS:
- Convenience methods for managing userpass and app-id entries
- Support for new API changes in Vault v0.4.0
IMPROVEMENTS:
- Add support for PGP keys when rekeying [GH-28]
BUG FIXES:
- Fixed token metadata parameter [GH-27]
IMPROVEMENTS:
- Add support for
revoke-self
- Restrict
requests
dependency to modern version
IMPROVEMENTS:
-
Add support for API changes/additions in Vault v0.3.0
- Tunable config on secret backends
- MFA on username/password and LDAP auth backends
- PGP encryption for unseal keys
BUG FIXES:
- Fix write response handling [GH-19]
BUG FIXES
- Fix error handling for next Vault release
IMPROVEMENTS:
- Add support for rekey/rotate APIs
BUG FIXES:
- Restrict
requests
dependency to 2.5.0 or later
IMPROVEMENTS:
- Return latest seal status from
unseal_multi
BUG FIXES:
- Use arguments passed to
initialize
method
BACKWARDS COMPATIBILITY NOTICE:
- Requires Vault 0.1.2 or later for
X-Vault-Token
header auth_token
method removed in favor oftoken
propertyread
method no longer raiseshvac.exceptions.InvalidPath
on nonexistent paths
IMPROVEMENTS:
- Tolerate falsey URL in client constructor
- Add ability to auth without changing to new token
- Add
is_authenticated
convenience method - Return
None
when reading nonexistent path
IMPROVEMENTS:
- Add
is_sealed
convenience method - Add
unseal_multi
convenience method
BUG FIXES:
- Remove secret_shares argument from
unseal
method
- Initial release