Metadata-Version: 2.4
Name: hashicorp_vault_django
Version: 0.0.8
Summary: A Django app to manage the application secrets using hashicorp.
Home-page: https://github.com/icedreamer-praveen/hashicorp-vault
Author: icedreamer-praveen
Author-email: prabinchy1234@gmail.com
License: MIT License
Keywords: vault,vault-django,hashicorp,hashicorp-vault-django,hashicorp_vault_django,hashicorp-vault,vault-secrets,vault-django,secrets-management,hashicorp-vault-integration,vault-configuration,vault-authentication,vault-python-client,vault-credentials,django-secrets,django-vault,django-config,django-auth,django-app,django-integration,django-security,django-secrets-management,django-settings,django-configuration,python-secrets,python-vault,python-authentication,python-security,python-secrets-management,python-configuration,python-integration,python-django,python-configuration-management,python-client,security,authentication,authorization,token-management,secure-secrets,password-management,token-authentication,access-management,infrastructure-secrets,gcp-secrets,django-library,django-tool,django-package,secrets-infrastructure,secrets-django-app,vault-kv-engine,vault-auth-backends,vault-python,vault-policy,vault-secrets-backend,vault-ssl,vault-token-authentication,vault-api
Classifier: Environment :: Web Environment
Classifier: Framework :: Django
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.10
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: django>=3.2
Requires-Dist: hvac>=0.11.2
Provides-Extra: dev
Requires-Dist: twine>=4.0.2; extra == "dev"
Dynamic: author
Dynamic: author-email
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: home-page
Dynamic: keywords
Dynamic: license
Dynamic: provides-extra
Dynamic: requires-dist
Dynamic: requires-python
Dynamic: summary

Hashicorp-vault-python
=========================

Hashicorp vault is a Python-Django app for the improvement application security leveraging secrets

Installation
------------

    * pip install hashicorp-vault-django
    * Add ``hashicorp_vault`` to your ``INSTALLED_APPS``

::

Setup in settings
-----------------

    * make config directory at project root level and create application.yml file inside config directory 
    * application.yml sample for vault configuration
        * vault:
              host: vault url  # https
              secret_engine: mount path  # secrests-config
              application: application path # secrets-ai
              username: username
              password: password
    * if your secrets stored in `/vault/secrets/secrets-config/kv/secrets-ai/` then use secrets-config as secret_engine and secrets-ai as application in vault configuration
    * consume vault secrets in your settings.py file 
          from hashicorp_vault.vault import get_vault_secrets

          vault_secrets = get_vault_secrets(BASE_DIR)

          DATABASES = {
            "default": {
                "ENGINE": config["datasource"]["DATABASE_ENGINE"],
                "NAME": vault_secrets.get("db_database"),
                "USER": vault_secrets.get("db_user"),
                "PASSWORD": vault_secrets.get("db_password"),
                "HOST": vault_secrets.get("host"),
                "PORT": vault_secrets.get("db_port"),
                "OPTIONS": {"charset": "utf8mb4"},
            },
        }
    * Use secret keys to access to secret values from vault
::


Vault Authentication Methods
----------------------------
This package supports multiple authentication methods for HashiCorp Vault. Configure your prefered method via the **application.yml** file.
The **vault.authentication** key determines which method will be used.

Supported authentication methods include:
    * userpass
    * token
    * approle
    * jwt
    * ldap
    * github
    * gcp
    * azure
    * aws_iam
    * aws_ec2

Below are the configuration examples for each.

# General Structure (Default authentication method is userpass)
     vault:
         host: vault url  # https or http
         secret_engine: mount path 
         application: application path
         username: username
         password: password
   
    1. userpass
        Authenticates with Vault using the username and password method.

        vault:
             authentication: userpass (Optional)
             host: url
             secret_engine: mount_path
             application: application_path
             username: username
             password: password

    2. token
        Use a pre-generated token to authenticate with Vault.

        vault:
             authentication: token
             host: url
             secret_engine: mount_path
             application: application_path
             token: 00000000-0000-0000-0000-000000000000 

    3. approle
        Use Vault AppRole authentication with role_id and secret_id.

        vault:
             authentication: approle
             host: url
             secret_engine: mount_path
             application: application_path
             app_role:
                role_id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52
                secret_id: 1696536f-1976-73b1-b241-0b4213908d39

    4. jwt
        Authenticate using JWT/OIDC. Commonly used with external identity providers.

        vault:
             authentication: jwt
             host: url
             secret_engine: mount_path
             application: application_path
             jwt:
                role: your-jwt-role
                jwt: your-signed-jwt-token

    5. github
        Authenticate using a GitHub personal access token mapped to a Vault policy.
        
        vault:
             authentication: github
             host: url
             secret_engine: mount_path
             application: application_path
             token: your-github-personal-access-token


    6. gcp
        Authenticate Vault using Google Cloud IAM and JWT identity.
        
        vault:
             authentication: gcp
             host: url
             secret_engine: mount_path
             application: application_path
             gcp:
                role: your-gcp-role
                jwt: your-signed-jwt-from-gcp-service-account

    
    7. ldap
        Authenticate using your LDAP (e.g., Active Directory) credentials.

        vault:
             authentication: ldap
             host: url
             secret_engine: mount_path
             application: application_path
             ldap:
                username: your-ldap-username
                password: your-ldap-password


    8. azure
        Authenticate using Azure VM or VMSS instance identity.

        vault:
             authentication: azure
             host: url
             secret_engine: mount_path
             application: application_path
             azure:
                role: your-azure-role
                jwt: your-signed-jwt-token
                subscription_id: your-subscription-id (Optional)
                resource_group_name: your-resource-group (Optional)
                vm_name: your-vm-name (Optional)
                vmss_name: your-vmss-name (Optional)


    9. aws_iam
        Authenticate via AWS IAM using signed headers and Vault IAM role

        vault:
             authentication: aws_iam
             host: url
             secret_engine: mount_path
             application: application_path
             aws_iam:
                access_key: your-aws-access-key
                secret_key: your-aws-secret-key
                session_token: optional-session-token (Optional)
                header_value: optional-canonical-request-header (Optional)
                role: your-vault-role (Optional)


    10. aws_ec2
        Authenticate via AWS EC2 metadata service using instance identity document

        vault:
             authentication: aws_ec2
             host: url
             secret_engine: mount_path
             application: application_path
             aws_ec2:
                pkcs7: your-pkcs7-signed-identity-document
                nonce: optional-nonce (Optional)
                role: your-vault-ec2-role (Optional)
        
::

Compatibility
-------------
{py3.8, py3.10}-django{4.* above}
