- All Superinterfaces:
AutoCloseable
,Serializable
- All Known Implementing Classes:
HTTPVaultConnector
Vault Connector interface.
Provides methods to connect with Vault backend and handle secrets.
- Since:
- 0.1
- Author:
- Stefan Kalscheuer
-
Method Summary
Modifier and TypeMethodDescriptiondefault AuthResponse
authAppRole
(String roleID) Authorize to Vault using AppRole method without secret ID.authAppRole
(String roleID, String secretID) Authorize to Vault using AppRole method.Authorize to Vault using token.authUserPass
(String username, String password) Authorize to Vault using username and password.boolean
createAppRole
(AppRole role) Register a new AppRole role from given metamodel.default boolean
createAppRole
(String roleName) Register new AppRole role with default policy.default boolean
createAppRole
(String roleName, String roleID) Register new AppRole role with default policy and custom ID.default boolean
createAppRole
(String roleName, List<String> policies) Register new AppRole role with policies.default boolean
createAppRole
(String roleName, List<String> policies, String roleID) Register new AppRole role with policies and custom ID.default AppRoleSecretResponse
createAppRoleSecret
(String roleName) Register new random generated AppRole secret.createAppRoleSecret
(String roleName, AppRoleSecret secret) Register new AppRole secret with custom ID.default AppRoleSecretResponse
createAppRoleSecret
(String roleName, String secretID) Register new AppRole secret with custom ID.default boolean
Create a new or update an existing token role.boolean
createOrUpdateTokenRole
(String name, TokenRole role) Create a new or update an existing token role.createToken
(Token token) Create a new token.createToken
(Token token, boolean orphan) Create a new token.createToken
(Token token, String role) Create a new token for specific role.void
Delete key from Vault.void
deleteAllSecretVersions
(String mount, String key) Delete latest version of a secret from Vault.boolean
deleteAppRole
(String roleName) Delete AppRole role from Vault.void
deleteLatestSecretVersion
(String mount, String key) Delete latest version of a secret from Vault.void
deleteSecretVersions
(String mount, String key, int... versions) Delete secret versions from Vault.boolean
deleteTokenRole
(String name) Delete a token role.boolean
destroyAppRoleSecret
(String roleName, String secretID) Destroy an AppRole secret.void
destroySecretVersions
(String mount, String key, int... versions) Destroy secret versions from Vault.getAppRoleID
(String roleName) Retrieve ID for an AppRole role.Get all available authentication backends.Query server health information.boolean
Get authorization status.List available nodes from Vault.List existing (accessible) AppRole roles.listAppRoleSecrets
(String roleName) List existing (accessible) secret IDs for AppRole role.List available token roles from Vault.lookupAppRole
(String roleName) Lookup an AppRole role.lookupAppRoleSecret
(String roleName, String secretID) Lookup an AppRole secret.lookupToken
(String token) Lookup token information.Retrieve any nodes content from Vault.default CredentialsResponse
readDbCredentials
(String role, String mount) Read credentials for SQL backends.default CredentialsResponse
readMongoDbCredentials
(String role) Read credentials for MSSQL backend at default mount point.default CredentialsResponse
readMsSqlCredentials
(String role) Read credentials for MSSQL backend at default mount point.default CredentialsResponse
readMySqlCredentials
(String role) Read credentials for MySQL backend at default mount point.default CredentialsResponse
Read credentials for PostgreSQL backend at default mount point.default SecretResponse
readSecretData
(String mount, String key) Retrieve the latest secret data for specific version from Vault.readSecretMetadata
(String mount, String key) Retrieve secret metadata from Vault.readSecretVersion
(String mount, String key, Integer version) Retrieve secret data from Vault.readTokenRole
(String name) Lookup token information.default SecretResponse
Renew lease with given ID.Renew lease with given ID.void
Reset authorization information.void
Revoke given lease immediately.void
seal()
Seal vault.Retrieve status of vault seal.boolean
setAppRoleID
(String roleName, String roleID) Set custom ID for an AppRole role.void
undeleteSecretVersions
(String mount, String key, int... versions) Undelete (restore) secret versions from Vault.default SealResponse
Unseal vault.Unseal vault.void
updateSecretMetadata
(String mount, String key, Integer maxVersions, boolean casRequired) Update secret metadata.default void
Write simple value to Vault.default void
Write value to Vault.void
Write value to Vault.default SecretVersionResponse
Write secret to Vault.Write secret to Vault.Methods inherited from interface java.lang.AutoCloseable
close
-
Method Details
-
resetAuth
void resetAuth()Reset authorization information. -
sealStatus
Retrieve status of vault seal.- Returns:
- Seal status
- Throws:
VaultConnectorException
- on error
-
seal
Seal vault.- Throws:
VaultConnectorException
- on error
-
unseal
Unseal vault.- Parameters:
key
- A single master share keyreset
- Discard previously provided keys (optional)- Returns:
- Response with seal status
- Throws:
VaultConnectorException
- on error
-
unseal
Unseal vault.- Parameters:
key
- A single master share key- Returns:
- Response with seal status
- Throws:
VaultConnectorException
- on error
-
getHealth
Query server health information.- Returns:
- Health information.
- Throws:
VaultConnectorException
- on error- Since:
- 0.7.0
-
getAuthBackends
Get all available authentication backends.- Returns:
- List of backends
- Throws:
VaultConnectorException
- on error
-
authToken
Authorize to Vault using token.- Parameters:
token
- The token- Returns:
- Token response
- Throws:
VaultConnectorException
- on error
-
authUserPass
Authorize to Vault using username and password.- Parameters:
username
- The usernamepassword
- The password- Returns:
- Authorization result
- Throws:
VaultConnectorException
- on error
-
authAppRole
Authorize to Vault using AppRole method without secret ID.- Parameters:
roleID
- The role ID- Returns:
- The
AuthResponse
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
authAppRole
Authorize to Vault using AppRole method.- Parameters:
roleID
- The role IDsecretID
- The secret ID- Returns:
- The
AuthResponse
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRole
Register a new AppRole role from given metamodel.- Parameters:
role
- The role- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRole
Register new AppRole role with default policy.- Parameters:
roleName
- The role name- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRole
default boolean createAppRole(String roleName, List<String> policies) throws VaultConnectorException Register new AppRole role with policies.- Parameters:
roleName
- The role namepolicies
- The policies to associate with- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRole
Register new AppRole role with default policy and custom ID.- Parameters:
roleName
- The role nameroleID
- A custom role ID- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRole
default boolean createAppRole(String roleName, List<String> policies, String roleID) throws VaultConnectorException Register new AppRole role with policies and custom ID.- Parameters:
roleName
- The role namepolicies
- The policies to associate withroleID
- A custom role ID- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
deleteAppRole
Delete AppRole role from Vault.- Parameters:
roleName
- The role name- Returns:
true
on success- Throws:
VaultConnectorException
- on error
-
lookupAppRole
Lookup an AppRole role.- Parameters:
roleName
- The role name- Returns:
- Result of the lookup
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
getAppRoleID
Retrieve ID for an AppRole role.- Parameters:
roleName
- The role name- Returns:
- The role ID
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
setAppRoleID
Set custom ID for an AppRole role.- Parameters:
roleName
- The role nameroleID
- The role ID- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRoleSecret
Register new random generated AppRole secret.- Parameters:
roleName
- The role name- Returns:
- The secret ID
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRoleSecret
default AppRoleSecretResponse createAppRoleSecret(String roleName, String secretID) throws VaultConnectorException Register new AppRole secret with custom ID.- Parameters:
roleName
- The role namesecretID
- A custom secret ID- Returns:
- The secret ID
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
createAppRoleSecret
AppRoleSecretResponse createAppRoleSecret(String roleName, AppRoleSecret secret) throws VaultConnectorException Register new AppRole secret with custom ID.- Parameters:
roleName
- The role namesecret
- The secret meta object- Returns:
- The secret ID
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
lookupAppRoleSecret
AppRoleSecretResponse lookupAppRoleSecret(String roleName, String secretID) throws VaultConnectorException Lookup an AppRole secret.- Parameters:
roleName
- The role namesecretID
- The secret ID- Returns:
- Result of the lookup
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
destroyAppRoleSecret
Destroy an AppRole secret.- Parameters:
roleName
- The role namesecretID
- The secret meta object- Returns:
- The secret ID
- Throws:
VaultConnectorException
- on error- Since:
- 0.4.0
-
listAppRoles
List existing (accessible) AppRole roles.- Returns:
- List of roles
- Throws:
VaultConnectorException
- on error
-
listAppRoleSecrets
List existing (accessible) secret IDs for AppRole role.- Parameters:
roleName
- The role name- Returns:
- List of roles
- Throws:
VaultConnectorException
- on error
-
isAuthorized
boolean isAuthorized()Get authorization status.- Returns:
- TRUE, if successfully authorized
-
read
Retrieve any nodes content from Vault.- Parameters:
key
- Secret identifier- Returns:
- Secret response
- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
readSecretData
Retrieve the latest secret data for specific version from Vault.
Path<mount>/data/<key>
is read here. Only available for KV v2 secrets.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret identifier- Returns:
- Secret response
- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
writeSecretData
default SecretVersionResponse writeSecretData(String mount, String key, Map<String, Object> data) throws VaultConnectorExceptionWrite secret to Vault.
Path<mount>/data/<key>
is written here. Only available for KV v2 secrets.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret identifierdata
- Secret content. Value must be be JSON serializable.- Returns:
- Metadata for the created/updated secret.
- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
writeSecretData
SecretVersionResponse writeSecretData(String mount, String key, Map<String, Object> data, Integer cas) throws VaultConnectorExceptionWrite secret to Vault.
Path<mount>/data/<key>
is written here. Only available for KV v2 secrets.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret identifierdata
- Secret content. Value must be be JSON serializable.cas
- Use Check-And-Set operation, i.e. only allow writing if current version matches this value.- Returns:
- Metadata for the created/updated secret.
- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
readSecretVersion
SecretResponse readSecretVersion(String mount, String key, Integer version) throws VaultConnectorException Retrieve secret data from Vault.
Path<mount>/data/<key>
is read here. Only available for KV v2 secrets.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret identifierversion
- Version to read. Ifnull
or zero, the latest version will be returned.- Returns:
- Secret response.
- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
readSecretMetadata
Retrieve secret metadata from Vault.
Path<mount>/metadata/<key>
is read here. Only available for KV v2 secrets.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret identifier- Returns:
- Metadata response
- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
updateSecretMetadata
void updateSecretMetadata(String mount, String key, Integer maxVersions, boolean casRequired) throws VaultConnectorException Update secret metadata.
Path<mount>/metadata/<key>
is written here. Only available for KV v2 secrets.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret identifiermaxVersions
- Maximum number of versions (fallback to backend default ifnull
)casRequired
- Specify if Check-And-Set is required for this secret.- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
list
List available nodes from Vault.- Parameters:
path
- Root path to search- Returns:
- List of secret keys
- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
write
Write simple value to Vault.- Parameters:
key
- Secret pathvalue
- Secret value- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
write
Write value to Vault.- Parameters:
key
- Secret pathdata
- Secret content. Value must be be JSON serializable.- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
write
void write(String key, Map<String, Object> data, Map<String, throws VaultConnectorExceptionObject> options) Write value to Vault.- Parameters:
key
- Secret pathdata
- Secret content. Value must be be JSON serializable.options
- Secret options (optional).- Throws:
VaultConnectorException
- on error- Since:
- 0.8
options
parameter added
-
delete
Delete key from Vault.- Parameters:
key
- Secret path- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
deleteLatestSecretVersion
Delete latest version of a secret from Vault.
Only available for KV v2 stores.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret path.- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
deleteAllSecretVersions
Delete latest version of a secret from Vault.
Prefixsecret/
is automatically added to path. Only available for KV v2 stores.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret path.- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
deleteSecretVersions
Delete secret versions from Vault.
Only available for KV v2 stores.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret path.versions
- Versions of the secret to delete.- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
undeleteSecretVersions
void undeleteSecretVersions(String mount, String key, int... versions) throws VaultConnectorException Undelete (restore) secret versions from Vault. Only available for KV v2 stores.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret path.versions
- Versions of the secret to undelete.- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
destroySecretVersions
void destroySecretVersions(String mount, String key, int... versions) throws VaultConnectorException Destroy secret versions from Vault. Only available for KV v2 stores.- Parameters:
mount
- Secret store mount point (without leading or trailing slash).key
- Secret path.versions
- Versions of the secret to destroy.- Throws:
VaultConnectorException
- on error- Since:
- 0.8
-
revoke
Revoke given lease immediately.- Parameters:
leaseID
- the lease ID- Throws:
VaultConnectorException
- on error
-
renew
Renew lease with given ID.- Parameters:
leaseID
- the lase ID- Returns:
- Renewed lease
- Throws:
VaultConnectorException
- on error
-
renew
Renew lease with given ID.- Parameters:
leaseID
- the lase IDincrement
- number of seconds to extend lease time- Returns:
- Renewed lease
- Throws:
VaultConnectorException
- on error
-
createToken
Create a new token.- Parameters:
token
- the token- Returns:
- the result response
- Throws:
VaultConnectorException
- on error
-
createToken
Create a new token.- Parameters:
token
- the tokenorphan
- create orphan token- Returns:
- the result response
- Throws:
VaultConnectorException
- on error
-
createToken
Create a new token for specific role.- Parameters:
token
- the tokenrole
- the role name- Returns:
- the result response
- Throws:
VaultConnectorException
- on error
-
lookupToken
Lookup token information.- Parameters:
token
- the token- Returns:
- the result response
- Throws:
VaultConnectorException
- on error
-
createOrUpdateTokenRole
Create a new or update an existing token role.- Parameters:
role
- the role entity (name must be set)- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.9
-
createOrUpdateTokenRole
Create a new or update an existing token role.- Parameters:
name
- the role name (overrides name possibly set in role entity)role
- the role entity- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.9
-
readTokenRole
Lookup token information.- Parameters:
name
- the role name- Returns:
- the result response
- Throws:
VaultConnectorException
- on error- Since:
- 0.9
-
listTokenRoles
List available token roles from Vault.- Returns:
- List of token roles
- Throws:
VaultConnectorException
- on error- Since:
- 0.9
-
deleteTokenRole
Delete a token role.- Parameters:
name
- the role name to delete- Returns:
true
on success- Throws:
VaultConnectorException
- on error- Since:
- 0.9
-
readMySqlCredentials
Read credentials for MySQL backend at default mount point.- Parameters:
role
- the role name- Returns:
- the credentials response
- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
readPostgreSqlCredentials
Read credentials for PostgreSQL backend at default mount point.- Parameters:
role
- the role name- Returns:
- the credentials response
- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
readMsSqlCredentials
Read credentials for MSSQL backend at default mount point.- Parameters:
role
- the role name- Returns:
- the credentials response
- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
readMongoDbCredentials
Read credentials for MSSQL backend at default mount point.- Parameters:
role
- the role name- Returns:
- the credentials response
- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-
readDbCredentials
default CredentialsResponse readDbCredentials(String role, String mount) throws VaultConnectorException Read credentials for SQL backends.- Parameters:
role
- the role namemount
- mount point of the SQL backend- Returns:
- the credentials response
- Throws:
VaultConnectorException
- on error- Since:
- 0.5.0
-