This is a Python-based client library for communicating with Cerberus and Vault via HTTPS. It enables authentication schemes specific to AWS and Cerberus.
This client currently supports read-only operations (write operations are not yet implemented; feel free to open a pull request to implement them).
To learn more about Cerberus, please visit the Cerberus website.
This is a Python 3 project but should be compatible with Python 2.7.
Install the cerberus python client and required python packages:
python3 setup.py install
or, for Python 2.7:
python setup.py install
Or simply use pip or pip3:
pip3 install cerberus-python-client
from cerberus.client import CerberusClient
This client supports two different types of authentication, both of which return a Vault token.
- username and password (CLI usage)
client = CerberusClient('https://my.cerberus.url', username, password)
- EC2 IAM role or Lambda (default mode)
Generally it does NOT make sense to store Lambda secrets in Cerberus for two reasons:
- Cerberus cannot support the scale that lambdas may need, e.g. thousands of requests per second
- Lambdas will not want the extra latency needed to authenticate and read from Cerberus
A better solution for Lambda secrets is the encrypted environment variables feature provided by AWS.
Another option is to store Lambda secrets in Cerberus but read them only at Lambda deploy time, then store them as encrypted environment variables, to avoid the extra Cerberus runtime latency.
The IAM role assigned to the Lambda function must contain the following policy statement in addition to the above KMS decrypt policy. This is so the Lambda can look up its own role metadata and automatically authenticate with the Cerberus IAM auth endpoint:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetRole",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
client = CerberusClient('https://my.cerberus.url')
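The policy above grants exactly one action, iam:GetRole, which is all the IAM auth flow needs. The following is an added example, not part of this client, that checks a role's policy document before deployment: it confirms iam:GetRole is allowed and flags wildcard grants (`*`, `iam:*`) that are far broader than required. The helper names are assumptions.

```python
import json

# The policy statement the README requires on the Lambda execution role.
REQUIRED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowGetRole", "Effect": "Allow",
     "Action": ["iam:GetRole"], "Resource": ["*"]}
  ]
}
""")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_lambda_role_policy(policy):
    """Return a list of findings for an IAM policy document (dict or JSON string).

    An empty list means iam:GetRole is allowed and no wildcard IAM grant was seen.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    allows_get_role = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot satisfy the requirement
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if "iam:getrole" in actions:
            allows_get_role = True
        for action in actions:
            if action == "*" or (action.startswith("iam:") and action.endswith("*")):
                findings.append(
                    "%s: wildcard action %r is broader than iam:GetRole" % (sid, action))
                allows_get_role = True  # the wildcard covers iam:GetRole as well
    if not allows_get_role:
        findings.append("no Allow statement grants iam:GetRole; Cerberus IAM auth will fail")
    return findings
```

Run it against the role's policy document (for example the output of `aws iam get-role-policy`) as part of the deploy pipeline, and treat any finding as a blocker.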
To get a secret for a specific key:
secret = client.get_secret(path, key)
To get all the secrets for a Vault path:
secrets = client.get_secrets(path)
If you simply want to get a token you can use the Auth classes. You can also use the CerberusClient class.
- username and password
from cerberus.user_auth import UserAuth
token = UserAuth('https://my.cerberus.url', 'username', 'password').get_token()
- EC2 IAM role
from cerberus.aws_auth import AWSAuth
token = AWSAuth('https://my.cerberus.url').get_token()
You can run all the unit tests using nosetests. Most of the tests are mocked.
$ nosetests --verbosity=2 tests/
This project is maintained by Ann Wallace ann.wallace@nike.com
Cerberus Management Service is released under the Apache License, Version 2.0