Python Client for Cerberus

Cerberus Python Client

This is a Python client library for communicating with Cerberus and Vault over HTTPS. It implements the authentication schemes specific to AWS and Cerberus.

This client currently supports read-only operations. Write operations are not yet implemented; pull requests that implement them are welcome.

To learn more about Cerberus, please visit the Cerberus website.

Installation

This is a Python 3 project but should be compatible with python 2.7.

Install the cerberus python client and required python packages:

python3 setup.py install

or for python 2.7

python setup.py install

Or simply use pip or pip3

pip3 install cerberus-python-client

Usage

from cerberus.client import CerberusClient

This client supports two types of authentication, both of which return a Vault token:

  • username and password (CLI usage)
client = CerberusClient('https://my.cerberus.url', username, password)
  • EC2 IAM role or Lambda (default mode, used when no username and password are passed; see the Lambda notes and prerequisites below)

Lambdas

Generally it does NOT make sense to store Lambda secrets in Cerberus, for two reasons:

  1. Cerberus cannot support the request rate Lambdas may generate, e.g. thousands of requests per second
  2. Lambdas should not pay the extra latency of authenticating with and reading from Cerberus on every invocation

A better solution for Lambda secrets is the encrypted environment variables feature provided by AWS.

Another option is to store Lambda secrets in Cerberus but read them only at Lambda deploy time, then store them as encrypted environment variables, which avoids the Cerberus round trip at runtime.

Prerequisites for Lambda

The IAM role assigned to the Lambda function must contain the following policy statement, in addition to the KMS decrypt permission that Cerberus IAM authentication already requires. This lets the Lambda look up its own role metadata so the client can authenticate automatically against the Cerberus IAM auth endpoint. `"Resource": ["*"]` is the broadest form; where you know the ARN of the role the Lambda runs as, narrow the statement to that ARN.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowGetRole",
        "Effect": "Allow",
        "Action": [
          "iam:GetRole"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }

Once the role is in place, construct the client with no credentials and it authenticates using the EC2 instance or Lambda IAM role:

client = CerberusClient('https://my.cerberus.url')

To get a secret for a specific key

secret = client.get_secret(path, key)

To get all the secrets for a vault path

secrets = client.get_secrets(path)
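The following is an added example, not code from cerberus-python-client. It shows how a long-running process or a deploy script would use the read API shown above (`get_secret` / `get_secrets`): `CachedSecretReader` reads a path once and serves keys from memory until a TTL expires, which is the latency concern raised in the Lambda notes, and fails closed when a required key is absent; `to_lambda_environment` turns secrets read at deploy time into the `Environment` payload that Lambda's UpdateFunctionConfiguration accepts, implementing the deploy-time option described there. The wrapper accepts any object with a `get_secrets(path)` method, so `FakeCerberusClient` and the sample path `app/prod/db` are constructed stand-ins that let it run offline; `build_client` wires in the real `CerberusClient` with the two constructor forms documented on this page when the package is installed. The Lambda variable-name pattern is the one AWS documents for environment variable keys.

```python
"""Added example, not part of cerberus-python-client: cache reads from the
client's get_secrets() API and export them as Lambda environment variables."""
import re
import time

try:  # the real client is optional here so the example also runs where it is not installed
    from cerberus.client import CerberusClient
except ImportError:
    CerberusClient = None

# Lambda requires environment variable names to match this pattern (AWS API constraint).
_ENV_NAME = re.compile(r"^[a-zA-Z]([a-zA-Z0-9_])+$")


def build_client(url, username=None, password=None):
    """Real client via the two constructor forms shown on the page: username/password,
    or the EC2/Lambda IAM role (the default when no credentials are passed)."""
    if CerberusClient is None:
        raise RuntimeError("cerberus-python-client is not installed")
    if username is not None:
        return CerberusClient(url, username, password)
    return CerberusClient(url)


class CachedSecretReader:
    """Reads a whole Cerberus path once and serves keys from memory until a TTL expires.
    `client` is any object exposing get_secrets(path) -> dict (a CerberusClient in practice).
    Secret values are never placed in exception messages."""

    def __init__(self, client, ttl_seconds=300.0, clock=time.monotonic):
        self._client = client
        self._ttl = float(ttl_seconds)
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._cache = {}  # path -> (expires_at, secrets)

    def get_secrets(self, path):
        now = self._clock()
        entry = self._cache.get(path)
        if entry is None or now >= entry[0]:
            secrets = dict(self._client.get_secrets(path))
            self._cache[path] = (now + self._ttl, secrets)
            return dict(secrets)
        return dict(entry[1])

    def get_secret(self, path, key):
        secrets = self.get_secrets(path)
        if key not in secrets:
            raise KeyError("secret %r not found at %r" % (key, path))
        return secrets[key]

    def require(self, path, keys):
        """Fail closed: every requested key must exist or nothing is returned."""
        secrets = self.get_secrets(path)
        missing = sorted(k for k in keys if k not in secrets)
        if missing:
            raise KeyError("missing secrets at %r: %s" % (path, ", ".join(missing)))
        return {k: secrets[k] for k in keys}


def to_lambda_environment(secrets, prefix=""):
    """Build the Environment payload for Lambda's UpdateFunctionConfiguration from secrets
    read at deploy time; Lambda encrypts the values at rest with the function's KMS key.
    Keys are upper-cased, dashes become underscores, and names are validated."""
    variables = {}
    for key, value in secrets.items():
        name = (prefix + key).upper().replace("-", "_")
        if not _ENV_NAME.match(name):
            raise ValueError("invalid Lambda environment variable name: %r" % name)
        variables[name] = value
    return {"Variables": variables}


class FakeCerberusClient:
    """Constructed stand-in for CerberusClient so the example runs offline; counts requests."""

    def __init__(self, data):
        self._data = data
        self.calls = 0

    def get_secrets(self, path):
        self.calls += 1
        if path not in self._data:
            raise KeyError("no secrets at %r" % path)
        return dict(self._data[path])


def demo():
    """Run the reader against constructed sample secrets; returns values worth checking."""
    fake = FakeCerberusClient({"app/prod/db": {"username": "svc_app", "password": "hunter2", "api-key": "k1"}})
    clock = [0.0]
    reader = CachedSecretReader(fake, ttl_seconds=60, clock=lambda: clock[0])
    first = reader.get_secret("app/prod/db", "password")
    second = reader.get_secret("app/prod/db", "password")  # served from cache, no second request
    calls_before_expiry = fake.calls
    clock[0] = 61.0  # TTL expired: the next read goes back to the client exactly once
    reader.require("app/prod/db", ["username", "password"])
    env = to_lambda_environment(reader.get_secrets("app/prod/db"), prefix="db_")
    return first == second, calls_before_expiry, fake.calls, env
```

The TTL trades freshness for fewer round trips; pick it to match how quickly a rotated secret must take effect. The deploy-time payload is meant to be passed to Lambda's configuration update by your deploy tooling, so the runtime never talks to Cerberus at all.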

If you only want a token, use the Auth classes directly; the CerberusClient class obtains one the same way.

  • username and password
from cerberus.user_auth import UserAuth
token = UserAuth('https://my.cerberus.url', 'username', 'password').get_token()
  • EC2 IAM role
from cerberus.aws_auth import AWSAuth
token = AWSAuth('https://my.cerberus.url').get_token()

Running Tests

You can run all the unit tests using nosetests. Most of the tests are mocked.

$ nosetests --verbosity=2 tests/

Maintenance

This project is maintained by Ann Wallace ann.wallace@nike.com

License

The Cerberus Python Client is released under the Apache License, Version 2.0