DEPRECATION NOTICES:
- The
auth_github()
method within thehvac.Client
class has been marked as deprecated and will be removed in hvac v0.8.0 (or later). Please update any callers of this method to use thehvac.Client.github.login()
instead. - The
auth_ldap()
method within thehvac.Client
class has been marked as deprecated and will be removed in hvac v0.8.0 (or later). Please update any callers of this method to use thehvac.Client.ldap.login()
instead.
IMPROVEMENTS:
- New Github auth method class added. See the documentation for usage / examples. GH-242
- New Ldap auth method class added. See the documentation for usage / examples. GH-244
- New Mfa auth method class added. See the documentation for usage / examples. GH-255
auth_aws_iam()
method updated to include "region" parameter for deployments in different AWS regions. GH-243
DOCUMENTATION UPDATES:
- Additional guidance for how to configure hvac's
Client
class to leverage self-signed certificates / private CA bundles has been added at: Making Use of Private CA. GH-230 - Docstring for
verify
Client
parameter corrected and expanded. GH-238
MISCELLANEOUS:
- Automated PyPi deploys via travis-ci removed. GH-226
- Repository transferred to the new "hvac" GitHub organization; thanks @ianunruh! GH-227
- Codecov (automatic code coverage reports) added. GH-229 / GH-228
- Tests subdirectory reorganized; now broken up by integration versus unit tests with subdirectories matching the module path for the code under test. GH-236
Thanks to @otakup0pe, @FabianFrank, @andrewheald for their lovely contributions.
BACKWARDS COMPATIBILITY NOTICE:
- With the newly added
hvac.adapters.Request
class, request kwargs can no longer be directly modified via the_kwargs
attribute on theClient
class. If runtime modifications to this dictionary are required, callers either need to explicitly pass in a newadapter
instance with the desired settings via theadapter
propery on theClient
class or access the_kwargs
property via theadapter
property on theClient
class.
See the Advanced Usage section of this module's documentation for additional details.
IMPROVEMENTS:
- sphinx documentation and readthedocs.io project added. GH-222
- README.md included in setuptools metadata. GH-222
- All
tune_secret_backend()
parameters now accepted. GH-215 - Add
read_lease()
method GH-218 - Added adapter module with
Request
class to abstract HTTP requests away from theClient
class. GH-223
Thanks to @bbayszczak, @jvanbrunschot-coolblue for their lovely contributions.
IMPROVEMENTS:
- Update
unwrap()
method to match current Vault versions [GH-149] - Initial support for Kubernetes authentication backend [GH-210]
- Initial support for Google Cloud Platform (GCP) authentication backend [GH-206]
- Update enable_secret_backend function to support kv version 2 [GH-201]
BUG FIXES:
- Change URL parsing to allow for routes in the base Vault address (e.g.,
https://example.com/vault
) [GH-212].
Thanks to @mracter, @cdsf, @SiN, @seanmalloy, for their lovely contributions.
BACKWARDS COMPATIBILITY NOTICE:
- Token revocation now sends the token in the request payload. Requires Vault >0.6.5
- Various methods have new and/or re-ordered keyword arguments. Code calling these methods with positional arguments may need to be modified.
IMPROVEMENTS:
- Ensure mount_point Parameter for All AWS EC2 Methods [GH-195]
- Add Methods for Auth Backend Tuning [GH-193]
- Customizable approle path / mount_point [GH-190]
- Add more methods for the userpass backend [GH-175]
- Add transit signature_algorithm parameter [GH-174]
- Add auth_iam_aws() method [GH-170]
- lookup_token function POST token not GET [GH-164]
- Create_role_secret_id with wrap_ttl & fix get_role_secret_id_accessor [GH-159]
- Fixed json() from dict bug and added additional arguments on auth_ec2() method [GH-157]
- Support specifying period when creating EC2 roles [GH-140]
- Added support for /sys/generate-root endpoint [GH-131] / [GH-199]
- Added "auth_cubbyhole" method [GH-119]
- Send token/accessor as a payload to avoid being logged [GH-117]
- Add AppRole delete_role method [GH-112]
BUG FIXES:
- Always Specify auth_type In create_ec2_role [GH-197]
- Fix "double parasing" of JSON response in auth_ec2 method [GH-181]
Thanks to @freimer, @ramiamar, @marcoslopes, @ianwestcott, @marc-sensenich, @sunghyun-lee, @jnaulty, @sijis, @Myles-Steinhauser-Bose, @oxmane, @ltm, @bchannak, @tkinz27, @crmulliner, for their lovely contributions.
IMPROVEMENTS:
- Added
disallowed_policies
parameter tocreate_token_role
method [GH-169]
Thanks to @morganda for their lovely contribution.
IMPROVEMENTS:
- Add support for the
period
parameter on token creation [GH-167] - Add support for the
cidr_list
parameter for approle secrets [GH-114]
BUG FIXES:
- Documentation is now more accurate [GH-165] / [GH-154]
Thanks to @ti-mo, @dhoeric, @RAbraham, @lhdumittan, @ahsanali for their lovely contributions.
This is just the highlights, there have been a bunch of changes!
IMPROVEVEMENTS:
- Some AppRole support [GH-77]
- Response Wrapping [GH-85]
- AWS EC2 stuff [GH-107], [GH-109]
BUG FIXES
- Better handling of various error states [GH-79], [GH-125]
Thanks to @ianwestcott, @s3u, @mracter, @intgr, @jkdihenkar, @gaelL, @henriquegemignani, @bfeeser, @nicr9, @mwielgoszewski, @mtougeron for their contributions!
IMPROVEMENTS:
- Add token role support [GH-94]
- Add support for Python 2.6 [GH-92]
- Allow setting the explicit_max_ttl when creating a token [GH-81]
- Add support for write response wrapping [GH-85]
BUG FIXES:
- Fix app role endpoints for newer versions of Vault [GH-93]
Thanks to @otakup0pe, @nicr9, @marcoslopes, @caiotomazelli, and @blarghmatey for their contributions!
IMPROVEMENTS:
- Add EC2 auth support [GH-61]
- Add support for token accessors [GH-69]
- Add support for response wrapping [GH-70]
- Add AppRole auth support [GH-77]
BUG FIXES:
- Fix
no_default_policy
parameter increate_token
[GH-65] - Fix EC2 auth double JSON parsing [GH-76]
Thanks to @blarghmatey, @stevenmanton, and @ahlinc for their contributions!
IMPROVEMENTS:
- Add methods for manipulating app/user IDs [GH-62]
- Add ability to automatically parse policies with pyhcl [GH-58]
- Add TTL option to
create_userpass
[GH-60] - Add support for backing up keys on rekey [GH-57]
- Handle non-JSON error responses correctly [GH-46]
BUG FIXES:
is_authenticated
now handles new error type for Vault 0.6.0
BUG FIXES:
- Fix improper URL being used when leader redirection occurs [GH-56]
IMPROVEMENTS:
- Add support for Requests sessions [GH-53]
BUG FIXES:
- Properly handle redirects from Vault server [GH-51]
IMPROVEMENTS:
- Add support for
increment
in renewel of secret [GH-48]
BUG FIXES:
- Use unicode literals when constructing URLs [GH-50]
IMPROVEMENTS:
- Add support for list operation [GH-47]
IMPROVEMENTS:
- Add support for nonce during rekey operation [GH-42]
- Add get method for policies [GH-43]
- Add delete method for userpass auth backend [GH-45]
- Add support for response to rekey init
IMPROVEMENTS:
- Convenience methods for managing userpass and app-id entries
- Support for new API changes in Vault v0.4.0
IMPROVEMENTS:
- Add support for PGP keys when rekeying [GH-28]
BUG FIXES:
- Fixed token metadata parameter [GH-27]
IMPROVEMENTS:
- Add support for
revoke-self
- Restrict
requests
dependency to modern version
IMPROVEMENTS:
-
Add support for API changes/additions in Vault v0.3.0
- Tunable config on secret backends
- MFA on username/password and LDAP auth backends
- PGP encryption for unseal keys
BUG FIXES:
- Fix write response handling [GH-19]
BUG FIXES
- Fix error handling for next Vault release
IMPROVEMENTS:
- Add support for rekey/rotate APIs
BUG FIXES:
- Restrict
requests
dependency to 2.5.0 or later
IMPROVEMENTS:
- Return latest seal status from
unseal_multi
BUG FIXES:
- Use arguments passed to
initialize
method
BACKWARDS COMPATIBILITY NOTICE:
- Requires Vault 0.1.2 or later for
X-Vault-Token
header auth_token
method removed in favor oftoken
propertyread
method no longer raiseshvac.exceptions.InvalidPath
on nonexistent paths
IMPROVEMENTS:
- Tolerate falsey URL in client constructor
- Add ability to auth without changing to new token
- Add
is_authenticated
convenience method - Return
None
when reading nonexistent path
IMPROVEMENTS:
- Add
is_sealed
convenience method - Add
unseal_multi
convenience method
BUG FIXES:
- Remove secret_shares argument from
unseal
method
- Initial release