File: legacymfa.rst

python-hvac 2.3.0-5
Legacy MFA
==========

Configure Legacy MFA Auth Method Settings
-----------------------------------------

:py:meth:`hvac.api.auth_methods.LegacyMfa.configure`

.. note::
	The legacy/unsupported MFA auth method covered by this class's configuration API route only supports integration with a subset of Vault auth methods. See the list of supported auth methods in this module's :py:attr:`"SUPPORTED_AUTH_METHODS" attribute<hvac.api.auth_methods.LegacyMfa.SUPPORTED_AUTH_METHODS>` and/or the associated `Vault LegacyMFA documentation`_ for additional information.

.. _Vault LegacyMFA documentation: https://developer.hashicorp.com/vault/docs/v1.10.x/auth/mfa

.. code:: python

    import hvac
    client = hvac.Client()

    userpass_auth_path = 'some-userpass'

    # Mounts returned by list_auth_methods() are keyed with a trailing slash.
    if '%s/' % userpass_auth_path not in client.sys.list_auth_methods()['data']:
        print('Enabling the userpass auth backend at mount_point: {path}'.format(
            path=userpass_auth_path,
        ))
        client.sys.enable_auth_method(
            method_type='userpass',
            path=userpass_auth_path,
        )

    client.auth.legacymfa.configure(
        mount_point=userpass_auth_path,
    )
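
The note above restricts legacy MFA to a subset of auth methods, so it is worth checking the mount's type before configuring and reading the setting back afterwards. The following is an added example, not part of the hvac documentation or code base: ``ensure_legacy_mfa`` and ``make_fake_client`` are hypothetical helpers, the supported-type list in the demo is a constructed sample, and the ``mfa_type`` keyword with the value ``'duo'`` is an assumption about ``configure``.

```python
from types import SimpleNamespace


def ensure_legacy_mfa(client, mount_point, supported_types,
                      method_type="userpass", mfa_type="duo"):
    """Enable the auth mount if absent, configure legacy MFA on it, verify the result.

    Raises ValueError before changing anything when the mount's type is not in
    supported_types (pass LegacyMfa.SUPPORTED_AUTH_METHODS in real use).
    """
    mount_point = mount_point.strip("/")
    mounts = client.sys.list_auth_methods()["data"]
    existing = mounts.get(mount_point + "/")  # mounts are keyed with a trailing slash
    found_type = existing["type"] if existing else method_type
    if found_type not in supported_types:
        raise ValueError("legacy MFA cannot wrap %r mounted at %r" % (found_type, mount_point))
    if existing is None:
        client.sys.enable_auth_method(method_type=method_type, path=mount_point)
    client.auth.legacymfa.configure(mount_point=mount_point, mfa_type=mfa_type)
    # Read back instead of trusting the write: a login path believed to need MFA
    # but left unconfigured is the failure worth catching here.
    applied = client.auth.legacymfa.read_configuration(mount_point=mount_point)["data"]["type"]
    if applied != mfa_type:
        raise RuntimeError("expected MFA type %r, Vault reports %r" % (mfa_type, applied))
    return "configured" if existing else "enabled+configured"


def make_fake_client(mounts):
    """Constructed offline stand-in exposing only the client calls used above."""
    state = {"mounts": dict(mounts), "mfa": {}}

    def enable_auth_method(method_type, path):
        state["mounts"][path + "/"] = {"type": method_type}

    def configure(mount_point, mfa_type):
        state["mfa"][mount_point] = mfa_type

    sys_api = SimpleNamespace(
        list_auth_methods=lambda: {"data": state["mounts"]},
        enable_auth_method=enable_auth_method,
    )
    mfa_api = SimpleNamespace(
        configure=configure,
        read_configuration=lambda mount_point: {"data": {"type": state["mfa"][mount_point]}},
    )
    return SimpleNamespace(sys=sys_api, auth=SimpleNamespace(legacymfa=mfa_api), state=state)


if __name__ == "__main__":
    SAMPLE_SUPPORTED = ("userpass", "ldap")  # constructed sample, not hvac's actual list
    fake = make_fake_client({"token/": {"type": "token"}})
    print(ensure_legacy_mfa(fake, "some-userpass", SAMPLE_SUPPORTED))
```

Against a real Vault server, pass an ``hvac.Client()`` instance in place of the fake client.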

Reading the Legacy MFA Auth Method Configuration
------------------------------------------------

:py:meth:`hvac.api.auth_methods.LegacyMfa.read_configuration`

.. code:: python

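    import hvac
    client = hvac.Client()

    # Same mount point used when the userpass backend was enabled above
    userpass_auth_path = 'some-userpass'

    mfa_configuration = client.auth.legacymfa.read_configuration(
        mount_point=userpass_auth_path,
    )
    print('The LegacyMFA auth method is configured with a MFA type of: {mfa_type}'.format(
        mfa_type=mfa_configuration['data']['type']
    ))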

Configure Duo LegacyMFA Type Access Credentials
-----------------------------------------------

:py:meth:`hvac.api.auth_methods.LegacyMfa.configure_duo_access`

.. code:: python

    from getpass import getpass

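    import hvac
    client = hvac.Client()

    # Same mount point used when the userpass backend was enabled above
    userpass_auth_path = 'some-userpass'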

    secret_key_prompt = 'Please enter the Duo access secret key to configure: '
    duo_access_secret_key = getpass(prompt=secret_key_prompt)

    client.auth.legacymfa.configure_duo_access(
        mount_point=userpass_auth_path,
        host='api-1234abcd.duosecurity.com',
        integration_key='SOME_DUO_IKEY',
        secret_key=duo_access_secret_key,
    )

Configure Duo Legacy MFA Type Behavior
--------------------------------------

:py:meth:`hvac.api.auth_methods.LegacyMfa.configure_duo_behavior`

.. code:: python

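    import hvac
    client = hvac.Client()

    # Same mount point used when the userpass backend was enabled above
    userpass_auth_path = 'some-userpass'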

    client.auth.legacymfa.configure_duo_behavior(
        mount_point=userpass_auth_path,
        username_format='%s@hvac.network',
    )


Read Duo Legacy MFA Type Behavior
---------------------------------

:py:meth:`hvac.api.auth_methods.LegacyMfa.read_duo_behavior_configuration`

.. code:: python

    import hvac
    client = hvac.Client()

    # Same mount point used when the userpass backend was enabled above
    userpass_auth_path = 'some-userpass'

    duo_behavior_config = client.auth.legacymfa.read_duo_behavior_configuration(
        mount_point=userpass_auth_path,
    )
    print('The Duo LegacyMFA behavior is configured with a username_format of: {username_format}'.format(
        username_format=duo_behavior_config['data']['username_format'],
    ))

Authentication / Login
----------------------

.. code:: python

    from getpass import getpass

    import hvac

    login_username = 'someuser'
    password_prompt = 'Please enter your password for the userpass (with MFA) authentication backend: '
    login_password = getpass(prompt=password_prompt)
    passcode_prompt = 'Please enter your OTP for the userpass (with MFA) authentication backend: '
    userpass_mfa_passcode = getpass(prompt=passcode_prompt)

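    client = hvac.Client()

    # Same mount point used when the userpass backend was enabled above
    userpass_auth_path = 'some-userpass'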

    # Here the mount_point parameter corresponds to the path provided when enabling the backend
    client.auth.legacymfa.auth_userpass(
        username=login_username,
        password=login_password,
        mount_point=userpass_auth_path,
        passcode=userpass_mfa_passcode,
    )
    print(client.is_authenticated())  # => True