Auth Methods
The library supports four mutually exclusive auth methods:
- token
- approle
- kubernetes
- jwt
1. Token
from vault_kv_client import VaultAuth, VaultManager, VaultSettings
settings = VaultSettings(addr="https://vault.example.com")
auth = VaultAuth(token="s.xxxxx")
client = VaultManager(settings=settings, auth=auth)
Use this when your application already receives a Vault token from an external identity broker or bootstrap process.
2. AppRole
auth = VaultAuth(approle=("ROLE_ID", "SECRET_ID"))
client = VaultManager(settings=settings, auth=auth)
3. Kubernetes Auth
from vault_kv_client import VaultAuth, VaultKubernetesAuth
auth = VaultAuth(
    kubernetes=VaultKubernetesAuth(
        role="my-service",
        mount_point="k8s",
    )
)
If jwt is not provided, the library reads the service account token from:
/var/run/secrets/kubernetes.io/serviceaccount/token
You can also provide jwt or jwt_file explicitly.
4. Vault JWT / OIDC Auth
from vault_kv_client import VaultAuth, VaultJWTAuth
auth = VaultAuth(
    jwt=VaultJWTAuth(
        role="gitlab-role",
        mount_point="jwt",
        jwt="eyJhbGciOi...",
    )
)
If your auth mount defines a default_role, you may omit role.
Environment Variables
The convenience bootstrap supports these common patterns:
Connection
- VAULT_ADDR
- VAULT_SERVER_URL
- VAULT_NAMESPACE
- VAULT_VERIFY
- VAULT_SKIP_VERIFY
- VAULT_CACERT
- VAULT_CACERT_BYTES
Token
- VAULT_TOKEN
AppRole
- VAULT_ROLE_ID
- VAULT_SECRET_ID
Kubernetes
- VAULT_AUTH_METHOD=k8s
- VAULT_ROLE
- VAULT_PATH
- optional: VAULT_JWT
- optional: VAULT_JWT_FILE
VAULT_AUTH_METHOD=kubernetes is accepted as an alias.
JWT / OIDC
- VAULT_AUTH_METHOD=jwt
- VAULT_AUTH_ROLE
- VAULT_AUTH_PATH
- VAULT_JWT
- VAULT_JWT_ENV_VAR
- VAULT_ID_TOKEN
- VAULT_JWT_FILE
Legacy / Deprecated Behavior
Older deployments that set VAULT_AUTH_METHOD=jwt together with VAULT_ROLE
and VAULT_PATH are still recognized as Kubernetes auth. This behavior is
deprecated and preserved only for backward compatibility.
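The rules on this page (four mutually exclusive methods, plus the legacy VAULT_AUTH_METHOD=jwt case) can be checked before a deployment ships. The lint below is an added example, not part of vault_kv_client; the name classify_vault_env, the sample values, and the choice to report overlapping credentials rather than pick a winner are assumptions.

```python
# Added example: a pre-deployment lint over the environment variables listed on
# this page. It does not import or reproduce vault_kv_client's own resolution logic.
K8S_SELECTORS = {"k8s", "kubernetes"}  # "kubernetes" is the documented alias


def classify_vault_env(env):
    """Return (methods, warnings) for a mapping of environment variables."""
    def has(name):
        return bool(env.get(name, "").strip())

    selector = env.get("VAULT_AUTH_METHOD", "").strip()
    methods, warnings = set(), []

    if has("VAULT_TOKEN"):
        methods.add("token")
    if has("VAULT_ROLE_ID") and has("VAULT_SECRET_ID"):
        methods.add("approle")
    elif has("VAULT_ROLE_ID") or has("VAULT_SECRET_ID"):
        warnings.append("incomplete AppRole pair: set both VAULT_ROLE_ID and VAULT_SECRET_ID")

    if selector in K8S_SELECTORS:
        methods.add("kubernetes")
    elif selector == "jwt" and has("VAULT_ROLE") and has("VAULT_PATH"):
        # Legacy combination from the section above: handled as Kubernetes auth.
        methods.add("kubernetes")
        warnings.append("deprecated: VAULT_AUTH_METHOD=jwt with VAULT_ROLE and VAULT_PATH "
                        "selects Kubernetes auth, not JWT auth")
    elif selector == "jwt":
        methods.add("jwt")
    elif selector:
        warnings.append(f"VAULT_AUTH_METHOD={selector!r} is not a value listed on this page")

    if len(methods) > 1:
        # The methods are mutually exclusive. Which one would win is not stated on
        # this page, so the lint reports the overlap instead of guessing (assumption).
        warnings.append("multiple auth methods configured: " + ", ".join(sorted(methods)))
    return sorted(methods), warnings


# Constructed sample environments, not taken from any real deployment.
SAMPLES = {
    "legacy": {"VAULT_AUTH_METHOD": "jwt", "VAULT_ROLE": "my-service", "VAULT_PATH": "k8s"},
    "overlap": {"VAULT_TOKEN": "s.xxxxx", "VAULT_ROLE_ID": "ROLE_ID", "VAULT_SECRET_ID": "SECRET_ID"},
    "jwt": {"VAULT_AUTH_METHOD": "jwt", "VAULT_AUTH_ROLE": "gitlab-role", "VAULT_AUTH_PATH": "jwt"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, *classify_vault_env(env))
```

Run it in CI against the rendered deployment environment and fail the job on any warning, so a leftover VAULT_TOKEN or a legacy jwt selector is caught before the service authenticates with an unintended method.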