Persistent auth credentials for the application (hvac python module)

I develop an application in Python and want to integrate Vault client to get secrets (hvac module). The application is a GUI application, not a service. User starts an application and should log in to the vault.
I can’t grasp something in concept.
I want to give user some persistent credentials to login to vault. The authorization should only use information user knows (pasword, token etc., not GitHub, LDAP and so on).
My first idea was to give the user a token. But all non-root tokens expire, including orphan tokens. Max possible ttl is 32 days which is not enough. Asking all users to update login credentials every 32 days is not acceptable.
Also, it seems not the easiest way to create a periodic token and renew it continuously (need to create a separate service just for that).
Second idea was to authenticate using userpass method. But I can’t find this method in python hvac module (seems it is absent intentionally). It should be possible to authenticate with this method using HTTP API, but this looks wrong way if I have to use it additionally to the hvac module.
AppRole method uses secret-id which also expires.

So, is there a way to authenticate using hvac python module with persistent credentials?

Ah, found an answer. For some reason userpass method is not listed among Auth Methods in documentation here but it exists.
Here is how:

client = hvac.Client(url='http://localhost:8200')
hvac.api.auth_methods.Userpass(client.adapter).login(username="my_user_name", password='my_strong_password')

That’s a remarkably complicated way to do it though…

The documentation that you linked to says you can just do:

client = hvac.Client(url='http://localhost:8200')
client.auth_userpass('MY_USERNAME', 'MY_PASSWORD')
1 Like