{"id":13595402,"url":"https://github.com/rajanadar/VaultSharp","last_synced_at":"2025-04-09T13:31:56.020Z","repository":{"id":3542911,"uuid":"50078456","full_name":"rajanadar/VaultSharp","owner":"rajanadar","description":"A comprehensive cross-platform .NET Library for HashiCorp's Vault, a secret management tool","archived":false,"fork":false,"pushed_at":"2024-10-14T18:45:43.000Z","size":82739,"stargazers_count":508,"open_issues_count":10,"forks_count":136,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-03T20:38:21.686Z","etag":null,"topics":["csharp","dotnet","dotnet-standard","hashicorp-vault","restclient","secret"],"latest_commit_sha":null,"homepage":"http://rajanadar.github.io/VaultSharp","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rajanadar.png","metadata":{"files":{"readme":"README-0.6.x.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.MD","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-01-21T03:11:37.000Z","updated_at":"2025-03-17T18:35:20.000Z","dependencies_parsed_at":"2024-08-01T16:39:50.892Z","dependency_job_id":"b9be6fa3-ee0d-45a4-b527-4a122111e70b","html_url":"https://github.com/rajanadar/VaultSharp","commit_stats":{"total_commits":634,"total_committers":36,"mean_commits":17.61111111111111,"dds":0.6261829652996845,"last_synced_commit":"34ab400c2a295f4a81d97fc5d65f38509c7e0f05"},"previous_names":[],"tags_count":53,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajanadar%2FVaultSharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/rajanadar%2FVaultSharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajanadar%2FVaultSharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajanadar%2FVaultSharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rajanadar","download_url":"https://codeload.github.com/rajanadar/VaultSharp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248049303,"owners_count":21039200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csharp","dotnet","dotnet-standard","hashicorp-vault","restclient","secret"],"created_at":"2024-08-01T16:01:49.408Z","updated_at":"2025-04-09T13:31:51.712Z","avatar_url":"https://github.com/rajanadar.png","language":"C#","funding_links":[],"categories":["C\\#","C#","dotnet","csharp"],"sub_categories":[],"readme":"VaultSharp\n==========\n\nThis is the documentation for the older VaultSharp 0.6.x version.\nA lot has changed in the latest VaultSharp versions. Please see [Latest VaultSharp Docs](https://github.com/rajanadar/VaultSharp/blob/master/README.md) for the latest docs.\n\n### What is VaultSharp?\n\n* VaultSharp is a C# Library that can be used in any .NET application to interact with Hashicorp's Vault Service.\n* The Vault system is a secret management system built as an Http Service by Hashicorp. 
\n* This library supports all the Vault Service Apis documented here: https://www.vaultproject.io/docs/http/\n\n### VaultSharp 0.6.x completely supports Hashicorp's Vault 0.6.x\n\n### What is the deal with the Versioning of VaultSharp? (Y U NO 1.0.0)\n\n* This library is written for Hashicorp's Vault Service\n* The Vault service is evolving constantly and the Hashicorp team is rapidly working on it.\n* Pretty soon, they should have a 1.0.0 version of the Vault Service from Hashicorp.\n* Because this client library is intended to facilitate the Vault Service operations, this library makes it easier for its consumers to relate to the Vault service it supports.\n* Hence a version of 0.6.1 denotes that this library will completely support the Vault 0.6.1 Service Apis.\n* Tomorrow when Vault Service gets upgraded to 0.6.2, this library will be modified accordingly and versioned as 0.6.2\n\n### How do I use VaultSharp? Give me a code example\n\n* Add a NuGet reference from here: https://www.nuget.org/packages/VaultSharp/\n* Instantiate an IVaultClient as follows:\n\n```cs\n// instantiate VaultClient with one of the various authentication options available.\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, authenticationInfo);\n\n// use it for operations.\nvar consulCredentials = await vaultClient.ConsulGenerateDynamicCredentialsAsync(consulRoleName, consulMountPoint);\nvar consulToken = consulCredentials.Data.Token;\n```\n\n### Does VaultSharp support all the Authentication, Secret and Audit Backends?\n\n* YES\n* All Authentication, Secret and Audit backends are supported by this library.\n* All administrative (seal, unseal, write policy), end-user (generate credentials) and unauthenticated methods (get status, get root CA) are supported by this client.\n\n### VaultSharp and 100% Consul Support\n\n* VaultSharp supports all the secret backends supported by the Vault 0.6.1 Service.\n* This includes 100% support for a Consul Secret 
backend, which is the recommended secret backend for Vault.\n* Please look at the API usage in the 'Consul' section of 'Secret Backends' below, to see all the Consul related methods in action.\n\n### The fundamental READ and WRITE operations on a Vault\n\n* The generic READ/WRITE Apis of vault allow you to do a variety of operations.\n* Almost all of these operations are supported in a strongly typed manner with dedicated methods for them in this library.\n* However, if for some reason you want to use the generic READ and WRITE methods of Vault, you can use them as follows:\n\n```cs\nvar path = \"cubbyhole/foo/test\";\n\nvar secretData = new Dictionary\u003cstring, object\u003e\n{\n    {\"1\", \"1\"},\n    {\"2\", 2},\n    {\"3\", false},\n};\n\nawait vaultClient.WriteSecretAsync(path, secretData);\n\nvar secret = await vaultClient.ReadSecretAsync(path);\nvar data = secret.Data; // this is the original dictionary back.\n```\n\n### Can I use it in my PowerShell Automation?\n\n* Absolutely. VaultSharp is a .NET Library. \n* This means, apart from using it in your C#, VB.NET, J#.NET and any .NET application, you can use it in PowerShell automation as well.\n* Load up the DLL in your PowerShell code and execute the methods. PowerShell can totally work with .NET Dlls.\n\n### All the methods are async. How do I use them synchronously?\n\n* The methods are async as the de facto implementation. 
The recommended usage.\n* However, there are innumerable scenarios where you would continue to want to use it synchronously.\n* For all those cases, there are various options available to you.\n* There is a lot of discussion around the right usage, avoiding deadlocks etc.\n* This library allows you to set the 'continueAsyncTasksOnCapturedContext' option when you initialize the client.\n* It is an optional parameter and defaults to 'false'\n* Setting it to false allows you to access the .Result property of the task with reduced/zero deadlock issues.\n* There are other ways as well to invoke it synchronously, and I leave it to the users of the library. (Task.Run etc.) \n* But please note that as much as possible, use it in an async manner. \n\n```cs\n\n// false (the default) does not resume on the captured context, which reduces deadlocks when blocking on .Result\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, authenticationInfo, continueAsyncTasksOnCapturedContext: false);\n\nvar consulSecret = vaultClient.ConsulGenerateDynamicCredentialsAsync(consulRole).Result;\n\n```\n\n### Authentication Backends (All of them are supported)\n\n* VaultSharp supports all the authentication backends supported by the Vault Service 0.4.0\n* Here is a sample to instantiate the vault client with each of the authentication backends.\n\n#### App Id Authentication Backend\n\n* Please note that the app-id auth backend has been deprecated by Vault. 
They recommend using the AppRole backend instead.\n* VaultSharp still lets you use the app-id Apis, for backward compatibility.\n* You can use the strongly typed APIs to configure the appid and userid as follows.\n\n```cs\n\n// Configure app-id roles and users as follows.\nawait AdminVaultClient.AppIdAuthenticationConfigureAppId(appId, policy.Name, appId, path);\nawait AdminVaultClient.AppIdAuthenticationConfigureUserId(userId, appId, authenticationPath: path);\n\n// now, setup the app-id based auth to get the right token.\n\nIAuthenticationInfo appIdAuthenticationInfo = new AppIdAuthenticationInfo(mountPoint, appId, userId);\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, appIdAuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the app id and user id.\n\n```\n\n#### App Role Authentication Backend\n\n```cs\n\n// setup the AppRole based auth to get the right token.\n\nIAuthenticationInfo appRoleAuthenticationInfo = new AppRoleAuthenticationInfo(mountPoint, roleId, secretId);\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, appRoleAuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the app role and secret id.\n\n```\n\n#### AWS-EC2 Authentication Backend\n\n```cs\n\n// setup the AWS-EC2 based auth to get the right token.\n\nIAuthenticationInfo awsEc2AuthenticationInfo = new AwsEc2AuthenticationInfo(mountPoint, pkcs7, nonce, roleName);\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, awsEc2AuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the aws-ec2 role\n\n```\n\n#### GitHub Authentication Backend\n\n```cs\nIAuthenticationInfo gitHubAuthenticationInfo = new GitHubAuthenticationInfo(mountPoint, personalAccessToken);\nIVaultClient vaultClient = 
VaultClientFactory.CreateVaultClient(vaultUriWithPort, gitHubAuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the github token.\n\n```\n\n#### LDAP Authentication Backend\n\n```cs\nIAuthenticationInfo ldapAuthenticationInfo = new LDAPAuthenticationInfo(mountPoint, username, password);\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, ldapAuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the LDAP username and password.\n\n```\n\n#### Certificate (TLS) Authentication Backend\n\n```cs\nvar clientCertificate = new X509Certificate2(certificatePath, certificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);\n\nIAuthenticationInfo certificateAuthenticationInfo = new CertificateAuthenticationInfo(mountPoint, clientCertificate);\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, certificateAuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the client certificate.\n\n```\n\n#### Token Authentication Backend\n\n```cs\nIAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(mountPoint, vaultToken);\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, tokenAuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the vault token.\n\n```\n\n#### Username and Password Authentication Backend\n\n```cs\nIAuthenticationInfo usernamePasswordAuthenticationInfo = new UsernamePasswordAuthenticationInfo(mountPoint, username, password);\nIVaultClient vaultClient = VaultClientFactory.CreateVaultClient(vaultUriWithPort, usernamePasswordAuthenticationInfo);\n\n// any operations done using the vaultClient will use the vault token/policies mapped to the username/password.\n\n```\n\n### Secret Backends (All of them 
are supported)\n\n* VaultSharp supports all the secret backends supported by the Vault Service 0.4.0\n* Here is a sample to instantiate the vault client with each of the secret backends.\n\n#### AWS Secret Backend\n\n##### Configuring an AWS Backend\n\n```cs\n// mount the backend\nawait vaultClient.MountSecretBackendAsync(new SecretBackend\n{\n    BackendType = SecretBackendType.AWS\n});\n\n// configure root credentials to create/manage roles and generate credentials\nawait vaultClient.AWSConfigureRootCredentialsAsync(new AWSRootCredentials\n{\n    AccessKey = \"access-key\",\n    SecretKey = \"secret-key\",\n    Region = \"region\"\n});\n\n// create a named role with the IAM policy\nawait vaultClient.AWSWriteNamedRoleAsync(\"myAwsRole\", new AWSRoleDefinition\n{\n    Policy = \"iam-policy-contents\"\n});\n```\n\n##### Generate AWS Credentials\n\n```cs\nvar awsCredentials = await vaultClient.AWSGenerateDynamicCredentialsAsync(\"myAwsRole\");\nvar awsAccessKey = awsCredentials.Data.AccessKey;\nvar awsSecretKey = awsCredentials.Data.SecretKey;\n\n```\n\n#### Cassandra Secret Backend\n\n##### Configuring a Cassandra Backend\n\n```cs\n// mount the backend\nawait vaultClient.MountSecretBackendAsync(new SecretBackend\n{\n    BackendType = SecretBackendType.Cassandra\n});\n\n// configure root connection info to create/manage roles and generate credentials\nawait vaultClient.CassandraConfigureConnectionAsync(new CassandraConnectionInfo\n{\n    Hosts = \"hosts\",\n    Username = \"username\",\n    Password = \"password\"\n});\n\n// create a named role\nawait vaultClient.CassandraWriteNamedRoleAsync(\"myCassandraRole\", new CassandraRoleDefinition\n{\n    CreationCql = \"csql\"\n});\n```\n\n##### Generate Cassandra Credentials\n\n```cs\nvar cassandraCredentials = await vaultClient.CassandraGenerateDynamicCredentialsAsync(\"myCassandraRole\");\nvar cassandraUsername = cassandraCredentials.Data.Username;\nvar cassandraPassword = cassandraCredentials.Data.Password;\n\n```\n#### 
Consul Secret Backend\n\n##### Configuring a Consul Backend\n\n```cs\n// mount the backend\nvar consulAddress = \"127.0.0.1:8500\";\nvar consulAclMasterToken = \"raja\";\n\nvar backend = new SecretBackend\n{\n    BackendType = SecretBackendType.Consul,\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\n// configure access to Consul and create roles\nvar consulRole = \"consulRole\";\n\nawait vaultClient.ConsulConfigureAccessAsync(new ConsulAccessInfo()\n{\n    AddressWithPort = consulAddress,\n    ManagementToken = consulAclMasterToken\n});\n\n// create a named role\nawait vaultClient.ConsulWriteNamedRoleAsync(consulRole, new ConsulRoleDefinition()\n{\n    TokenType = ConsulTokenType.management,\n});\n\nvar readRole = await vaultClient.ConsulReadNamedRoleAsync(consulRole);\nAssert.Equal(ConsulTokenType.management, readRole.Data.TokenType);\n```\n\n##### Generate Consul Credentials\n\n```cs\nvar consulCredentials = await vaultClient.ConsulGenerateDynamicCredentialsAsync(consulRole);\nvar consulToken = consulCredentials.Data.Token;\n```\n\n##### Deleting Role and Unmounting the Consul backend\n\n```cs\nawait vaultClient.ConsulDeleteNamedRoleAsync(consulRole);\nawait vaultClient.UnmountSecretBackendAsync(SecretBackendType.Consul.Type);\n\n```\n\n#### Cubbyhole Secret Backend\n\n```cs\nvar path = \"cubbyhole/foo1/foo2\";\nvar values = new Dictionary\u003cstring, object\u003e\n{\n    {\"foo\", \"bar\"},\n    {\"foo2\", 345 }\n};\n\nawait vaultClient.CubbyholeWriteSecretAsync(path, values);\n\nvar readValues = await vaultClient.CubbyholeReadSecretAsync(path);\nvar data = readValues.Data; // gives back the dictionary\n\nawait vaultClient.CubbyholeDeleteSecretAsync(path);\n\n```\n\n#### Generic Secret Backend\n\n```cs\nvar mountpoint = \"secret\" + Guid.NewGuid();\n\nvar path = mountpoint + \"/foo1/blah2\";\nvar values = new Dictionary\u003cstring, object\u003e\n{\n    {\"foo\", \"bar\"},\n    {\"foo2\", 345 }\n};\n\nawait\n    
vaultClient.MountSecretBackendAsync(new SecretBackend()\n    {\n        BackendType = SecretBackendType.Generic,\n        MountPoint = mountpoint\n    });\n\nawait vaultClient.GenericWriteSecretAsync(path, values);\n\nvar readValues = await vaultClient.GenericReadSecretAsync(path);\nvar data = readValues.Data; // gives back the dictionary\n\nawait vaultClient.GenericDeleteSecretAsync(path);\n\n```\n#### MongoDB Secret Backend\n\n##### Configuring a MongoDB Backend\n\n```cs\n// mount the backend\nvar mountPoint = \"mongodb\" + Guid.NewGuid();\nvar backend = new SecretBackend\n{\n    MountPoint = mountPoint,\n    BackendType = SecretBackendType.MongoDB,\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\n// configure root connection info to create/manage roles and generate credentials\n\nvar mongoDbConnectionInfo = new MongoDbConnectionInfo\n{\n ConnectionStringUri = \"mongodb://root:password@127.0.0.1:27017/admin?ssl=false\"\n};\n\nawait vaultClient.MongoDbConfigureConnectionAsync(mongoDbConnectionInfo, mountPoint);\n\nvar lease = new CredentialTimeToLiveSettings\n{\n    TimeToLive = \"1m1s\",\n    MaximumTimeToLive = \"2m1s\"\n};\n\nawait vaultClient.MongoDbConfigureCredentialLeaseSettingsAsync(lease);\n\n// create a named role\nvar roleName = \"mongodb-role\";\n\nvar role = new MongoDbRoleDefinition\n{\n    Database = \"admin\",\n    Roles = JsonConvert.SerializeObject(new object[] { \"readWrite\", new { role = \"read\", db = \"bar\" } })\n};\n\nawait vaultClient.MongoDbWriteNamedRoleAsync(roleName, role);\n\nvar queriedRole = await vaultClient.MongoDbReadNamedRoleAsync(roleName);\n```\n\n##### Generate MongoDB Credentials\n\n```cs\nvar generatedCreds = await vaultClient.MongoDbGenerateDynamicCredentialsAsync(roleName, mountPoint);\n\nvar username = generatedCreds.Data.Username;\nvar password = generatedCreds.Data.Password;\n\n```\n#### MSSQL Secret Backend\n\n##### Configuring a MSSQL Backend\n\n```cs\n// mount the backend\nvar mountPoint = \"mssql\" + 
Guid.NewGuid();\nvar backend = new SecretBackend\n{\n    MountPoint = mountPoint,\n    BackendType = SecretBackendType.MicrosoftSql,\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\n// configure root connection info to create/manage roles and generate credentials\nvar microsoftSqlConnectionInfo = new MicrosoftSqlConnectionInfo\n{\n    ConnectionString = \"server=localhost\\sqlexpress;port=1433;user id=sa;password=****;database=master;app name=vault\",\n    MaximumOpenConnections = 5,\n    VerifyConnection = true\n};\n\nawait vaultClient.MicrosoftSqlConfigureConnectionAsync(microsoftSqlConnectionInfo, mountPoint);\n\nvar lease = new CredentialTtlSettings()\n{\n    TimeToLive = \"1m1s\",\n    MaximumTimeToLive = \"2m1s\"\n};\n\nawait vaultClient.MicrosoftSqlConfigureCredentialLeaseSettingsAsync(lease, mountPoint);\n\n// create a named role\nvar roleName = \"msssqlrole\";\n\nvar role = new MicrosoftSqlRoleDefinition\n{\n    Sql = \"CREATE LOGIN '[{{name}}]' WITH PASSWORD = '{{password}}'; USE master; CREATE USER '[{{name}}]' FOR LOGIN '[{{name}}]'; GRANT SELECT ON SCHEMA::dbo TO '[{{name}}]'\"\n};\n\nawait vaultClient.MicrosoftSqlWriteNamedRoleAsync(roleName, role, mountPoint);\n\nvar queriedRole = await vaultClient.MicrosoftSqlReadNamedRoleAsync(roleName, mountPoint);\n```\n\n##### Generate MSSQL Credentials\n\n```cs\nvar msSqlCredentials = await vaultClient.MicrosoftSqlGenerateDynamicCredentialsAsync(roleName, backend.MountPoint);\n\nvar msSqlUsername = msSqlCredentials.Data.Username;\nvar msSqlPassword = msSqlCredentials.Data.Password;\n\n```\n#### MySql Secret Backend\n\n##### Configuring a MySql Backend\n\n```cs\n// mount the backend\nvar mountPoint = \"mysql\" + Guid.NewGuid();\nvar backend = new SecretBackend\n{\n    MountPoint = mountPoint,\n    BackendType = SecretBackendType.MySql,\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\n// configure root connection info to create/manage roles and generate credentials\nawait 
vaultClient.MySqlConfigureConnectionAsync(new MySqlConnectionInfo()\n{\n    DataSourceName = \"root:root@tcp(127.0.0.1:3306)/\"\n}, mountPoint);\n\nvar sql = \"CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';\";\n\nawait vaultClient.MySqlConfigureCredentialLeaseSettingsAsync(new CredentialLeaseSettings()\n{\n    LeaseDuration = \"1h\",\n    MaximumLeaseDuration = \"2h\"\n}, mountPoint);\n\n// create a named role\nvar mySqlRole = \"mysql-readonly-role\";\n\nawait vaultClient.MySqlWriteNamedRoleAsync(mySqlRole, new MySqlRoleDefinition()\n{\n    Sql = sql\n}, mountPoint);\n\nvar readRole = await vaultClient.MySqlReadNamedRoleAsync(mySqlRole, mountPoint);\nvar roleSql = readRole.Data.Sql;\n```\n\n##### Generate MySql Credentials\n\n```cs\nvar mySqlCredentials = await vaultClient.MySqlGenerateDynamicCredentialsAsync(mySqlRole, backend.MountPoint);\n\nvar mySqlUsername = mySqlCredentials.Data.Username;\nvar mySqlPassword = mySqlCredentials.Data.Password;\n\n```\n#### PKI (Certificates) Secret Backend\n\n##### Configuring a PKI Backend\n\n```cs\n// mount the backend\nvar mountpoint = \"pki\" + Guid.NewGuid();\nvar backend = new SecretBackend\n{\n    BackendType = SecretBackendType.PKI,\n    MountPoint = mountpoint\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\n// write expiry\nvar expiry = \"124h\";\nvar commonName = \"blah.example.com\";\n\nawait vaultClient.PKIWriteCRLExpirationAsync(expiry, mountpoint);\n\nvar readExpiry = await vaultClient.PKIReadCRLExpirationAsync(mountpoint);\nAssert.Equal(expiry, readExpiry.Data.Expiry);\n\n// read certificate in various ways\nvar nocaCert = await vaultClient.PKIReadCACertificateAsync(CertificateFormat.pem, mountpoint);\nAssert.Null(nocaCert.CertificateContent);\n\n// generate root certificate\nvar rootCertificateWithoutPrivateKey =\n    await vaultClient.PKIGenerateRootCACertificateAsync(new RootCertificateRequestOptions\n    {\n        CommonName = commonName,\n        
ExportPrivateKey = false\n    }, mountpoint);\n\nAssert.Null(rootCertificateWithoutPrivateKey.Data.PrivateKey);\n\nvar rootCertificate =\n    await vaultClient.PKIGenerateRootCACertificateAsync(new RootCertificateRequestOptions\n    {\n        CommonName = commonName,\n        ExportPrivateKey = true\n    }, mountpoint);\n\nAssert.NotNull(rootCertificate.Data.PrivateKey);\n\n// read certificate in various ways\nvar caCert = await vaultClient.PKIReadCACertificateAsync(CertificateFormat.pem, mountpoint);\nAssert.NotNull(caCert.CertificateContent);\n\nvar caReadCert = await vaultClient.PKIReadCertificateAsync(\"ca\", mountpoint);\nAssert.Equal(caCert.CertificateContent, caReadCert.Data.CertificateContent);\n\nvar caSerialNumberReadCert = await vaultClient.PKIReadCertificateAsync(rootCertificate.Data.SerialNumber, mountpoint);\nAssert.Equal(caCert.CertificateContent, caSerialNumberReadCert.Data.CertificateContent);\n\nvar crlCert = await vaultClient.PKIReadCertificateAsync(\"crl\", mountpoint);\nAssert.NotNull(crlCert.Data.CertificateContent);\n\nvar crlCert2 = await vaultClient.PKIReadCRLCertificateAsync(CertificateFormat.pem, mountpoint);\nAssert.NotNull(crlCert2.CertificateContent);\n\n// write and read certificate endpoints\n\nvar crlEndpoint = _vaultUri.AbsoluteUri + \"/v1/\" + mountpoint + \"/crl\";\nvar issuingEndpoint = _vaultUri.AbsoluteUri + \"/v1/\" + mountpoint + \"/ca\";\n\nvar endpoints = new CertificateEndpointOptions\n{\n    CRLDistributionPointEndpoints = string.Join(\",\", new List\u003cstring\u003e { crlEndpoint }),\n    IssuingCertificateEndpoints = string.Join(\",\", new List\u003cstring\u003e { issuingEndpoint }),\n};\n\nawait vaultClient.PKIWriteCertificateEndpointsAsync(endpoints, mountpoint);\n\nvar readEndpoints = await vaultClient.PKIReadCertificateEndpointsAsync(mountpoint);\n\nAssert.Equal(crlEndpoint, readEndpoints.Data.CRLDistributionPointEndpoints.First());\nAssert.Equal(issuingEndpoint, 
readEndpoints.Data.IssuingCertificateEndpoints.First());\n\n// rotate CRL\nvar rotate = await vaultClient.PKIRotateCRLAsync(mountpoint);\nAssert.True(rotate);\n\nawait vaultClient.RevokeSecretAsync(rootCertificateWithoutPrivateKey.LeaseId);\n```\n##### Write/Read PKI Role\n\n```cs\n// Create new Role\nvar roleName = Guid.NewGuid().ToString();\n\nvar role = new CertificateRoleDefinition\n{\n    AllowedDomains = \"example.com\",\n    AllowSubdomains = true,\n    MaximumTimeToLive = \"72h\",\n};\n\nawait vaultClient.PKIWriteNamedRoleAsync(roleName, role, mountpoint);\n\nvar readRole = await vaultClient.PKIReadNamedRoleAsync(roleName, mountpoint);\nAssert.Equal(role.AllowedDomains, readRole.Data.AllowedDomains);\n\n```\n\n##### Generate PKI Credentials\n\n```cs\nvar certificateCredentials =\n    await\n        vaultClient.PKIGenerateDynamicCredentialsAsync(roleName,\n            new CertificateCredentialsRequestOptions\n            {\n                CommonName = commonName,\n                CertificateFormat = CertificateFormat.pem\n            }, mountpoint);\n\nvar privateKey = certificateCredentials.Data.PrivateKey;\n\n```\n\n#### PostgreSql Secret Backend\n\n##### Configuring a PostgreSql Backend\n\n```cs\n// mount the backend\nvar mountPoint = \"postgresql\" + Guid.NewGuid();\nvar backend = new SecretBackend\n{\n    MountPoint = mountPoint,\n    BackendType = SecretBackendType.PostgreSql,\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\nawait vaultClient.PostgreSqlConfigureCredentialLeaseSettingsAsync(new CredentialLeaseSettings()\n{\n    LeaseDuration = \"1h\",\n    MaximumLeaseDuration = \"2h\"\n}, mountPoint);\n\n// configure root connection info to create/manage roles and generate credentials\nawait vaultClient.PostgreSqlConfigureConnectionAsync(new PostgreSqlConnectionInfo\n{\n    ConnectionString = \"con_string\",\n    MaximumOpenConnections = 5\n}, mountPoint);\n\nvar sql = \"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' 
VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\";\n\n// create a named role\nvar postgreSqlRole = \"postgresql-readonly-role\";\n\nawait vaultClient.PostgreSqlWriteNamedRoleAsync(postgreSqlRole, new PostgreSqlRoleDefinition()\n{\n    Sql = sql\n}, mountPoint);\n\nvar readRole = await vaultClient.PostgreSqlReadNamedRoleAsync(postgreSqlRole, mountPoint);\nAssert.Equal(sql, readRole.Data.Sql);\n```\n\n##### Generate PostgreSql Credentials\n\n```cs\nvar postgreSqlCredentials = await vaultClient.PostgreSqlGenerateDynamicCredentialsAsync(postgreSqlRole, backend.MountPoint);\n\nAssert.NotNull(postgreSqlCredentials.LeaseId);\nAssert.NotNull(postgreSqlCredentials.Data.Username);\nAssert.NotNull(postgreSqlCredentials.Data.Password);\n\n```\n#### RabbitMQ Secret Backend\n\n##### Configuring a RabbitMQ Backend\n\n```cs\n// mount the backend\nawait vaultClient.QuickMountSecretBackendAsync(SecretBackendType.RabbitMQ);\n\n// configure root connection info to create/manage roles and generate credentials\nvar connectionInfo = new RabbitMQConnectionInfo\n{\n    ConnectionUri = \"http://localhost:15672\",\n    Username = \"guest\",\n    Password = \"guest\",\n    VerifyConnection = true\n};\n\nawait vaultClient.RabbitMQConfigureConnectionAsync(connectionInfo);\n\nvar lease = new CredentialTimeToLiveSettings\n{\n    TimeToLive = \"1m1s\",\n    MaximumTimeToLive = \"2m1s\"\n};\n\nawait vaultClient.RabbitMQConfigureCredentialLeaseSettingsAsync(lease);\nvar queriedLease = await vaultClient.RabbitMQReadCredentialLeaseSettingsAsync();\n\nvar roleName = \"rabbitmqrole\";\n\nvar role = new RabbitMQRoleDefinition\n{\n    VirtualHostPermissions = \"{\\\"/\\\":{\\\"write\\\": \\\".*\\\", \\\"read\\\": \\\".*\\\"}}\"\n};\n\nawait vaultClient.RabbitMQWriteNamedRoleAsync(roleName, role);\n\nvar queriedRole = await vaultClient.RabbitMQReadNamedRoleAsync(roleName);\n```\n\n##### Generate RabbitMQ Credentials\n\n```cs\nvar generatedCreds = await 
vaultClient.RabbitMQGenerateDynamicCredentialsAsync(roleName);\n\nAssert.NotNull(generatedCreds.Data.Username);\nAssert.NotNull(generatedCreds.Data.Password);\n\n```\n\n#### SSH Secret Backend\n\n##### Configuring a SSH Backend\n\n```cs\n// mount the backend\nvar sshKeyName = Guid.NewGuid().ToString();\nvar sshRoleName = Guid.NewGuid().ToString();\n\nvar mountPoint = \"ssh\" + Guid.NewGuid();\nvar backend = new SecretBackend\n{\n    BackendType = SecretBackendType.SSH,\n    MountPoint = mountPoint,\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\n// configure key and role\nvar privateKey = @\"-----BEGIN RSA PRIVATE KEY----- key ---\";\n\nvar ip = \"127.0.0.1\";\nvar user = \"rajan\";\n\nawait vaultClient.SSHWriteNamedKeyAsync(sshKeyName, privateKey, mountPoint);\nawait vaultClient.SSHWriteNamedRoleAsync(sshRoleName, new SSHOTPRoleDefinition\n{\n    RoleDefaultUser = user,\n    CIDRValues = \"127.0.0.1/10\",\n}, mountPoint);\n\nvar role = await vaultClient.SSHReadNamedRoleAsync(sshRoleName, mountPoint);\nAssert.True(role.Data.KeyTypeToGenerate == SSHKeyType.otp);\n\n```\n\n##### Generate SSH Credentials\n\n```cs\nvar credentials = await\n    vaultClient.SSHGenerateDynamicCredentialsAsync(sshRoleName, ip,\n        sshBackendMountPoint: mountPoint);\n\nAssert.Equal(user, credentials.Data.Username);\n\n```\n#### Transit Secret Backend\n\n##### Configuring a Transit Backend\n\n```cs\n// mount the backend\nvar backend = new SecretBackend\n{\n    BackendType = SecretBackendType.Transit,\n    MountPoint = \"transit\" + Guid.NewGuid(),\n};\n\nawait vaultClient.MountSecretBackendAsync(backend);\n\n// create encryption key\nvar keyName = \"test_key\" + Guid.NewGuid();\nvar context = \"context1\";\n\nvar plainText = \"raja\";\nvar encodedPlainText = Convert.ToBase64String(Encoding.UTF8.GetBytes(plainText));\n\nawait vaultClient.TransitCreateEncryptionKeyAsync(keyName, true, backend.MountPoint);\nvar keyInfo = await 
vaultClient.TransitGetEncryptionKeyInfoAsync(keyName, backend.MountPoint);\n\nAssert.Equal(keyName, keyInfo.Data.Name);\nAssert.True(keyInfo.Data.MustUseKeyDerivation);\nAssert.False(keyInfo.Data.IsDeletionAllowed);\n\n// configure the key\nawait vaultClient.TransitConfigureEncryptionKeyAsync(keyName, isDeletionAllowed: true, transitBackendMountPoint: backend.MountPoint);\n\nkeyInfo = await vaultClient.TransitGetEncryptionKeyInfoAsync(keyName, backend.MountPoint);\nAssert.True(keyInfo.Data.IsDeletionAllowed);\n\n```\n\n##### Encrypt/Decrypt text\n\n```cs\nvar cipherText = await vaultClient.TransitEncryptAsync(keyName, encodedPlainText, context, transitBackendMountPoint: backend.MountPoint);\n\nvar plainText2 = Encoding.UTF8.GetString(Convert.FromBase64String((await vaultClient.TransitDecryptAsync(keyName, cipherText.Data.CipherText, context, backend.MountPoint)).Data.PlainText));\n\nAssert.Equal(plainText, plainText2);\n```\n\n##### Other Transit Operations\n\n```cs\nawait vaultClient.TransitRotateEncryptionKeyAsync(keyName, backend.MountPoint);\nvar cipherText2 = await vaultClient.TransitEncryptAsync(keyName, encodedPlainText, context, transitBackendMountPoint: backend.MountPoint);\n\nAssert.NotEqual(cipherText.Data.CipherText, cipherText2.Data.CipherText);\n\nvar cipherText3 = await vaultClient.TransitRewrapWithLatestEncryptionKeyAsync(keyName, cipherText.Data.CipherText, context, backend.MountPoint);\n\nvar newKey1 = await vaultClient.TransitCreateDataKeyAsync(keyName, false, context, 128, backend.MountPoint);\nAssert.Null(newKey1.Data.PlainTextKey);\n\nnewKey1 = await vaultClient.TransitCreateDataKeyAsync(keyName, true, context, 128, backend.MountPoint);\nAssert.NotNull(newKey1.Data.PlainTextKey);\n\nawait vaultClient.TransitDeleteEncryptionKeyAsync(keyName, backend.MountPoint);\n\n```\n### Audit Backends (All of them are supported)\n\n* VaultSharp supports all the audit backends supported by the Vault Service 0.4.0\n* Here is a sample to instantiate the vault 
client with each of the audit backends.\n\n#### File Audit Backend\n\n```cs\n\nvar audits = (await vaultClient.GetAllEnabledAuditBackendsAsync()).ToList();\n\n// enable new file audit\nvar newFileAudit = new FileAuditBackend\n{\n    BackendType = AuditBackendType.File,\n    Description = \"store logs in a file - test cases\",\n    Options = new FileAuditBackendOptions\n    {\n        FilePath = \"/var/log/file\"\n    }\n};\n\nawait vaultClient.EnableAuditBackendAsync(newFileAudit);\n\n// get audits\nvar newAudits = (await vaultClient.GetAllEnabledAuditBackendsAsync()).ToList();\nAssert.Equal(audits.Count + 1, newAudits.Count);\n\n// hash with audit\nvar hash = await vaultClient.HashWithAuditBackendAsync(newFileAudit.MountPoint, \"testinput\");\nAssert.NotNull(hash);\n\n// disable audit\nawait vaultClient.DisableAuditBackendAsync(newFileAudit.MountPoint);\n```\n\n#### Syslog Audit Backend\n\n```cs\n\n// enable new syslog audit\nvar newSyslogAudit = new SyslogAuditBackend\n{\n    BackendType = AuditBackendType.Syslog,\n    Description = \"syslog audit - test cases\",\n    Options = new SyslogAuditBackendOptions()\n};\n\nawait vaultClient.EnableAuditBackendAsync(newSyslogAudit);\n\n// get audits\nvar newAudits2 = (await vaultClient.GetAllEnabledAuditBackendsAsync()).ToList();\nAssert.Equal(1, newAudits2.Count);\n\n// disable audit\nawait vaultClient.DisableAuditBackendAsync(newSyslogAudit.MountPoint);\n\n// get audits\nvar oldAudits2 = (await vaultClient.GetAllEnabledAuditBackendsAsync()).ToList();\nAssert.Equal(audits.Count, oldAudits2.Count);\n\n```\n\n### More Administrative \u0026 Other operations\n\n* VaultSharp supports all the operations supported by the Service.\n* These include administrative ones like Initialize, Unseal, Seal etc.\n* Here are some samples.\n\n```cs\n\nawait noAuthInfoClient.InitializeAsync(5, 3, null);\nawait vaultClient.SealAsync();\n\nawait vaultClient.UnsealAsync(masterKey); // need to run this in a loop for all master keys\nawait 
vaultClient.UnsealQuickAsync(allMasterKeys);  // unseals the Vault in 1 shot.\n\nawait vaultClient.GetSealStatusAsync();\n\n// all policy operations\n\n// write a new policy\nvar newPolicy = new Policy\n{\n    Name = \"gubdu\",\n    Rules = \"path \\\"sys/*\\\" {  policy = \\\"deny\\\" }\"\n};\n\nawait vaultClient.WritePolicyAsync(newPolicy);\n\n// get new policy\nvar newPolicyGet = await vaultClient.GetPolicyAsync(newPolicy.Name);\nAssert.Equal(newPolicy.Rules, newPolicyGet.Rules);\n\n// write updates to a new policy\nnewPolicy.Rules = \"path \\\"sys/*\\\" {  policy = \\\"read\\\" }\";\n\nawait vaultClient.WritePolicyAsync(newPolicy);\n\n// get new policy\nnewPolicyGet = await vaultClient.GetPolicyAsync(newPolicy.Name);\nAssert.Equal(newPolicy.Rules, newPolicyGet.Rules);\n\n// delete policy\nawait vaultClient.DeletePolicyAsync(newPolicy.Name);\n\n```\n\n### Miscellaneous Features\n\n* VaultSharp supports some awesome features like quick mount, quick unseal, quick rekey etc.\n* It also supports setting Proxy settings, custom message handlers for the HttpClient.\n\n#### Quick mount, unseal and rekey methods\n\n```cs\n\n// quickly mount a secret backend\nawait vaultClient.QuickMountSecretBackendAsync(SecretBackendType.AWS);\n\n// quickly mount an auth backend\nawait vaultClient.QuickEnableAuthenticationBackendAsync(AuthenticationBackendType.GitHub);\n\n// quickly unseal Vault with a single call.\nvar sealStatus = await UnauthenticatedVaultClient.QuickUnsealAsync(AllMasterKeys);\n\n// quickly rekey Vault with a single call.\nvar quick = await UnauthenticatedVaultClient.QuickRekeyAsync(AllMasterKeys, rekeyStatus.Nonce);\n\n```\n#### Setting Proxy Settings, custom Message Handlers etc.\n\n```cs\n\nvar vaultClient = VaultClientFactory.CreateVaultClient(VaultUriWithPort, new TokenAuthenticationInfo(someToken), postHttpClientInitializeAction:\n    httpClient =\u003e\n    {\n        // set proxy or custom handlers here.\n    });\n```\n\n### In Conclusion\n\n* If the above 
documentation doesn't help you, feel free to create an issue or email me. https://github.com/rajanadar/VaultSharp/issues/new\n* Also, the Intellisense on IVaultClient class should help. I have tried to add a lot of documentation.\n\nHappy Coding folks!","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frajanadar%2FVaultSharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frajanadar%2FVaultSharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frajanadar%2FVaultSharp/lists"}