Vault is a high-security store for secret tokens, credentials, and other sensitive information. HVAC is a Python client library for Vault.


The SecretsStore handles the most common use case of Vault in a Baseplate application: secure retrieval of secret tokens. This client is only necessary when taking advantage of more advanced features of Vault such as the Transit backend or Cubbyholes. If these don’t sound familiar, check out the secrets store before digging in here.


To integrate HVAC with your application, add the appropriate client declaration to your context configuration:

      "foo": HvacClient(),

configure it in your application’s configuration file:



# optional: how long to wait for calls to vault
foo.timeout = 300 milliseconds


and then use it in request:

def my_method(request):

See HVAC’s README for documentation on the methods available from its client.


class baseplate.clients.hvac.HvacClient(secrets)[source]

Configure an HVAC client.

This is meant to be used with baseplate.Baseplate.configure_context().

See hvac_factory_from_config() for available configuration settings.

Parameters:secrets (SecretsStore) – The configured secrets store for this application.
baseplate.clients.hvac.hvac_factory_from_config(app_config, secrets_store, prefix='vault.')[source]

Make an HVAC client factory from a configuration dictionary.

The keys useful to hvac_factory_from_config() should be prefixed, e.g. vault.timeout. The prefix argument specifies the prefix used to filter keys.

Supported keys:

  • timeout: How long to wait for calls to Vault.
  • app_config (Dict[str, str]) – The raw application configuration.
  • secrets_store (SecretsStore) – A configured secrets store from which we can get a Vault authentication token.
  • prefix (str) – The prefix for configuration keys.
Return type:



class baseplate.clients.hvac.HvacContextFactory(secrets_store, timeout)[source]

HVAC client context factory.

This factory will attach a proxy object which acts like an hvac.Client to an attribute on the RequestContext. All methods that talk to Vault will be automatically instrumented for tracing and diagnostic metrics.

make_object_for_context(name, span)[source]

Return an object that can be added to the context object.

  • name (str) – The name assigned to this object on the context.
  • span (Span) – The current span this object is being made for.
Return type: