StackStorm-Exchange · nzlosh · May 19, 2026 · May 19, 2026 · May 20, 2026
@@ -17,22 +17,21 @@ jobs:
     strategy:
       matrix:
         include:
-          - python-version-short: "3.8"
-            python-version: 3.8.18
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
           - python-version-short: "3.9"
             python-version: 3.9.21
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.10"
             python-version: 3.10.16
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
           - python-version-short: "3.11"
             python-version: 3.11.11
-            vault-version: "1.12.5-1"
-            hvac-gh-tag: "v1.1.1"
+            consul-version: "1.22.7-1"
+            vault-version: "2.0.0-1"
+            hvac-gh-tag: "v2.4.0"
     steps:
       - name: Checkout Pack Repo and CI Repos
         uses: StackStorm-Exchange/ci/.github/actions/checkout@master
@@ -63,20 +62,7 @@ jobs:
         working-directory: pack
         shell: bash
         run: |
-          wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/hashicorp.gpg
-          echo "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
-            | sudo tee /etc/apt/sources.list.d/hashicorp.list
-
-          sudo apt update \
-            -o Dir::Etc::sourceparts="-" \
-            -o APT::Get::List-Cleanup="0" \
-            -o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
-
-          sudo apt install consul vault=${{ matrix.vault-version }}
-
-          # We disble cap_ipc_lock here as its generally incompatabile with GitHub
-          # Actions' runtime environments.
-          sudo setcap cap_ipc_lock= /usr/bin/vault
+          ${ROOT_DIR}/tests/scripts/install_vault ${{ matrix.vault-version }} ${{ matrix.consul-version }}
 
       - name: Setup hvac symlinks
         shell: bash

@@ -1,5 +1,10 @@
 # Change Log
 
+## 3.0.0
+
+- Removed pinning of hvac to support Python version >= 3.9 and add the sys.wrap/sys.unwrap methods.
+- Added wrap/unwrap actions
+
 ## 2.1.0
 
 - Support mount_point parameter for profiles config.

@@ -0,0 +1,13 @@
+from lib import action
+import hvac
+
+
+class VaultUnwrapSecretAction(action.VaultBaseAction):
+    def run(self, token, profile_name=None):
+        super().run(profile_name=profile_name)
+        try:
+            resp = self.vault.sys.unwrap(token)
+        except hvac.exceptions.InvalidRequest as e:
+            return (False, f"{e}")
+
+        return (True, resp)
@@ -0,0 +1,17 @@
+---
+name: unwrap_secret
+runner_type: python-script
+description: "Read secret from Vault Wrap engine"
+enabled: true
+entry_point: "unwrap_secret.py"
+parameters:
+  profile_name:
+    type: "string"
+    description: "The profile to use to run this action."
+    required: false
+  token:
+    type: "string"
+    description: "Wrap token to unwrap"
+    required: true
+    secret: true
+    position: 0
@@ -0,0 +1,8 @@
+from lib import action
+
+
+class VaultWrapSecretAction(action.VaultBaseAction):
+    def run(self, secret, ttl, profile_name=None):
+        super().run(profile_name=profile_name)
+        resp = self.vault.sys.wrap(payload=secret, ttl=ttl)
+        return (True, resp)
@@ -0,0 +1,23 @@
+---
+name: wrap_secret
+runner_type: python-script
+description: "Write a secret to the Vault Wrap engine"
+enabled: true
+entry_point: "wrap_secret.py"
+parameters:
+  profile_name:
+    type: "string"
+    description: "The profile to use to run this action."
+    required: false
+  ttl:
+    type: "integer"
+    description: "Time-To-Live before the wrap token expires (Default: 300 seconds)"
+    default: 300
+    required: false
+    position: 1
+  secret:
+    type: "object"
+    description: 'Dictionary with secret {"key": "value", "key2": "value2"}'
+    required: true
+    secret: true
+    position: 0
@@ -2,7 +2,7 @@
 ref: vault
 name: vault
 description: StackStorm pack integration with HashiCorp Vault
-version: 2.1.0
+version: 3.0.0
 python_versions:
   - "3"
 author: steve.neuharth

@@ -1 +1 @@
-hvac>=1.1.0,<2.0.0
+hvac
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -eux
+
+# Installing consul and vault in the CI/CD environment is complex.  That
+# complexity is now wrapped inside this shell script for a clearer CI/CD YAML.
+
+VAULT_VERSION="$1"
+CONSUL_VERSION="$2"
+
+wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/hashicorp.gpg
+sudo tee /etc/apt/sources.list.d/hashicorp.list <<<"deb [arch=amd64, signed-by=/etc/apt/trusted.gpg.d/hashicorp.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+
+sudo apt update -o Dir::Etc::sourceparts="-" -o APT::Get::List-Cleanup="0" -o Dir::Etc::sourcelist="sources.list.d/hashicorp.list"
+sudo apt install consul=${CONSUL_VERSION} vault=${VAULT_VERSION}
+
+# We disble cap_ipc_lock here as its generally incompatabile with GitHub
+# Actions' runtime environments.
+sudo setcap cap_ipc_lock= /usr/bin/vault
+
+# Consul needs to be explicitly configured to start in the CI/CD environment.
+sudo mkdir -p /srv/consul && sudo chown -R consul:consul /srv/consul
+
+sudo tee /etc/consul.d/consul.hcl >/dev/null <<EOF
+enable_debug = false
+datacenter = "cicd"
+data_dir = "/srv/consul"
+ui_config{
+enabled = false
+}
+server = true
+bind_addr = "127.0.0.1"
+client_addr = "127.0.0.1"
+advertise_addr = "127.0.0.1"
+retry_join = ["localhost"]
+bootstrap_expect = 0
+encrypt = "katpv2wgyY5Za8bGAHh7+URaeLJWh4g+gK0GBjmvQXA="
+EOF
+
+sudo systemctl restart consul
+sudo systemctl restart vault
+
+# Initialise and unseal vault
+vault init
@@ -1,6 +1,6 @@
 from st2tests.base import BaseActionTestCase
 
-from tests.utils import get_config_file_path
+# #from tests.utils import get_config_file_path
 from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase
 
 
@@ -59,7 +59,9 @@ def tearDown(self):
 
     def build_dummy_pack_config(self, url="https://localhost:8200"):
         # based on create_client() in hvac/tests/utils/__init__.py
-        server_cert_path = get_config_file_path("server-cert.pem")
+        # CI/CD only has a self-signed cert.
+        # #server_cert_path = get_config_file_path("server-cert.pem")
+        server_cert_path = False
 
         token_result = self.client.auth.token.create(ttl=self.default_token_lease)
         token = token_result["auth"]["client_token"]