Skip to main content

Lightweight API to store/retrieve secrets to/from an encrypted Database

Project description

VaultAPI

Lightweight API to store/retrieve secrets to/from an encrypted Database

VaultAPI is designed to be extremely lightweight, secure, and easy to use. It provides cutting edge security features like AES encryption, IP-based access control, and rate limiting all out of the box. It also includes transit encryption to ensure that the secrets are encrypted during transit to protect against man-in-the-middle attacks.

Python

Platform Supported

Platform docker-image

Deployments

docker pypi

markdown pages

Pypi Pypi-format Pypi-status

Kick off

Recommendations

Install VaultAPI

python -m pip install vaultapi

Initiate - IDE

import vaultapi.server

if __name__ == '__main__':
    vaultapi.server.start()

Initiate - CLI

vaultapi start

Use vaultapi --help for usage instructions.

Environment Variables

Sourcing environment variables from an env file

By default, VaultAPI will look for a .env file in the current working directory.

Mandatory

  • APIKEY - API Key for authentication.
  • SECRET - Secret access key to encode/decode the secrets in Datastore.

Optional (with defaults)

  • TRANSIT_KEY_LENGTH - AES key length for transit encryption. Defaults to 32
  • TRANSIT_TIME_BUCKET - Interval for which the transit epoch should remain constant. Defaults to 60
  • DATABASE - FilePath to store the secrets' database. Defaults to secrets.db
  • HOST - Hostname for the API server. Defaults to 0.0.0.0 [OR] localhost
  • PORT - Port number for the API server. Defaults to 9010
  • WORKERS - Number of workers for the uvicorn server. Defaults to 1
  • RATE_LIMIT - List of dictionaries with max_requests and seconds to apply as rate limit. Defaults to 5req/2s [AND] 10req/30s
  • ALLOW_PUBLIC_IP - Boolean flag to allow connections via public IP. Defaults to false
  • ALLOW_PRIVATE_IP - Boolean flag to allow connections via private IP. Defaults to false
  • ALLOW_PRIVATE_IP_RANGE - Boolean flag to allow connections via any private IP address (1-256) within range. Defaults to false

Optional (without defaults)

  • LOG_CONFIG - FilePath or dictionary of key-value pairs for log config.
  • ALLOWED_ORIGINS - Origins that are allowed to retrieve secrets.
  • ALLOWED_IP_RANGE - IP range that is allowed to retrieve secrets. (eg: 10.112.8.10-210)

Optional (UI integration)

  • ENABLE_UI - Boolean flag to enable the UI. Defaults to false
  • TOTP_TOKEN - Secret token for TOTP authentication in the UI. Can be generated using any TOTP generator app like Google Authenticator or Authy.
  • UI_LIFETIME - Time in seconds for which the UI session should remain active. Defaults to 900 (15 minutes)

Checkout decryptors for more information about decrypting the retrieved secret from the server.

Auto generate a SECRET value

This value will be used to encrypt/decrypt the secrets stored in the database.

CLI

vaultapi keygen

IDE

from cryptography.fernet import Fernet
print(Fernet.generate_key())

API Functionality

Endpoint Description API method
/health API health endpoint GET
/get-secret Retrieve secrets (comma separated list) GET
/get-table Get ALL the secrets stored in a table GET
/list-tables List all available tables GET
/put-secret Store or update a secret (key-value pairs) PUT
/delete-secret Delete a specific secret DELETE
/create-table Create a new table POST
/delete-table Deletes an existing table DELETE

Coding Standards

Docstring format: Google
Styling conventions: PEP 8 and isort

Release Notes

Requirement

python -m pip install gitverse

Usage

gitverse-release reverse -f release_notes.rst -t 'Release Notes'

Linting

pre-commit will ensure linting, run pytest, generate runbook & release notes, and validate hyperlinks in ALL markdown files (including Wiki pages)

Requirement

python -m pip install sphinx==5.1.1 pre-commit recommonmark

Usage

pre-commit run --all-files

Pypi Package

pypi-module

https://pypi.org/project/VaultAPI/

Docker Image

made-with-docker-doc

https://hub.docker.com/r/thevickypedia/vaultapi

Runbook

made-with-sphinx-doc

https://thevickypedia.github.io/VaultAPI/

License & copyright

© Vignesh Rao

Licensed under the MIT License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vaultapi-0.4.0b1-py3-none-any.whl (40.5 kB view details)

Uploaded Python 3

File details

Details for the file vaultapi-0.4.0b1-py3-none-any.whl.

File metadata

  • Download URL: vaultapi-0.4.0b1-py3-none-any.whl
  • Upload date:
  • Size: 40.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.13

File hashes

Hashes for vaultapi-0.4.0b1-py3-none-any.whl
Algorithm Hash digest
SHA256 84ed9c616355f20e2a959c6d52c122bf3934f538ead3beeb03aee453d08511e3
MD5 2d821c1610e3c782ad3241f1d369f5ed
BLAKE2b-256 58152a4471b1a3b087e84dab7594f5a076367543a501262ca8f3e2f3ebe441b9

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page