Universal secret manager for applications and CI/CD tools with CLI interface and multi-cloud support
Project description
AnySecret Library - Open Source Universal Secret Management
Open source Python library for universal secret and configuration management across all major cloud providers.
Overview
This is the core open source library that powers AnySecret.io. It provides a unified interface for secret and configuration management across AWS, Google Cloud, Azure, Kubernetes, HashiCorp Vault, and local file systems.
Key Features
- 🚀 Universal API - Single interface for all providers
- 🤖 Smart Classification - Automatic routing of secrets vs parameters
- 🔄 Multi-Cloud - AWS, GCP, Azure, K8s, Vault support
- ⚡ Async First - Built for modern Python applications
- 🛡️ Security-Focused - No logging/caching of sensitive values
- 📦 Zero Config - Auto-detects cloud environments
Quick Start
Installation
# Basic installation
pip install anysecret-io
# With cloud providers
pip install anysecret-io[aws,gcp,azure,k8s,vault]
Basic Usage
import asyncio
import anysecret
async def main():
# Auto-classification handles routing
db_password = await anysecret.get("database.password") # → Secure storage
db_host = await anysecret.get("database.host") # → Config storage
# Get all secrets for your app
config = await anysecret.get_config_manager()
secrets = await config.get_secrets_by_prefix("myapp")
asyncio.run(main())
CLI Usage
# Get secrets/parameters
anysecret get database.password
anysecret get api.timeout
# List all
anysecret list
# Bulk operations
anysecret bulk export --output .env
anysecret bulk import secrets.json
# Provider management
anysecret providers list
anysecret config validate
Architecture
Core Components
anysecret.config_manager- Main configuration manager with auto-classificationanysecret.secret_manager- Base secret manager interfaceanysecret.parameter_manager- Base parameter manager interfaceanysecret.providers.*- Cloud provider implementationsanysecret.cli.*- Command-line interface
Provider Support
| Provider | Secrets | Parameters | Status |
|---|---|---|---|
| AWS | Secrets Manager | Parameter Store | ✅ Production |
| GCP | Secret Manager | Config Connector | ✅ Production |
| Azure | Key Vault | App Configuration | ✅ Production |
| Kubernetes | Secrets | ConfigMaps | ✅ Production |
| HashiCorp Vault | KV v1/v2 | KV v1/v2 | ✅ Production |
| Encrypted Files | AES-256 | JSON/YAML | ✅ Production |
| Environment Files | .env | .env | ✅ Production |
Development
Requirements
- Python 3.10+ (3.8/3.9 support dropped for modern compatibility)
- Optional cloud provider dependencies
Setup
# Clone repository
git clone https://github.com/anysecret-io/anysecret-lib.git
cd anysecret-lib
# Create virtual environment
python -m venv venv
source venv/bin/activate
# Install development dependencies
pip install -e ".[dev,all]"
# Run tests
pytest
# Run specific test suites
python run_tests.py smoke # Quick smoke tests
python run_tests.py cli # CLI tests only
python run_tests.py unit # Unit tests only
Test Suite
- 246 passing tests across all providers and functionality
- 20 integration tests skipped (require cloud credentials)
- Comprehensive coverage of all core features
- CI/CD integration with GitHub Actions
Code Quality
# Format code
black anysecret tests
isort anysecret tests
# Type checking
mypy anysecret
# Linting
flake8 anysecret
Configuration
Environment Detection
The library automatically detects your environment and configures appropriate providers:
# AWS (auto-detected from EC2/Lambda/ECS)
import anysecret
config = await anysecret.get_config_manager() # Uses AWS Secrets Manager
# GCP (auto-detected from GCE/Cloud Run/GKE)
config = await anysecret.get_config_manager() # Uses GCP Secret Manager
# Local development
config = await anysecret.get_config_manager() # Uses .env files
Manual Configuration
from anysecret import ConfigManager
# Explicit provider configuration
config = ConfigManager({
'secret_manager': {
'type': 'aws',
'region': 'us-west-2'
},
'parameter_manager': {
'type': 'aws',
'region': 'us-west-2'
}
})
API Reference
Core Methods
# Get values with auto-classification
value = await anysecret.get(key, default=None, hint=None)
# Explicit secret retrieval
secret = await config.get_secret(key)
secret_with_meta = await config.get_secret_with_metadata(key)
# Explicit parameter retrieval
param = await config.get_parameter(key)
param_with_meta = await config.get_parameter_with_metadata(key)
# Bulk operations
secrets = await config.get_secrets_by_prefix(prefix)
all_keys = await config.list_all_keys()
# Health checks
healthy = await config.health_check()
Provider-Specific Managers
# Direct provider access
from anysecret.providers import (
AwsSecretManager,
GcpSecretManager,
AzureSecretManager,
VaultSecretManager
)
aws_manager = AwsSecretManager({'region': 'us-west-2'})
secret = await aws_manager.get_secret_with_metadata('api-key')
Security Best Practices
- Never log secrets - Library never logs sensitive values
- Use auto-classification - Reduces risk of misconfiguration
- Environment-specific configs - Different providers per environment
- Encrypted local storage - For development environments
- Regular rotation - Use provider native rotation features
Contributing
Bug Reports
- Check existing issues
- Include Python version, provider type, and error details
- Provide minimal reproduction case
Feature Requests
- Open GitHub Discussion
- Describe use case and expected behavior
- Check if it fits with existing architecture
Pull Requests
- Fork the repository
- Create feature branch from
main - Add tests for new functionality
- Ensure all tests pass:
pytest - Follow existing code style
- Update documentation if needed
License
MIT License
- ✅ Free for all users and commercial use
- ✅ Modify and distribute freely
- ✅ Use in proprietary software
- ✅ No copyleft requirements
- ✅ Private use and commercial distribution allowed
AnySecret is and will always be free and open source under the MIT license.
Links
- Documentation: docs.anysecret.io
- PyPI Package: pypi.org/project/anysecret-io
- Homepage: anysecret.io
- LLM Chat Agent: chat.anysecret.io
- Discord: discord.gg/Js9pnRuQ
- Issues: GitHub Issues
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
anysecret_io-1.2.0.tar.gz
(281.5 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
anysecret_io-1.2.0-py3-none-any.whl
(125.8 kB
view details)
File details
Details for the file anysecret_io-1.2.0.tar.gz.
File metadata
- Download URL: anysecret_io-1.2.0.tar.gz
- Upload date:
- Size: 281.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
73c01a70cefacd2b4000ef64a20282c7ebcc9ed1b5d1172b622ae07cb6e3553c
|
|
| MD5 |
28dd53657629ff7f452a19953bb2134d
|
|
| BLAKE2b-256 |
52f35a24c0244c0c4290c1ed3c568aa8bddbd744875b8d6a388ab2822a071593
|
File details
Details for the file anysecret_io-1.2.0-py3-none-any.whl.
File metadata
- Download URL: anysecret_io-1.2.0-py3-none-any.whl
- Upload date:
- Size: 125.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
957b66ac37d5b000cb42a22d637b52b80569637ffddc94d3a0783c1531698d28
|
|
| MD5 |
daaf6abcb53d44a91092d9621e215741
|
|
| BLAKE2b-256 |
578d815ceaf145f02307137a07080a476c4e65fec1a80e1804a37835cad814d8
|
