devsecrets: read secrets from environment variables or files

Why?

It would be nice if a developer could check out a project and immediately run and debug it through their IDE.

For code that requires sensitive environment variables, that isn't possible, because it would entail checking secrets in as part of run configurations.

What?

devsecrets gets you just a little closer to the ideal by letting environment variables point to files containing the sensitive information.

It doesn't help with creating, securing, or distributing those files.

How?

Instead of reading os.environ directly, use devsecrets.read_secret() in your code. For instance, if accessing a DATABASE_URL variable:

from devsecrets import read_secret

DATABASE_URL = read_secret('DATABASE_URL')

In development, set the DATABASE_URL environment variable to @.secrets.

Create a .secrets file in your project's directory, containing a line like

DATABASE_URL="driver://user:pass@host/dbname"

Have your version control system ignore your .secrets file.

What about non-development environments?

Environment values that don't begin with the @-symbol are returned as-is by read_secret(), so if you already have your secrets in environment variables in production, there's no need to do anything differently.

If you do want to use secrets files in production, it probably makes sense to point to them with absolute paths.

Details

Where exactly does read_secret() look for files?

If the filename is absolute, it is used as is.

Otherwise, read_secret() discovers where the code that called it lives and starts there. Then it walks up the path all the way to the root.

What is the format of the secrets files?

By example:

# comment
KEY1 = "value" #comment
key-2="#not-a-comment"

key_3 = "multiline\r\nvalue"

Currently, values must be quoted.

This is only because, for reasons of expediency, a TOML parser is used to parse these files.

Installed code

Beware that how and where your code is installed matters, because read_secret() considers where the calling code lives. If that's in a site-packages directory under /usr/lib or ~/.local/share/virtualenvs, for instance, then a .secrets file in ~/projects/myproject won't be found.

This is ordinarily not a problem, because you install your code with python setup.py develop or pip install --editable, so you run your code from the same place where you checked it out.
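The lookup rule from "Where exactly does read_secret() look for files?" and the installed-code pitfall above, shown as an added example that is not devsecrets' own code. locate_secrets_file() and permission_findings() are hypothetical helpers, stopping at the first match while walking up is an assumption, and the POSIX permission check is an extra included because devsecrets does not secure the files itself.

```python
import os
import stat
from pathlib import Path


def locate_secrets_file(env_value, caller_dir):
    """Resolve an '@filename' value to a path, or None (sketch, not devsecrets code).

    Assumption: the first match found while walking up from caller_dir wins.
    """
    if not env_value.startswith("@"):
        return None  # plain value: returned as-is by read_secret(), no file involved
    name = Path(env_value[1:])
    if name.is_absolute():
        return name if name.is_file() else None
    start = Path(caller_dir).resolve()
    for directory in (start, *start.parents):
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def permission_findings(path):
    """Return warnings if a secrets file is open to group/other (POSIX modes)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is readable by group/other (mode {mode:o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is writable by group/other (mode {mode:o})")
    return findings


if __name__ == "__main__":
    # Constructed layout: a checkout holding .secrets, and an installed copy elsewhere.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        checkout = Path(tmp, "projects", "myproject", "src")
        installed = Path(tmp, "venv", "site-packages", "myproject")
        checkout.mkdir(parents=True)
        installed.mkdir(parents=True)
        secrets = checkout.parent / ".secrets"
        secrets.write_text('DATABASE_URL="driver://user:pass@host/dbname"\n')
        os.chmod(secrets, 0o644)
        print(locate_secrets_file("@.secrets", checkout))   # found above src/
        print(locate_secrets_file("@.secrets", installed))  # not under this tree
        print(permission_findings(secrets))                 # flags the 644 mode
```

Running the same lookup from the installed location returns nothing, which is the situation the "Installed code" section warns about; an absolute path after the @ avoids it.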

Installing

pip install devsecrets

Running the tests

tox

Versioning

We use SemVer for versioning releases.

License

This project is licensed under the MIT License. See the LICENSE.txt file for details.

Related Projects

python-dotenv

This version

0.1
