AWS Secrets has an auto-rotation feature, but Django doesn't support it out of the box. This package provides a way to rotate the secret in Django settings.

Project description

DJ DB Rotated Secret

AWS Secrets auto-rotation will cause a password authentication failure in Django that is unhandled.

This is a low-level wrapper around Django's _cursor and connect db functions that handles the failure and allows graceful rotation.

WARNING

This is very much an alpha release. Jenfi uses it in production, but it is entirely suited to our needs. PRs welcome to expand the capabilities.

Things to Know

  • Postgres only via psycopg 2 & 3

  • It is a monkey patch and can only be added via INSTALLED_APPS.

    • i.e. if a password is rotated after Django loads but before this library is loaded, and another app makes a DB connection in that window, the password error won't be caught. The window is extremely narrow.
  • This library does not know or care how the updated password is obtained. Give it the path of a function to run and it will call that function, expecting it to return a dict of:

    {
      "username": "...",
      "password": "...",
    }
    

Install

  1. poetry add dj-db-rotated-secret

  2. Add to installed apps, below Django and above other apps.

        INSTALLED_APPS = [
          ...
          "dj_db_rotated_secret",
          ...
        ]
    
  3. Declare a function to run when password auth fails:

        DJ_DB_ROTATED_SECRET_FUNC = "path.to.function"
    

Function Info

  • The function takes no arguments.
  • The function must return a dictionary with the keys username and password.
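
One way to write such a function against AWS Secrets Manager, as an added example that is not part of this package or its documentation. It assumes boto3 is installed, that the secret is a JSON string containing username and password keys, and that a hypothetical DB_SECRET_ID environment variable names the secret; the module path you put in DJ_DB_ROTATED_SECRET_FUNC is yours to choose.

```python
import json
import os

# Assumed environment variable naming the secret; not defined by the package.
SECRET_ID_ENV = "DB_SECRET_ID"
REQUIRED_KEYS = ("username", "password")


class RotatedSecretError(RuntimeError):
    """Error whose message never contains secret material."""


def fetch_credentials(client, secret_id):
    """Read the current secret version and return only username/password."""
    # AWSCURRENT is the staging label Secrets Manager moves to the new
    # version once a rotation completes.
    response = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    try:
        secret = json.loads(response["SecretString"])
    except (KeyError, TypeError, ValueError):
        # "from None" keeps the parser error, which references the payload,
        # out of the printed traceback.
        raise RotatedSecretError(f"secret {secret_id!r} is not a JSON string") from None
    if not isinstance(secret, dict):
        raise RotatedSecretError(f"secret {secret_id!r} is not a JSON object")
    missing = [key for key in REQUIRED_KEYS if not secret.get(key)]
    if missing:
        # Only key names are reported, never values.
        raise RotatedSecretError(f"secret {secret_id!r} lacks {missing}")
    # Drop host, port, engine and anything else stored alongside the login.
    return {key: secret[key] for key in REQUIRED_KEYS}


def get_db_credentials():
    """Zero-argument callable to name in DJ_DB_ROTATED_SECRET_FUNC."""
    secret_id = os.environ.get(SECRET_ID_ENV)
    if not secret_id:
        raise RotatedSecretError(f"{SECRET_ID_ENV} is not set")
    import boto3  # imported lazily so settings load without AWS access

    return fetch_credentials(boto3.client("secretsmanager"), secret_id)
```

The process running Django needs secretsmanager:GetSecretValue on that one secret and nothing broader.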

Development

  • Uses poetry

Running Tests

Run psycopg2 and psycopg3 in isolation (as CI does):

  1. Run docker compose up
  2. Run chmod +x run_tests.sh
  3. Run ./run_tests.sh

Download files

Source Distribution

dj_db_rotated_secret-0.1.0.tar.gz (4.5 kB view details)

Uploaded Source

Built Distribution

dj_db_rotated_secret-0.1.0-py3-none-any.whl (4.7 kB view details)

Uploaded Python 3

File details

Details for the file dj_db_rotated_secret-0.1.0.tar.gz.

File metadata

  • Download URL: dj_db_rotated_secret-0.1.0.tar.gz
  • Upload date:
  • Size: 4.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.12.5 Darwin/23.5.0

File hashes

Hashes for dj_db_rotated_secret-0.1.0.tar.gz
Algorithm Hash digest
SHA256 aff04e5b04ffd17857047f067a790090bcef504e3f303c2ea1d160e2009dfbd5
MD5 7b26e3ee6d6b55ebfcf2711284fa35f1
BLAKE2b-256 1092ba8bd7781641746630415741d1daac72c5dbf08aa22966a67a478c6a759b

File details

Details for the file dj_db_rotated_secret-0.1.0-py3-none-any.whl.

File hashes

Hashes for dj_db_rotated_secret-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 49f897656e05af121aba75cdf40dbf9eaa35d49982a78ccfcc7808e09a456976
MD5 499e33f1b3ca9cc85dd40a83c53b2ef6
BLAKE2b-256 b7661165af7ec8161dd08d7d7e8d977fc105693ee81cd989f7cf95f6805658d1
