Securely load environment variables from AWS SSM Parameter Store or Azure Key Vault.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for macalbert from gravatar.com macalbert

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: macalbert
  • Tags aws , azure , envilder , environment , keyvault , secrets , ssm
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

Envilder Python SDK

Coverage Report PyPI version MIT License

Securely load environment variables from AWS SSM Parameter Store or Azure Key Vault directly into your Python application. Zero vendor lock-in — secrets stay in your cloud.

Part of the Envilder project.

Prerequisites

  • Python 3.10+
  • AWS provider: AWS credentials configured (CLI, environment variables, or IAM role)
  • Azure provider: Azure credentials via az login, managed identity, or environment variables

Install

uv add envilder
# or
pip install envilder

Quick Start

One-liner

from envilder import Envilder

# Resolve secrets and inject into os.environ
Envilder.load('secrets-map.json')

import os
print(os.environ['DB_PASSWORD'])

Resolve without injecting

from envilder import Envilder

secrets = Envilder.resolve_file('secrets-map.json')
print(secrets['DB_PASSWORD'])

Fluent builder (with overrides)

Override the map file's $config at runtime — useful for switching providers, profiles, or vault URLs per environment:

from envilder import Envilder, SecretProviderType

# Override provider + vault URL
secrets = (
    Envilder.from_file('secrets-map.json')
    .with_provider(SecretProviderType.AZURE)
    .with_vault_url('https://my-vault.vault.azure.net')
    .resolve()
)

# Override AWS profile and inject
(
    Envilder.from_file('secrets-map.json')
    .with_profile('staging')
    .inject()
)

Environment-based loading

Route secret loading based on your current environment. Each environment maps to its own secrets file (or None to skip loading):

from envilder import Envilder
import os

env = os.getenv('APP_ENV', 'development')

# Resolve + inject into os.environ
Envilder.load(env, {
    'production': 'prod-secrets.json',
    'development': 'dev-secrets.json',
    'test': None,  # no secrets loaded
})

Resolve without injecting:

secrets = Envilder.resolve_file(env, {
    'production': 'prod-secrets.json',
    'development': 'dev-secrets.json',
    'test': None,
})

Behaviour:

  • If the environment maps to a file path, secrets are loaded from that file.
  • If the environment maps to None or is not in the mapping, an empty dict is returned silently — no errors, no output.
  • The environment name is stripped of leading/trailing whitespace before lookup.
  • Empty or whitespace-only environment names raise ValueError.

Advanced usage

For full control over parsing, provider creation, and secret resolution:

from envilder import (
    EnvilderClient,
    EnvilderOptions,
    MapFileParser,
    SecretProviderFactory,
    SecretProviderType,
)

with open('secrets-map.json', encoding='utf-8') as file:
    json_content = file.read()
map_file = MapFileParser().parse(json_content)

# Optional: override config at runtime
options = EnvilderOptions(
    provider=SecretProviderType.AZURE,
    vault_url='https://my-vault.vault.azure.net',
)
provider = SecretProviderFactory.create(map_file.config, options)

client = EnvilderClient(provider)
secrets = client.resolve_secrets(map_file)

EnvilderClient.inject_into_environment(secrets)

Map File Format

{
  "$config": {
    "provider": "aws",
    "profile": "my-profile"
  },
  "DB_PASSWORD": "/app/prod/db-password",
  "API_KEY": "/app/prod/api-key"
}

Supported providers: aws (default), azure.

For Azure, add vaultUrl:

{
  "$config": {
    "provider": "azure",
    "vaultUrl": "https://my-vault.vault.azure.net"
  },
  "DB_PASSWORD": "db-password",
  "API_KEY": "api-key"
}

Links

License

MIT

Development

Setup

# From the repo root
make install-sdk-python

Quality checks

make check-sdk-python    # black + isort + mypy (no changes)
make format-sdk-python   # auto-format

Running tests

Unit tests run without any external dependencies:

cd tests/sdks/python
python -m pytest -v -m "not acceptance"

Acceptance tests require Docker and a LocalStack auth token:

export LOCALSTACK_AUTH_TOKEN=<your-token>
cd tests/sdks/python
python -m pytest -v -m acceptance

All tests:

make test-sdk-python

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for macalbert from gravatar.com macalbert

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: macalbert
  • Tags aws , azure , envilder , environment , keyvault , secrets , ssm
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.3.2

0.3.1

This version

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

envilder-0.3.0.tar.gz (74.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

envilder-0.3.0-py3-none-any.whl (13.1 kB view details)

Uploaded Python 3

File details

Details for the file envilder-0.3.0.tar.gz.

File metadata

  • Download URL: envilder-0.3.0.tar.gz
  • Upload date:
  • Size: 74.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for envilder-0.3.0.tar.gz
Algorithm Hash digest
SHA256 bfcf0da28459276fc41d2ab8dceeb65156a1c3a4e1824e4743554d99df3d020b
MD5 4bf300bbcc19dbe0a86b5a1ce1bb3fcf
BLAKE2b-256 f497a618c1ba0b73cb4e3579a308e3d627681117f3240fd28772780d2a7f5807

See more details on using hashes here.

Provenance

The following attestation bundles were made for envilder-0.3.0.tar.gz:

Publisher: publish-pypi.yml on macalbert/envilder

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file envilder-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: envilder-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 13.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for envilder-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 be6116213f742eddca111e75b4b0c5ec2c5a8b1db36126abd3d75f1c5a62195d
MD5 975634bf9db169a8990ecbeb9da1dfaf
BLAKE2b-256 2a92cf87fd1c3b71e233071db5f92a9d768a616926af7942c8c5ba738175deeb

See more details on using hashes here.

Provenance

The following attestation bundles were made for envilder-0.3.0-py3-none-any.whl:

Publisher: publish-pypi.yml on macalbert/envilder

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page