Securely load environment variables from AWS SSM Parameter Store or Azure Key Vault.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for macalbert from gravatar.com macalbert

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: macalbert
  • Tags aws , azure , envilder , environment , keyvault , secrets , ssm
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

Envilder Python SDK

Coverage Report PyPI version MIT License

Securely load environment variables from AWS SSM Parameter Store or Azure Key Vault directly into your Python application. Zero vendor lock-in — secrets stay in your cloud.

Part of the Envilder project.

Prerequisites

  • Python 3.10+
  • AWS provider: AWS credentials configured (CLI, environment variables, or IAM role)
  • Azure provider: Azure credentials via az login, managed identity, or environment variables

Install

uv add envilder
# or
pip install envilder

Quick Start

One-liner

from envilder import Envilder

# Resolve secrets and inject into os.environ
Envilder.load('secrets-map.json')

import os
print(os.environ['DB_PASSWORD'])

Resolve without injecting

from envilder import Envilder

secrets = Envilder.resolve_file('secrets-map.json')
print(secrets['DB_PASSWORD'])

Fluent builder (with overrides)

Override the map file's $config at runtime — useful for switching providers, profiles, or vault URLs per environment:

from envilder import Envilder, SecretProviderType

# Override provider + vault URL
secrets = (
    Envilder.from_file('secrets-map.json')
    .with_provider(SecretProviderType.AZURE)
    .with_vault_url('https://my-vault.vault.azure.net')
    .resolve()
)

# Override AWS profile and inject
(
    Envilder.from_file('secrets-map.json')
    .with_profile('staging')
    .inject()
)

Environment-based loading

Route secret loading based on your current environment. Each environment maps to its own secrets file (or None to skip loading):

from envilder import Envilder
import os

env = os.getenv('APP_ENV', 'development')

# Resolve + inject into os.environ
Envilder.load(env, {
    'production': 'prod-secrets.json',
    'development': 'dev-secrets.json',
    'test': None,  # no secrets loaded
})

Resolve without injecting:

secrets = Envilder.resolve_file(env, {
    'production': 'prod-secrets.json',
    'development': 'dev-secrets.json',
    'test': None,
})

Behaviour:

  • If the environment maps to a file path, secrets are loaded from that file.
  • If the environment maps to None or is not in the mapping, an empty dict is returned silently — no errors, no output.
  • The environment name is stripped of leading/trailing whitespace before lookup.
  • Empty or whitespace-only environment names raise ValueError.

Advanced usage

For full control over parsing, provider creation, and secret resolution:

from envilder import (
    EnvilderClient,
    EnvilderOptions,
    MapFileParser,
    SecretProviderFactory,
    SecretProviderType,
)

with open('secrets-map.json', encoding='utf-8') as file:
    json_content = file.read()
map_file = MapFileParser().parse(json_content)

# Optional: override config at runtime
options = EnvilderOptions(
    provider=SecretProviderType.AZURE,
    vault_url='https://my-vault.vault.azure.net',
)
provider = SecretProviderFactory.create(map_file.config, options)

client = EnvilderClient(provider)
secrets = client.resolve_secrets(map_file)

EnvilderClient.inject_into_environment(secrets)

Map File Format

{
  "$config": {
    "provider": "aws",
    "profile": "my-profile"
  },
  "DB_PASSWORD": "/app/prod/db-password",
  "API_KEY": "/app/prod/api-key"
}

Supported providers: aws (default), azure.

For Azure, add vaultUrl:

{
  "$config": {
    "provider": "azure",
    "vaultUrl": "https://my-vault.vault.azure.net"
  },
  "DB_PASSWORD": "db-password",
  "API_KEY": "api-key"
}

Links

License

MIT

Development

Setup

# From the repo root
make install-sdk-python

Quality checks

make check-sdk-python    # black + isort + mypy (no changes)
make format-sdk-python   # auto-format

Running tests

Unit tests run without any external dependencies:

cd tests/sdks/python
python -m pytest -v -m "not acceptance"

Acceptance tests require Docker and a LocalStack auth token:

export LOCALSTACK_AUTH_TOKEN=<your-token>
cd tests/sdks/python
python -m pytest -v -m acceptance

All tests:

make test-sdk-python

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for macalbert from gravatar.com macalbert

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: macalbert
  • Tags aws , azure , envilder , environment , keyvault , secrets , ssm
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.3.2

This version

0.3.1

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

envilder-0.3.1.tar.gz (74.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

envilder-0.3.1-py3-none-any.whl (13.1 kB view details)

Uploaded Python 3

File details

Details for the file envilder-0.3.1.tar.gz.

File metadata

  • Download URL: envilder-0.3.1.tar.gz
  • Upload date:
  • Size: 74.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for envilder-0.3.1.tar.gz
Algorithm Hash digest
SHA256 96b6cf901e2658ab3bca64883c1fdbff498ad15f7378fc1c95dbd58f2d770152
MD5 c12a276d58af55d727c0cc963852c3a5
BLAKE2b-256 97a8cb8aaf9294d602a9805802593e40e6dbc4b1b6af5f227c3e1e8041e63b94

See more details on using hashes here.

Provenance

The following attestation bundles were made for envilder-0.3.1.tar.gz:

Publisher: publish-pypi.yml on macalbert/envilder

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file envilder-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: envilder-0.3.1-py3-none-any.whl
  • Upload date:
  • Size: 13.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for envilder-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5cc1458dc7d4d5e68acd5bdbce564e9303de0f0bfd95667263ed8e679e0693f2
MD5 dac8e9cbc937d5b140def5ca4ee4fe57
BLAKE2b-256 9bebde343c9b87d9c11407408dd2131d2e3cdc136bed9f2778065fed1d7b14a4

See more details on using hashes here.

Provenance

The following attestation bundles were made for envilder-0.3.1-py3-none-any.whl:

Publisher: publish-pypi.yml on macalbert/envilder

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page