Resolve env vars from secret stores.

envresolve

Resolve environment variables from secret stores like Azure Key Vault.

Features

  • Variable expansion: Expand ${VAR} and $VAR syntax in strings
  • Secret resolution: Fetch secrets from Azure Key Vault (more providers coming)
  • Circular reference detection: Prevents infinite loops in variable chains
  • Type-safe: Full mypy type checking support

Quick Start

Variable Expansion

Expand variables without connecting to external services:

from envresolve import expand_variables

env = {"VAULT": "corp-kv", "SECRET": "db-password"}
result = expand_variables("akv://${VAULT}/${SECRET}", env)
print(result)  # akv://corp-kv/db-password
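
The block below is an added illustration, not envresolve's own code. It shows one way `${VAR}`/`$VAR` expansion with circular reference detection can work, followed by a check that the expanded `akv://` URI names an approved vault before any secret is fetched. The names `expand`, `check_vault_uri`, `CircularReference` and `ALLOWED_VAULTS` are hypothetical, and the reference shape `akv://<vault>/<secret>` is assumed from the examples on this page.

```python
import re
from urllib.parse import urlsplit

# Matches ${NAME} or $NAME; group 1 or group 2 carries the variable name.
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")


class CircularReference(ValueError):
    """Raised when a variable refers back to itself through a chain."""


def expand(text, env, _stack=()):
    """Recursively expand ${VAR} and $VAR in text using env (hypothetical helper)."""
    def substitute(match):
        name = match.group(1) or match.group(2)
        if name in _stack:
            # The name is already being expanded further up the chain.
            raise CircularReference(" -> ".join(_stack + (name,)))
        if name not in env:
            raise KeyError(name)
        return expand(env[name], env, _stack + (name,))
    return _VAR.sub(substitute, text)


def check_vault_uri(uri, allowed_vaults):
    """Return (vault, secret) only if the expanded URI targets an approved vault."""
    parts = urlsplit(uri)
    secret = parts.path.strip("/")
    if parts.scheme != "akv" or not parts.netloc or not secret or "/" in secret:
        raise ValueError(f"not a well-formed akv:// reference: {uri!r}")
    if parts.netloc not in allowed_vaults:
        # The vault name came from expanded variables, so verify it explicitly.
        raise PermissionError(f"vault {parts.netloc!r} is not on the allow-list")
    return parts.netloc, secret


# Constructed sample data.
ALLOWED_VAULTS = {"corp-kv"}
env = {"VAULT": "corp-kv", "SECRET": "db-password", "DB": "akv://${VAULT}/$SECRET"}
print(check_vault_uri(expand("${DB}", env), ALLOWED_VAULTS))
```

Because the vault name is assembled from variables, whoever controls those variables chooses which vault is queried; checking the expanded URI against an allow-list keeps that choice explicit.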

Load from .env File

Load environment variables from a .env file with automatic secret resolution:

import envresolve

# .env file content:
# VAULT_NAME=my-vault
# DATABASE_URL=akv://${VAULT_NAME}/db-url
# API_KEY=akv://${VAULT_NAME}/api-key

# Requires: pip install envresolve[azure]
# Requires: Azure authentication (az login, Managed Identity, etc.)
envresolve.register_azure_kv_provider()

# Load .env and resolve all secret URIs
# By default, exports to os.environ
resolved_vars = envresolve.load_env(".env")

# Or load without exporting
resolved_vars = envresolve.load_env(".env", export=False)

Direct Secret Resolution

Fetch individual secrets from Azure Key Vault:

import envresolve

# Requires: pip install envresolve[azure]
# Requires: Azure authentication (az login, Managed Identity, etc.)
try:
    envresolve.register_azure_kv_provider()
    secret_value = envresolve.resolve_secret("akv://corp-vault/db-password")
    print(secret_value)
except envresolve.ProviderRegistrationError as e:
    print(f"Azure SDK not available: {e}")
except envresolve.SecretResolutionError as e:
    print(f"Failed to fetch secret: {e}")

Installation

# Basic installation (variable expansion only)
pip install envresolve

# With Azure Key Vault support
pip install envresolve[azure]

Documentation

Full documentation: https://osoekawaitlab.github.io/envresolve/

Development

Setup

This project uses uv for dependency management and nox for task automation:

# Install uv (if not already installed)
pip install uv

# Clone the repository
git clone https://github.com/osoekawaitlab/envresolve.git
cd envresolve

# Install dependencies (including dev dependencies)
uv pip install -e ".[azure]" --group=dev

Running Tests

# Quick test during development
nox -s tests_unit      # Unit tests only (fast)
nox -s tests_e2e       # E2E tests with mocked Azure SDK

# Full test suite
nox -s tests           # All tests with coverage report (HTML in htmlcov/)

# Test across Python versions
nox -s tests_all_versions  # Test on Python 3.10-3.14

# Test without Azure SDK
nox -s tests_without_azure  # For environments without Azure dependencies

Code Quality

# Run all quality checks
nox -s quality         # Type checking (mypy) + linting (ruff)

# Individual checks
nox -s mypy            # Type checking only
nox -s lint            # Linting only
nox -s format_code     # Auto-format code

# Run everything
nox -s check_all       # Tests + quality checks

Live Azure Tests

Optional integration tests against real Azure Key Vault:

# One-time setup
cd infra/terraform
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your Azure credentials
terraform init
terraform apply

# Before running tests
az login
source scripts/setup_live_tests.sh

# Run live tests
nox -s tests_live

See Live Azure Tests documentation for detailed setup instructions.

Build Documentation

# Build documentation
nox -s docs_build

# Serve documentation locally (with live reload)
nox -s docs_serve      # Open http://localhost:8000

Project Structure

src/envresolve/
  ├── api.py                 # Public API (load_env, resolve_secret, etc.)
  ├── exceptions.py          # Custom exception hierarchy
  ├── models.py              # Pydantic data models
  ├── services/              # Core business logic
  │   ├── expansion.py       # Variable expansion with cycle detection
  │   └── reference.py       # URI parsing and validation
  ├── providers/             # Secret provider implementations
  │   ├── base.py            # Provider protocol/ABC
  │   └── azure_kv.py        # Azure Key Vault provider
  └── application/           # Application orchestration
      ├── expanders.py       # Expander implementations
      └── resolver.py        # Resolution orchestration

tests/
  ├── unit/                  # Unit tests (fast, isolated)
  ├── e2e/                   # E2E tests (mocked Azure SDK)
  └── live/                  # Live tests (real Azure resources)

docs/
  ├── adr/                   # Architecture Decision Records
  ├── user-guide/            # User documentation
  └── developer-guide/       # Development documentation

Contributing

See Contributing Guide for guidelines on:

  • Code style and conventions
  • Test-driven development workflow
  • Creating issues and pull requests
  • Architecture Decision Records (ADRs)

Download files

Source Distribution

envresolve-0.1.2.tar.gz (14.3 kB)

Uploaded Source

Built Distribution

envresolve-0.1.2-py3-none-any.whl (15.4 kB)

Uploaded Python 3

File details

Details for the file envresolve-0.1.2.tar.gz.

File metadata

  • Download URL: envresolve-0.1.2.tar.gz
  • Upload date:
  • Size: 14.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.11

File hashes

Hashes for envresolve-0.1.2.tar.gz
Algorithm Hash digest
SHA256 7eb69f22fbdef15422e2392c88335125ea02232618eceaca97ddf72704bdcce0
MD5 531920757bdbb03ca21e73013958929b
BLAKE2b-256 a6a98478763932a868402c30fd084eb1787cd5e250308321a6d98861b7699e1a

File details

Details for the file envresolve-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: envresolve-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 15.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.11

File hashes

Hashes for envresolve-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 d9ff924d255e664f18a7ce6540ea02be13fb6b9d43c353cad600f793e8144939
MD5 611820c49f8c9f63777d907019569ebe
BLAKE2b-256 146f9d3dde91a3d559f3a9e426c8468a1a2a3b1fe49e2b2c6dc3be0d248b855f
