A package to read secrets from Hashicorp vault or from a local file
Project description
getSecrets
A Python package for securely retrieving secrets from HashiCorp Vault or local configuration files.
Features
- Simple API: Easy-to-use functions for retrieving secrets
- Flexible Storage: Works with HashiCorp Vault or local YAML configuration files
- Multiple Retrieval Methods: Get complete secrets, username/password pairs, or list available secrets
- Update Support: Update existing secrets in Vault
- Secure by Default: Automatic certificate validation with intelligent fallback
- Repository Support: Work with multiple secret repositories
Installation
Install from PyPI:
pip install get-hc-secrets
Or install from source:
git clone https://github.com/yourusername/getSecrets.git
cd getSecrets
pip install -e .
Quick Start
Configuration
Create a configuration file at ~/.config/.vault/vault.yml:
vault:
token: "your-vault-token"
vault_addr: "https://vault.example.com:8200"
certs: "~/path/to/bundle.pem"
# Optional: Local secrets for development
local-db:
host: localhost
port: 5432
username: dev_user
password: dev_password
Basic Usage
from getSecrets import get_secret, get_user_pwd, list_secret, upd_secret
# Retrieve a complete secret
database_config = get_secret('my-database-config')
print(database_config)
# {'host': 'db.example.com', 'port': 5432, 'database': 'myapp'}
# Retrieve username and password
username, password = get_user_pwd('postgres-credentials')
# List all secrets in a repository
secrets = list_secret('secret')
print(secrets)
# ['database-config', 'api-keys', 'admin-credentials']
# Update a secret
new_data = {'host': 'new-db.example.com', 'port': 5432}
status = upd_secret('my-database-config', new_data)
Working with Custom Repositories
# Retrieve from a custom repository
api_keys = get_secret('api-credentials', repo='production-secrets')
# Update in custom repository
upd_secret('api-credentials', new_data, repo='production-secrets')
API Reference
get_secret(id, repo='secret')
Retrieves a complete secret as a dictionary.
Parameters:
id(str): The ID of the secret to retrieverepo(str, optional): The repository name (default: 'secret')
Returns: dict - Key-value pairs from the secret, or empty dict on error
get_user_pwd(id, repo='secret')
Retrieves username and password from a secret.
Parameters:
id(str): The ID of the secret to retrieverepo(str, optional): The repository name (default: 'secret')
Returns: tuple - (username, password) or (None, None) if not found
list_secret(repo='secret')
Lists all available secret IDs in a repository.
Parameters:
repo(str, optional): The repository name (default: 'secret')
Returns: list - List of secret IDs
upd_secret(id, data, repo='secret')
Updates an existing secret with new data.
Parameters:
id(str): The ID of the secret to updatedata(dict): The new data to storerepo(str, optional): The repository name (default: 'secret')
Returns: int - HTTP status code (200 on success)
Certificate Configuration
For secure communication with Vault, create a bundle.pem file containing (in order):
- Vault certificate
- Intermediate certificate
- Root certificate
Note:
- For public networks: The package automatically uses system certificates via certifi
- For internal networks (192.168.x.x): Custom certificates from config are used
- If no certificates are found: Works in insecure mode (not recommended for production)
Configuration File Locations
The package searches for configuration in the following order:
~/.config/.vault/vault.yml/etc/vault/vault.yml
Documentation
Full documentation is available at: https://getsecrets.readthedocs.io
Examples
Database Connection
import psycopg2
from getSecrets import get_secret
db_config = get_secret('postgres-production')
connection = psycopg2.connect(
host=db_config['host'],
port=db_config.get('port', 5432),
database=db_config['database'],
user=db_config['username'],
password=db_config['password']
)
API Authentication
import requests
from getSecrets import get_secret
api_config = get_secret('external-api', repo='api-secrets')
headers = {
'Authorization': f"Bearer {api_config['api_token']}"
}
response = requests.get(api_config['api_url'], headers=headers)
Development
To build the documentation locally:
cd docs
pip install -r requirements.txt
make html
License
[Your License Here]
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Version
Current version: 1.5.23
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file get_hc_secrets-1.5.24.tar.gz.
File metadata
- Download URL: get_hc_secrets-1.5.24.tar.gz
- Upload date:
- Size: 9.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
27f42c5bafd56eb417527a3506f2b498d5b3cca8ed9e98546abdf032eff50ba1
|
|
| MD5 |
d202c94585154b04e9312f9bd8ea7a0a
|
|
| BLAKE2b-256 |
49e4f0140ad8467c350d34852b617906b7587bcd7ac8a26e2e52fc09614be80b
|
File details
Details for the file get_hc_secrets-1.5.24-py3-none-any.whl.
File metadata
- Download URL: get_hc_secrets-1.5.24-py3-none-any.whl
- Upload date:
- Size: 5.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
852265a0b3c14c3bb354ada64d5bd2f23b55c028abc9825a283fbde56887abcd
|
|
| MD5 |
257220e9e1a23c484742cced28508cb2
|
|
| BLAKE2b-256 |
15c17a2c2c092866bc1c1dcc6f146856af7eaa3af961ed72120956325c39c9bc
|
