Python SDK for Hush secret access via SPIFFE mTLS

hush-am-sdk-python

Python SDK for fetching secrets from the Hush access-manager via SPIFFE mTLS.

Requirements

  • Hush-am access-manager deployed in the cluster.
  • A SPIRE agent reachable in the pod (provides the SPIFFE SVID for mTLS).
  • The pod's workload identity is bound to a Hush policy granting access to the requested secrets.

Error handling

All SDK errors derive from HushError. Catch the base class for a generic fallback, or the specific subclasses where the caller can do something useful:

from husham import HushClient, HushSecretNotFoundError, HushError

try:
    with HushClient() as hush:
        creds = hush.get_secret("secret_name")
except HushSecretNotFoundError:
    ...  # secret missing or no access
except HushError as e:
    ...  # any other SDK failure

End-to-end example

The snippet below needs a Hush-am-instrumented runtime to actually fetch a secret — it cannot run from your laptop because there is no local SPIRE agent.

  1. Create a Hush-am policy that:

    • Includes an SDK delivery config that maps a secret to <secret_name> and maps the fields you intend to read (e.g. username, password, host).
    • Adds an attestation rule for the pod that will run the SDK, so its workload identity is bound to the policy.

  2. Install the SDK in the pod image:

    pip install hush-am-sdk

  3. Run this snippet inside the pod:

import sys
from husham import HushClient, HushError


def main() -> int:
    try:
        with HushClient() as hush:
            secret = hush.get_secret("<secret_name>")
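            # Demo output only: anything printed to stdout ends up in the
            # pod's logs, so real code should use the values, not print them.
            print(f"username: {secret['username']}")
            print(f"password: {secret['password']}")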

            # Or fetch a single field directly:
            host = hush.get_secret_field("<secret_name>", "host")
            print(f"host: {host}")
    except HushError as exc:
        print(f"{type(exc).__name__}: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
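
An added example, not part of the SDK or its documentation: one way to act on the errors described under "Error handling" and to fail closed when the policy's delivery config does not map a field the application needs. SecretUnavailable, load_fields, FakeClient and SAMPLE are hypothetical names; the fallback exception classes stand in for the SDK's when it is not installed, and the returned secret is assumed to behave like a dict.

```python
import logging

try:  # real exception classes when the SDK is installed (in the pod)
    from husham import HushError, HushSecretNotFoundError
except ImportError:  # stand-ins so this example runs offline (assumption)
    class HushError(Exception):
        pass

    class HushSecretNotFoundError(HushError):
        pass

log = logging.getLogger("app.secrets")


class SecretUnavailable(RuntimeError):
    """Hypothetical app-level error; its message never holds secret values."""


def load_fields(client, name, required):
    """Return only the `required` fields of secret `name`, or fail closed."""
    try:
        secret = client.get_secret(name)
    except HushSecretNotFoundError:
        log.error("secret %s: missing or not granted by policy", name)
        raise SecretUnavailable(f"{name}: not found or no access") from None
    except HushError as exc:
        # Log the error type only; the message is not assumed to be log-safe.
        log.error("secret %s: fetch failed (%s)", name, type(exc).__name__)
        raise SecretUnavailable(f"{name}: fetch failed") from None
    missing = sorted(f for f in required if f not in secret)
    if missing:  # the delivery config does not map a field the app needs
        raise SecretUnavailable(f"{name}: unmapped fields {missing}")
    return {f: secret[f] for f in required}


class FakeClient:
    """Constructed stand-in for HushClient: serves secrets from a dict."""

    def __init__(self, store):
        self._store = store

    def get_secret(self, name):
        if name not in self._store:
            raise HushSecretNotFoundError(name)
        return dict(self._store[name])


# Constructed sample data, not real credentials.
SAMPLE = FakeClient({"db": {"username": "app", "password": "example-only"}})
```

Inside the pod, pass a real HushClient instead of SAMPLE; the caller then handles a single exception type whose message contains field names but no values.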

Additional features

Bearer token for user-claims filtering

Pass an optional bearer token to scope the request to a specific user's claims:

hush.get_secret("secret_name", token=user_jwt)
hush.get_secret_field("secret_name", "password", token=user_jwt)

Module-level helpers

Module-level convenience helpers backed by a singleton client are also available, so you don't need to manage a HushClient instance yourself:

from husham import get_secret, get_secret_field

creds = get_secret("secret_name")
password = get_secret_field("secret_name", "password")

Download files

Source Distribution

hush_am_sdk-0.3.0.tar.gz (18.9 kB view details)

Uploaded Source

Built Distribution

hush_am_sdk-0.3.0-py3-none-any.whl (14.2 kB view details)

Uploaded Python 3

File details

Details for the file hush_am_sdk-0.3.0.tar.gz.

File metadata

  • Download URL: hush_am_sdk-0.3.0.tar.gz
  • Upload date:
  • Size: 18.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for hush_am_sdk-0.3.0.tar.gz
Algorithm Hash digest
SHA256 0519952416dbb5c5aa29690b5628380a812f0f6a71d92541622f2be22dad668d
MD5 2ae5c0e5b299ed685da15f5571f2f46b
BLAKE2b-256 8711522bd98cacbb882e47dc7023f145b033593ecb4322435303269c8092fa41

Provenance

The following attestation bundles were made for hush_am_sdk-0.3.0.tar.gz:

Publisher: publish.yml on hushsecurity/hush-am-sdk-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file hush_am_sdk-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: hush_am_sdk-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 14.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for hush_am_sdk-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1ba8b770a8aa7e436fc43896a95e07b316782f29b67f7904fe1aa66a6aa505a9
MD5 c2fd04fe8823755772caf9b1932998a0
BLAKE2b-256 0c241191aa77e2f600542840d52df155e9e11a68d4cfc36ee7daa3b1a2ae863e

Provenance

The following attestation bundles were made for hush_am_sdk-0.3.0-py3-none-any.whl:

Publisher: publish.yml on hushsecurity/hush-am-sdk-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
