Python SDK for Hush secret access via SPIFFE mTLS

hush-am-sdk-python

Python SDK for fetching secrets from the Hush access-manager via SPIFFE mTLS.

Requirements

  • Hush-am access-manager deployed in the cluster.
  • A SPIRE agent reachable in the pod (provides the SPIFFE SVID for mTLS).
  • The pod's workload identity is bound to a Hush policy granting access to the requested secrets.

Error handling

All SDK errors derive from HushError. Catch the base class for a generic fallback, or the specific subclasses where the caller can do something useful:

from hush import HushClient, HushSecretNotFoundError, HushError

try:
    with HushClient() as hush:
        creds = hush.get_secret("secret_name")
except HushSecretNotFoundError:
    ...  # secret missing or no access
except HushError as e:
    ...  # any other SDK failure
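
One way to act on that split at service startup, as an added example that is not part of the SDK or of this page's own code. `load_secret`, `redacted` and `FakeHushClient` are hypothetical names, the two exception classes are local stand-ins for the SDK's so the block runs without a SPIRE agent, and treating every other `HushError` as retryable is an assumption of this example.

```python
# Added example, not the SDK's code. The classes below are local stand-ins that
# mirror the names on this page; in a pod, delete them and use instead:
#   from hush import HushClient, HushError, HushSecretNotFoundError
import time


class HushError(Exception): ...
class HushSecretNotFoundError(HushError): ...


class FakeHushClient:
    """Constructed test double: raises the scripted errors, then returns the secret."""
    def __init__(self, script, secret):
        self.script, self.secret, self.calls = list(script), secret, 0

    def get_secret(self, name):
        self.calls += 1
        if self.script:
            raise self.script.pop(0)
        return dict(self.secret)


def load_secret(client, name, required, attempts=3, base_delay=0.0):
    """Fetch `name`, retrying only failures that can plausibly clear on retry.

    HushSecretNotFoundError (secret missing or no access) is a policy problem,
    so it is re-raised at once; other HushError failures back off and retry.
    """
    for attempt in range(1, attempts + 1):
        try:
            secret = client.get_secret(name)
        except HushSecretNotFoundError:
            raise  # fail closed: retrying cannot fix a missing policy binding
        except HushError:
            if attempt == attempts:
                raise
            time.sleep(base_delay * 2 ** (attempt - 1))
            continue
        missing = [f for f in required if f not in secret]
        if missing:
            # Name the absent fields only; never put secret values in the message.
            raise LookupError(f"{name}: delivery config does not map {missing}")
        return secret


def redacted(secret):
    """Safe-to-log view: field names kept, every value masked."""
    return {k: "***" for k in secret}
```
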

End-to-end example

The snippet below needs a Hush-am-instrumented runtime to actually fetch a secret — it cannot run from your laptop because there is no local SPIRE agent.

  1. Create a Hush-am policy that:

    • Includes an SDK delivery config that maps a secret to <secret_name> and maps the fields you intend to read (e.g. username, password, host).
    • Adds an attestation rule for the pod that will run the SDK, so its workload identity is bound to the policy.

  2. Install the SDK in the pod image:

    pip install hush-am-sdk

  3. Run this snippet inside the pod:

import sys
from hush import HushClient, HushError


def main() -> int:
    try:
        with HushClient() as hush:
            secret = hush.get_secret("<secret_name>")
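            # Demo output only: in a real workload, hand the values straight to
            # the consumer and keep them out of stdout and logs.
            print(f"username: {secret['username']}")
            print(f"password: {secret['password']}")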

            # Or fetch a single field directly:
            host = hush.get_secret_field("<secret_name>", "host")
            print(f"host: {host}")
    except HushError as exc:
        print(f"{type(exc).__name__}: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())

Additional features

Bearer token for user-claims filtering

Pass an optional bearer token to scope the request to a specific user's claims:

hush.get_secret("secret_name", token=user_jwt)
hush.get_secret_field("secret_name", "password", token=user_jwt)

Module-level helpers

Module-level convenience helpers backed by a singleton client are also available, so you don't need to manage a HushClient instance yourself:

from hush import get_secret, get_secret_field

creds = get_secret("secret_name")
password = get_secret_field("secret_name", "password")

Download files

Source Distribution

hush_am_sdk-0.2.0.tar.gz (19.6 kB)

Uploaded Source

Built Distribution

hush_am_sdk-0.2.0-py3-none-any.whl (14.1 kB)

Uploaded Python 3

File details

Details for the file hush_am_sdk-0.2.0.tar.gz.

File metadata

  • Download URL: hush_am_sdk-0.2.0.tar.gz
  • Upload date:
  • Size: 19.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for hush_am_sdk-0.2.0.tar.gz
Algorithm Hash digest
SHA256 673d9d5ccde9389da28a924a05ee647db6dc91bfe7942c4a35a486f3d98a4298
MD5 c1dec1ddaf6e0a824060afe150150fd6
BLAKE2b-256 bf70808a5898ce1320f25d544ea72430ef51b137e2829ce3e4fcffa8122c9857

Provenance

The following attestation bundles were made for hush_am_sdk-0.2.0.tar.gz:

Publisher: publish.yml on hushsecurity/hush-am-sdk-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file hush_am_sdk-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: hush_am_sdk-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 14.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for hush_am_sdk-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 5dd45eba0c6b0fb99e62b75b56589eb79f0fcc5645a38b0d96e9abf6447c3ed4
MD5 c5a54f98916bbb229873b5f378235f8f
BLAKE2b-256 659ce80fd955becd473e2fe8a74af2e2f135cb978d606053c53c8f2d934e4ec8

Provenance

The following attestation bundles were made for hush_am_sdk-0.2.0-py3-none-any.whl:

Publisher: publish.yml on hushsecurity/hush-am-sdk-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
