Skip to main content

Official Infisical SDK for Python

Project description

infisical

Open-source, end-to-end encrypted tool to manage secrets and configs across your team and infrastructure.

Table of Contents

Links

Basic Usage

from flask import Flask
from infisical import InfisicalClient

app = Flask(__name__)

client = InfisicalClient(token="your_infisical_token")

@app.route("/")
def hello_world():
    # access value
    name = client.get_secret("NAME", environment="dev", path="/")
    return f"Hello! My name is: {name.secret_value}"

This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named "NAME" and responds to requests with a greeting that includes the secret value.

It is also possible to use the SDK to encrypt/decrypt text; the implementation uses aes-256-gcm with components of the encryption/decryption encoded in base64.

from infisical import InfisicalClient

client = InfisicalClient()

# some plaintext you want to encrypt
plaintext = 'The quick brown fox jumps over the lazy dog'

# create a base64-encoded, 256-bit symmetric key
key = client.create_symmetric_key()

# encrypt
ciphertext, iv, tag = client.encrypt_symmetric(plaintext, key)

# decrypt
cleartext = client.decrypt_symmetric(ciphertext, key, iv, tag)

Installation

You need Python 3.7+.

$ pip install infisical

Configuration

Import the SDK and create a client instance with your Infisical Token.

from infisical import InfisicalClient

client = InfisicalClient(token="your_infisical_token")

Options

Parameter Type Description
token string An Infisical Token scoped to a project and environment.
site_url string Your self-hosted Infisical site URL. Default: https://app.infisical.com.
cache_ttl number Time-to-live (in seconds) for refreshing cached secrets. Default: 300.
debug boolean Turns debug mode on or off. Default: false.

Caching

The SDK caches every secret and updates it periodically based on the provided cache_ttl. For example, if cache_ttl of 300 is provided, then a secret will be refetched 5 minutes after the first fetch; if the fetch fails, the cached secret is returned.

Secrets

Get Secrets

secrets = client.get_all_secrets(environment="dev", path="/foo/bar/")

Retrieve all secrets within a given environment and folder path. The service token used must have access to the given path and environment.

Parameters

  • environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
  • path (string): The path from where secrets should be fetched from.

Get Secret

secret = client.get_secret("API_KEY", environment="dev", path="/")
value = secret.secret_value # get its value

By default, get_secret() fetches and returns a personal secret. If not found, it returns a shared secret, or tries to retrieve the value from os.environ. If a secret is fetched, get_secret() caches it to reduce excessive calls and re-fetches periodically based on the cacheTTL option (default is 300 seconds) when initializing the client — for more information, see the caching section.

To explicitly retrieve a shared secret:

secret = client.get_secret(secret_name="API_KEY", type="shared", environment="dev", path="/")
value = secret.secret_value # get its value

Parameters

  • secret_name (string): The key of the secret to retrieve.
  • environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
  • path (string): The path from where secrets should be fetched from.
  • type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".

Create Secret

Create a new secret in Infisical

new_api_key = client.create_secret("API_KEY", "FOO", environment="dev", path="/", type="shared")

Parameters

  • secret_name (string): The key of the secret to create.
  • secret_value (string): The value of the secret.
  • environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
  • path (string): The path from where secrets should be created.
  • type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared". A personal secret can only be created if a shared secret with the same name exists.

Update Secret

Update an existing secret in Infisical

updated_api_key = client.update_secret("API_KEY", "BAR", environment="dev", path="/", type="shared")

Parameters

  • secret_name (string): The key of the secret to update.
  • secret_value (string): The new value of the secret.
  • environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
  • path (string): The path from where secrets should be updated.
  • type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".

Delete Secret

Delete a secret in Infisical

deleted_secret = client.delete_secret("API_KEY", environment="dev", path="/", type="shared")

Parameters

  • secret_name (string): The key of the secret to delete.
  • environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
  • path (string): The path from where secrets should be deleted.
  • type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".

Cryptography

Create Symmetric Key

Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.

key = client.create_symmetric_key()

Returns

key (string): A base64-encoded, 256-bit symmetric key.

Encrypt Symmetric

Encrypt plaintext -> ciphertext.

ciphertext, iv, tag = client.encrypt_symmetric(plaintext, key)

Parameters

  • plaintext (string): The plaintext to encrypt.
  • key (string): The base64-encoded, 256-bit symmetric key to use to encrypt the plaintext.

Returns

  • ciphertext (string): The base64-encoded, encrypted plaintext.
  • iv (string): The base64-encoded, 96-bit initialization vector generated for the encryption.
  • tag (string): The base64-encoded authentication tag generated during the encryption.

Decrypt Symmetric

Decrypt ciphertext -> plaintext/cleartext.

cleartext = client.decrypt_symmetric(ciphertext, key, iv, tag)

Parameters

  • ciphertext (string): The ciphertext to decrypt.
  • key (string): The base64-encoded, 256-bit symmetric key to use to decrypt the ciphertext.
  • iv (string): The base64-encoded, 96-bit initiatlization vector generated for the encryption.
  • tag (string): The base64-encoded authentication tag generated during encryption.

Returns

cleartext (string): The decrypted encryption that is the cleartext/plaintext.

Contributing

Bug fixes, docs, and library improvements are always welcome. Please refer to our Contributing Guide for detailed information on how you can contribute.

Getting Started

If you want to familiarize yourself with the SDK, you can start by forking the repository and cloning it in your local development environment.

After cloning the repository, we recommend that you create a virtual environment:

$ python -m venv env

Then activate the environment with:

# For linux
$ source ./env/bin/activate

# For Windows PowerShell
$ .\env\Scripts\Activate.ps1

Make sure that you have the latest version of pip to avoid errors on the next step:

$ python -m pip install --upgrade pip

Then install the project in editable mode and the dependencies with:

$ pip install -e '.[dev,test]'

To run existing tests, you need to make a .env at the root of this project containing a INFISICAL_TOKEN and SITE_URL. This will execute the tests against a project and environment scoped to the INFISICAL_TOKEN on a running instance of Infisical at the SITE_URL (this could be Infisical Cloud).

To run all the tests you can use the following command:

$ pytest tests

License

infisical-python is distributed under the terms of the MIT license.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

infisical-1.4.1.tar.gz (16.4 kB view details)

Uploaded Source

Built Distribution

infisical-1.4.1-py3-none-any.whl (19.7 kB view details)

Uploaded Python 3

File details

Details for the file infisical-1.4.1.tar.gz.

File metadata

  • Download URL: infisical-1.4.1.tar.gz
  • Upload date:
  • Size: 16.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: python-httpx/0.23.3

File hashes

Hashes for infisical-1.4.1.tar.gz
Algorithm Hash digest
SHA256 cb69a79cd35ccf989cdbd89453500b98d057dfccd9ec70cb45914b20edb10235
MD5 910dfdefcfff7950394f5f9c78d3c786
BLAKE2b-256 631d3246ba793fd04ddc1406d5ce5edd01d5ca7c75af2c544abc771e9e4d6fb3

See more details on using hashes here.

File details

Details for the file infisical-1.4.1-py3-none-any.whl.

File metadata

  • Download URL: infisical-1.4.1-py3-none-any.whl
  • Upload date:
  • Size: 19.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: python-httpx/0.23.3

File hashes

Hashes for infisical-1.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 81e19e9c13031a9c34907864840816513094e7cb90c0f13b72d09ab4bda8ff5b
MD5 ffdb06cfb3ca9ac7e221db7801c42112
BLAKE2b-256 f7fed0f2933e706723a3ad058d1c52b0ed70e8dfcc6fc89be0227bf3f1548191

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page